On the same day that Cisco issued 12 advisories addressing vulnerabilities in its product line – all but one resolved via updates – Google yesterday announced the stable release of Chrome 53, which contains 33 of its own security fixes.
Of the dozen flaws Cisco disclosed in its alert, two are critical: an SNMP (Simple Network Management Protocol) unauthorized access vulnerability in Cisco Small Business 22 Series Smart Plus Switches, and an arbitrary code execution vulnerability in its WebEx Meetings Player.
The former could allow a remote attacker to gain unauthorized access to SNMP objects on an affected device “due to the presence of a default SNMP community string that is added during device installation and cannot be deleted,” Cisco explained in its alert. The latter vulnerability stems from the improper handling of user-supplied files and could allow remote attackers to execute code upon tricking users into opening a malicious file on the WebEx software.
Cisco resolved all of the disclosed flaws with firmware or software updates, except for an authenticated directory traversal vulnerability in the web interface of Cisco Hosted Collaboration Mediation Fulfillment. This medium-severity flaw, if exploited, could allow a remote attacker to access arbitrary files on the system.
Meanwhile, Google’s release of Chrome 53 for Windows, Mac and Linux, which will roll out over the coming weeks, includes fixes for 13 high-severity security issues. Google is withholding details until most users have been updated. However, the bugs have been categorized as universal cross-site scripting in the Chromium browser engine Blink; script injection in extensions; use-after-free in Blink, PDFium and event bindings; heap overflow in PDFium; use-after-destruction in Blink; and address bar spoofing.