Security update for Cisco's Secure Desktop
Cisco has released version 220.127.116.11 of Cisco Secure Desktop (CSD) for download. The update fixes three vulnerabilities. In one of them, CSD records some session information outside the CSD vault when a homepage is displayed automatically after an SSL VPN connection is established. The CSD vault is meant to hold user data in a secure environment, protecting it against unauthorised access during operation and afterwards. Under certain circumstances, the flaw could allow the browsing history and the cache to be read once CSD has terminated.
Another error in CSD allows users to switch between specific programs on the Secure Desktop and the operating system's normal, invisible desktop, even if the configuration expressly forbids this. Users can also gain elevated access rights on the system by replacing specific CSD binaries with their own programs; the update removes the user's write privileges for the CSD installation folder.
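To confirm on an endpoint that the installation folder and its binaries are no longer writable by ordinary users, the folder's ACL can be audited. The following PowerShell is an added example, not code from Cisco or iDefense; the function name, the list of trusted SIDs and the folder path are assumptions, since the article does not give the CSD installation path.

```powershell
# Added example: list ACL entries that let a non-administrative principal
# modify an installation folder or the executables inside it.
function Find-WritableInstallAcl {
    param(
        # Assumption: the caller supplies the folder; the article names no path.
        [Parameter(Mandatory = $true)][string]$InstallDir
    )

    # Principals expected to hold write access (assumed baseline):
    # SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
    $trusted = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )

    # Specific rights that allow planting or replacing a binary. Read bits are
    # deliberately excluded so read-only entries do not match.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE | GENERIC_ALL, which can appear in inherit-only entries.
    $genericBits = 0x50000000
    $mask = $writeBits -bor $genericBits

    # Check the folder itself and every executable or library below it.
    $targets = @(Get-Item -LiteralPath $InstallDir) +
               @(Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
                 Where-Object { $_.Extension -in '.exe', '.dll' })

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs so the comparison does not depend on localized names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $isAllow  = $rule.AccessControlType -eq 'Allow'
            $canWrite = ([int]$rule.FileSystemRights -band $mask) -ne 0
            if ($isAllow -and $canWrite -and $rule.IdentityReference.Value -notin $trusted) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Placeholder path; replace with the actual CSD installation folder.
# Find-WritableInstallAcl -InstallDir 'C:\Path\To\CSD'
```

An empty result means no allow entry grants write-type access to anyone outside the trusted list; any returned row identifies a path where a binary could still be replaced.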
- Multiple Vulnerabilities in Cisco Secure Desktop, security advisory from Cisco
- Cisco Secure Desktop Privilege Escalation Vulnerability, security advisory from iDefense