Cisco has rolled out patches for several critical flaws affecting the Jabber clients for Windows, MacOS, and the mobile apps for iOS and Android. 

The flaws are bad, with the worst having a severity rating of 9.9 out of a possible 10. What's worse, the flaws were meant to have been fixed three months ago[1] in updates for Jabber, shortly after researchers released proof-of-concept exploit code for the wormable bugs, which can be exploited via an instant message. 

Jabber is Cisco's widely-used enterprise chat and instant-messaging platform, which it acquired in 2008. The app is based on the Chromium Embedded Framework (CEF)[2], which allows developers to embed a natively sandboxed Chromium-based web browser in their applications.  


Cisco says the bugs allow an attacker to "execute arbitrary programs on the underlying operating system with elevated privileges or gain access to sensitive information". Customers have no other option but to install the latest updates to prevent attacks. 

Norwegian security outfit Watchcom found earlier this year that Jabber was vulnerable to cross-site scripting (XSS) through XHTML-IM messages. Jabber did not properly sanitize incoming HTML messages and instead passed them through a faulty XSS filter.
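The mitigation for this class of bug is to render incoming XHTML-IM (XEP-0071) bodies through an allowlist rather than a blocklist-style XSS filter. The sanitizer below is an added example written for this article, not Cisco's or Watchcom's code; the element and attribute allowlists are assumptions chosen for a chat client, and the sample message is constructed.

```python
"""Allowlist sanitizer for XHTML-IM (XEP-0071) message bodies (constructed example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XHTML_NS = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML_NS)  # serialize with a default xmlns, not ns0: prefixes

# Only elements a chat client needs for rich text; anything else is dropped with
# its whole subtree, which covers script, iframe, object, img and so on.
ALLOWED_TAGS = {"body", "p", "span", "br", "strong", "em", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}  # per-element attribute allowlist: no style, no on* handlers
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp"}  # rejects javascript:, data:, and so on

def _safe_url(value):
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES

def _clean(elem):
    """Return a sanitized copy of elem, or None if the element must be dropped."""
    name = elem.tag.rsplit("}", 1)[-1]  # strip ElementTree's {namespace} prefix
    if name not in ALLOWED_TAGS:
        return None
    out = ET.Element(f"{{{XHTML_NS}}}{name}")
    for attr, value in elem.attrib.items():
        if attr in ALLOWED_ATTRS.get(name, set()) and (attr != "href" or _safe_url(value)):
            out.set(attr, value)
    out.text = elem.text
    for child in elem:
        cleaned = _clean(child)
        if cleaned is not None:
            cleaned.tail = child.tail
            out.append(cleaned)
        elif len(out):  # keep the visible text that followed a dropped element
            out[-1].tail = (out[-1].tail or "") + (child.tail or "")
        else:
            out.text = (out.text or "") + (child.tail or "")
    return out

def sanitize_xhtml_im(xml_text):
    """Parse an XHTML-IM <html> wrapper and return its sanitized <body> as a string."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ""  # malformed markup renders as nothing rather than being guessed at
    body = root.find(f"{{{XHTML_NS}}}body")
    return ET.tostring(_clean(body), encoding="unicode") if body is not None else ""

SAMPLE = (  # constructed incoming message: bad href, event handler, script element, img
    "<html xmlns='http://jabber.org/protocol/xhtml-im'><body xmlns='http://www.w3.org/1999/xhtml'>"
    "<p>hi <a href='javascript:void(0)' onclick='handler()'>link</a> <script>untrusted()</script>there</p>"
    "<img src='x' onerror='handler()'/></body></html>")
```

Running `sanitize_xhtml_im(SAMPLE)` keeps only the paragraph text and a bare link; the script element, the event handlers and the non-HTTP href are gone before anything reaches the embedded browser.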

Cisco notes that the new message-handling vulnerabilities can be exploited if an attacker can send Extensible Messaging and Presence Protocol (XMPP) messages to end-user systems running Cisco Jabber. 

"Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients," Cisco notes in an advisory[4].

The three incompletely fixed bugs are tracked as CVE-2020-26085, CVE-2020-27127, and CVE-2020-27132. 

Watchcom reported four vulnerabilities to Cisco earlier this year, and they were disclosed by the networking giant in September. But three of them
