A vulnerability in the custom application permissions handling for Cisco WebEx Meetings for Android could allow an unauthenticated, remote attacker to change platform-specific permissions of a custom application. The vulnerability is due to the way custom application permissions are assigned at initialization. An attacker could exploit this vulnerability by downloading a malicious Android application to the mobile device. An exploit could allow the attacker to utilize the custom application to silently acquire the same permissions as the WebEx application.

In other words, you might be tricked into downloading an Android game or flashlight utility which *doesn't* ask for permission to access your address book, your photographs, your microphone, camera, and more... but then exploits the bug in the WebEx Meetings to do precisely that, without any permissions warning being displayed.

Fortunately, Cisco has seen no evidence that the security hole has been exploited in malicious attacks. That's great news, but it's clear that businesses will want to ensure that their staff are only running the latest version of the WebEx Meetings app on their Android devices, as company sensitive information could potentially be put at risk.

Cisco says that the only way to fix the problem is to update the WebEx Meetings app on your Android device - no alternative mitigations are available.

I would also advise only downloading apps from the official Google Play store. Although Google doesn't have a spotless record when it comes to keeping malware out of its official Android app store, it's clearly a good deal safer than third-party sites.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.