Administrators can mitigate this vulnerability by using the kill bit
feature of Microsoft Windows to prevent the loading and execution of the
vulnerable ActiveX control. Administrators must use the Class identifier
(CLSID) of the vulnerable ActiveX control to disable the control. The affected
Instructions for setting the kill bit in Microsoft Windows are
available at the following link:
Note: Kill bit settings are permanent. The settings
must be removed to regain Cisco Secure Desktop functionality. After an
administrator has updated the Cisco Secure Desktop software to a fixed version
on VPN portal devices, the kill bit must be removed from Microsoft Windows
clients in order to allow the Cisco Secure Desktop software to be upgraded.
Once the kill bit is removed, clients may be vulnerable until a fixed Cisco
Secure Desktop version is installed.
Update: Cisco Secure Desktop software version 3.5.1077
replaces the old, vulnerable ActiveX CLSID with a newly issued CLSID. New
installations and upgrading from an older version of Cisco Secure Desktop will
use the new CLSID. Once the software upgrade has been installed on client
systems, administrators can safely and permanently implement the ActiveX kill
bit workaround for the old CLSID in their environment.
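The kill-bit procedure described above, as an added PowerShell example that is not part of the Cisco advisory. It writes the documented Compatibility Flags value (0x400) under the Internet Explorer ActiveX Compatibility key, and provides the verify and remove steps the note requires before a client-side upgrade; the CLSID is a placeholder because the advisory text here does not include it, and the script assumes it is run from an elevated session.

```powershell
# Added example (not from the Cisco advisory): set, verify and remove the
# ActiveX kill bit for one CLSID. Kill bit = 0x400 in "Compatibility Flags".
# PLACEHOLDER CLSID: substitute the vulnerable control's CLSID from the advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# On 64-bit Windows both the native and the 32-bit (Wow6432Node) views matter;
# keep only the paths whose parent key exists on this machine.
$KillBitPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Get-CompatFlags($path) {
    # Returns the current flags, or 0 if the key or value does not exist.
    $v = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [int]$v
}

function Set-ActiveXKillBit {
    foreach ($path in $KillBitPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR in the kill bit so any other flags already present are preserved.
        $flags = (Get-CompatFlags $path) -bor 0x400
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    # $true only when the kill bit is set in every applicable registry view.
    $results = foreach ($path in $KillBitPaths) { [bool]((Get-CompatFlags $path) -band 0x400) }
    return ($results -notcontains $false)
}

function Remove-ActiveXKillBit {
    # Clears only the kill bit; the advisory requires this before the client
    # can be upgraded, after which the fixed version (new CLSID) is installed.
    foreach ($path in $KillBitPaths) {
        if (Test-Path $path) {
            $flags = (Get-CompatFlags $path) -band (-bnot 0x400)
            Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
        }
    }
}

Set-ActiveXKillBit
"Kill bit set for $Clsid in all views: $(Test-ActiveXKillBit)"
```

Run `Remove-ActiveXKillBit` on the client before upgrading Cisco Secure Desktop, then re-run `Set-ActiveXKillBit` against the old CLSID once version 3.5.1077 or later is installed, as the advisory's update describes.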
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory: