Channel Register

Original URL: http://www.channelregister.co.uk/2007/09/24/vmware_update/

VMware updates take aim at bug swarm

By John Leyden
Published Monday 24th September 2007 14:57 GMT

Wall Street darling VMware released patches that address multiple vulnerabilities in its products this week.

The virtualisation firm, which recently went public, issued updates to fix bugs in various versions of VMware ACE, VMware Player, VMware Server and VMware Workstation.

The flaws range in severity, with some allowing malicious users to crash vulnerable systems or local users to gain escalated privileges, while others enable hackers to inject malicious code into vulnerable systems.

Security notification firm Secunia has a summary of the update here (http://secunia.com/advisories/26890). Credit for discovering the bugs goes to security researchers at ISS, McAfee, and Foundstone.

A more detailed summary of the bugs can be found on a posting by VMWare on a full disclosure mailing list here (http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html).

Many of the updates address vulnerabilities in underlying third-party code that have been known about for some time, the SANS Institute's Internet Storm Centre (ISC) notes. The increased use of virtualisation in corporate data centres and elsewhere has raised the profile of the technology.

Handlers at the ISC describe how the technology is showing signs of becoming a battleground between security researchers and crackers, as well as outlining a possible response, in a thought-provoking posting here (http://isc.sans.org/diary.html?storyid=3411). ®

© Copyright 2008