Earlier this summer Cisco release the following security advisory for Anyconnect and CSD. The advisory warns of an exploit within the ActiveX and Java applet that are used to web-deploy Anyconnect and CSD. The exploit allows for abitrary code execution that will run at the priviledge level of the user.
As a quick summary:
1) A code exploit was discovered and reported to Cisco within CSD and Anyconnect software.
2) Cisco patched the software and released new version with the fix - June/July 2012
3) Cisco removed the vulnerable versions from cisco.com - June/July 2012
4) Cisco has asked Microsoft and Oracle to push the "kill bits" for the applets that are vulnerable
5) It is expected that Microsoft on Sept 11 2012 will be pushing the "kill bit" (patch Tuesday) with KB2736233
6) It is expected that Oracle will be pushing the equivilant "java hash" in a future update
After receiving the "kill bit" update from Oracle or Microsoft the end user will no longer be able to use web-start to initiate the vpn connection. The end user will see the following screens from within the browser.
a) Sample screen shot in Internet Explorer (ActiveX applet)
Note: User will not see the capability to let the applet run, as it has be denied due to kill-bit. After ActiveX fails the browser will try to run Java.
b) Sample screen shot of Java Applet
Users will just start seeing these error messages after their system has had the security updates applied from Microsoft and/or Oracle.
So the good news is this is easy to fix:
All the vulerenable versions of AnyConnect and CSD have already been removed from Cisco.com. As a result if you just download a current version from the website it will have the fix in it.
Generally it is a good idea to stick with the same version that you are running so if you are current running:
Anyconnect 2.5.xxxx upgrade to 2.5.6005 or later
Anyconnect 3.0.xxxx upgrade to 3.0.10055 or later
Alternatively you could upgrade to the latest 3.1 version.
For CSD upgrade to Cisco Secure Desktop 3.6.6020 or later.