
      Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 11 December, 2020 - 12:43


    Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again.

    The vulnerability, which was first disclosed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app failed to properly filter potentially malicious elements contained in user-sent messages. The filter was based on an incomplete blocklist that could be bypassed using a programming attribute known as onanimationstart.

    Messages that contained the attribute passed directly to the DOM of an embedded browser. Because the browser was based on the Chromium Embedded Framework, it would execute any scripts that made it through the filter.


      Cisco rolls out fix for Webex flaws that let hackers eavesdrop on meetings

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 18 November, 2020 - 19:35


    Cisco is rolling out fixes for three vulnerabilities in its Webex video-conference software that made it possible for interlopers to eavesdrop on meetings as a “ghost,” meaning they could view, listen, and more without being seen by the organizer or any of the attendees.

    The vulnerabilities were discovered by IBM Research and IBM’s Office of the CISO, which analyzed Webex because it’s the company’s primary tool for remote meetings. The discovery comes as work-from-home routines have driven a more than fivefold increase in the use of Webex between February and June. At its peak, Webex hosted up to 4 million meetings in a single day.

    The vulnerabilities made it possible for an attacker to:
