Cisco has plugged a buffer overflow flaw involving its popular WebEx online meeting client.

The vulnerability, which involves a bug in an ActiveX control, was revealed in a posting by security researcher Elazar Broad on 6 August, more than a week before Cisco issued an advisory on Friday (15 August). Cisco told Broad it was already aware of the problem and that a fix was already in the works.

Programming errors in the WebexUCFObject ActiveX control create a means for hackers to inject hostile code onto vulnerable systems. Exploitation would involve the standard method of tricking users into visiting maliciously constructed websites, possibly lured there by means of targeted emails aimed at senior execs in particular organisations.

Security clearing house US CERT's summary of the bug can be found here. ®

Related stories

• Cisco's solid quarter and recession-survival lessons (6 November 2008)
• Reg competition: Cisco goes isup (29 September 2008)
• Cisco eyeballs IBM and Microsoft with SaaS conferencing (24 September 2008)
• New Yorker gets 30 months for bogus Cisco gear (31 July 2008)
• Jumbo bug crashes Cisco anti-hacker appliances (19 June 2008)
• Cisco breaks cycle with IOS patch (22 May 2008)
• Cisco-baiting security co goes titsup (20 March 2008)
• Cisco hops onto patching treadmill (6 March 2008)
• Cisco's Web 2.0 enthusiasm helps profits climb (8 August 2007)
• Cisco Borgs WebEx (15 March 2007)
• WebEx sues Citrix for cybersquatting (4 February 2005)
• Web Conferencing – Ready for Prime Time (11 July 2003)