BRUSSELS - July 7, 2006 - Internet Security Systems, Inc. (ISS) (NASDAQ:
ISSX), the worldwide leader in pre-emptive, enterprise security, today announced that its X-ForceR research and development team discovered a serious vulnerability in the ActiveX control used by the popular Web conferencing software, WebEx. ISS has worked closely with the company to resolve the vulnerability and according to WebEx, there have been no reported cases of users adversely affected by the now resolved vulnerability.
ISS X-Force has discovered a remotely exploitable vulnerability in the WebEx ActiveX control used to install the WebEx client on a user's machine when attending or hosting a meeting. WebEx uses ActiveX to download the software components needed for a meeting. With this vulnerability, the ActiveX control did not check the validity of the content or source of these additional components, which made it susceptible to attackers who have crafted a custom Web page to cause the WebEx ActiveX control to download and place malicious code on a user's machine.
WebEx has already updated customer sites and users' ActiveX controls are automatically upgraded when they access the service. WebEx has also made a website available for individuals interested in manually updating their installer,
http://www.webex.com/go/advisory.
"WebEx is widely used and trusted by organizations of all types and sizes,"
said Gunter Ollmann, director of ISS X-Force. "This widespread distribution of the vulnerable client ActiveX agent means that many workstation hosts within an organization may be the focus of an attack by merely browsing a malicious website."
If machines are exploited by this vulnerability, WebEx users could unknowingly expose confidential information to attackers or allow them to obtain access to and control over additional assets on a corporate network.
Compromise of corporate IT assets and classified information can lead to severe losses in productivity, finances and business reputation.
ISS has provided customers with pre-emptive protection for this flaw through its ProventiaR security platform. ISS' preemptive technology is based on the research and discoveries of its X-Force research and development team. By protecting against vulnerabilities rather than known exploits, ISS' Virtual
Patch(tm) technology keeps organizations ahead of Internet threats until they are able to obtain, test and apply patches from affected vendors.
The ISS X-Force advisory on this vulnerability can be found at: http://xforce.iss.net/xforce/alerts/id/226 About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor to thousands of the world's leading businesses and governments, providing preemptive protection for networks, desktops and servers. An established leader in security since 1994, ISS' integrated security platform automatically protects against both known and unknown threats, keeping networks up and running and shielding customers from online attacks before they impact business assets. ISS products and services are based on the proactive security intelligence of its X-ForceR research and development team - the unequivocal world authority in vulnerability and threat research.
ISS' product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at
www.iss.net or call +32 (0)2 479 67 97.
Internet Security Systems and Virtual Patch are trademarks and X-Force and Proventia are registered trademarks of Internet Security Systems, Inc. All other companies and products mentioned are trademarks and property of their respective owners.