An Adobe Wannbe?
Cisco seems to be trying to overtake Adobe and Slurp for the production of the most dangerous malware people are forced to use.
Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed. About 20 million people actively use this broken software. All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret " …
They've made a good effort in doing just that with this little beauty.
I honestly don't know how anyone could ever write the code for such a thing at any point in the past 20 years and not stop what they're doing. It must take a special kind of blindness (I'm being generous in not using words like lunatic, idiot, numpty, raving moron) to be able to do it. Presumably someone else somewhere in Cisco reviewed the code and also failed to spot it?
If that's what they do with things like a browser plug in, what's their router source code like?!
I honestly don't know how anyone could ever write the code for such a thing ...
Because "Knowledge Work" is becoming a lot like the assembly lines of old. Programmers are just "hands", waiting in lines outside the virtual factory gates. Fungible resources traded on the global "Marketplace". That attitude is of course returned within the work that they do.
The attitude is: ""I" don't know these people "I" am working for, the pay is shit and they don't care about me, so who cares what happens to them and their bullshit business!? I do *exactly* what they paid for, *nothing* else."
I left IT to go back to Electrical Engineering, because, more and more "we" relied on "gig programmers", consultants and people in India or Ukraine (with the Indians one spent as much time arguing and fixing their crap as one would have done coding it) the Ukrainians were good, however, if "you" are not equally good - how does one know that they didn't slip something Extra in, for their other jobs, with Mob, NSA or FSB?
The consultants cars got ever crappier, so, I figured it was time to leave before that person in the shoddy vehicle would be me.
Cisco are now inadvertently promoting themselves as an attack vector; their clients who trust their brand, now have to rethink the trust that they have invested in Cisco network equipment. The culture within Cisco development and test teams needs to be addressed. The code base that created this plug in needs to be audited, the worry is, was this deliberate? Did Cisco hire a developer who had ulterior motives when he/she was writing the code?
>was this deliberate?
Yeah, that's a good question. The assumption most of you have so far is that it was just a nitwit or dishonest dev. Just because this is a massive fail doesn't mean it didn't take time to set up and why would a dev do it on her/his own initiative? That stupid? And it never got caught by QA/reviews?
On the other hand, could it be a magic, lazy, get-out-of-jail free feature? Just in case something goes really wrong and you want to figure out what's going on, customer-side. You have a backdoor and you use it.
Not really different from a secret hardcoded, unchangeable, root password, is it? And we never see those either, of course. But, if that's the case, then don't call that a bug, please, because it would have been sanctioned at higher levels than individual incompetent devs.
Of course, the fact that it nukes security is irrelevant. It's more important that it solves Cisco/insert-other-dodgy-vendors' support problems.
Crap movies have The Razzies
Why not have an award for appealingly buggy software?
I suggest that El Reg is the right place to host it; what do you think?
Suggested topics could include:
Most Insecure software
Phone producers with the most bloatware
Corporation with most leaks
Corporation with most spyware
Website with crappiest interface
Website with most offensive/in-your-face adware
This would be difficult to police and to manage. The idea of putting bad products / software / hardware onto some sort of naughty step, sounds good until you start to think through how it would work. If someone fixes their software bug, do they have a right to be removed from this red banner board, who is going to do that for them and which independent party is going to test their software to verify that the bug has disappeared. I think that some form of accreditation might be more workable, this would require a software house to pay for the testing to take place in order to get a Good/Healthy software kite mark. There are precedents for this such as fire safety regulations for electrical appliances when the law requires that manufactures who sell in the UK must comply with certain legal requirements.
Probably the very same coders.
The facts:
Adobe's been laying off programmers, mostly the terrible ones.
Cisco has been desperate to hire programmers with experience in coding multi-media applications.
Cisco and Adobe's offices are within shouting distance.
So, I would assume that the programmers that got laid off from Adobe would be going to Cisco. Fairly easy transition, what with staying in the same niche and the commute is not altered that much. So the same morons that botched Flash probably now have their greasy mitts all over Cisco's code.
Two Words: Skype For Business!
"It's Free!" Says your penny-pinching manager!
We ditched something else (can barely remember what it was) for WebEx a couple years ago. Now we're ditching WebEx for Skype. I'm sure when that proves unusable we'll go either back to Option A or perhaps find Option D.