The flaw is in the WebEx ActiveX control used to install the WebEx client on a user's machine for attending or hosting meetings. The control is designed to be an installer of objects for WebEx by taking requests from legitimate sources to download and install additional content, said Gunter Ollman, director of ISS X-Force.
"Unfortunately the vulnerability lies in the fact that you don't have to be WebEx to make calls to this particular control," Ollman said. "So anyone can make calls to this control to install whatever software they wanted to any place on the system."
WebEx has already updated customer sites, and users' ActiveX controls are automatically upgraded when they access the server. But Ollman warned that users who use WebEx only sporadically are at risk of attack if they haven't used the client recently. Users can also manually update the control via the WebEx website.
Ollman said that this vulnerability highlights the risks of soft client applications such as web conferencing, toolbars and small footprint VoIP applications.
"We get asked by customers to look at key threats that they see are going to be coming up," he said. "One of the hot topics for a lot of these organizations [is] web conferencing software because frankly they use it throughout the organization and it is yet another third-party application they have no control over and it is installed by users."