Virtual infrastructure software maker VMWare Inc. has rushed out fixes for a “very serious” security flaw that put users of its product line at risk of code execution attacks.
The vulnerability, which affects both Windows and Linux systems, affects VMware Workstation 5.5, VMware GSX Server 3.2, VMware ACE 1.0.1 and the free VMware Player 1.0. All previous versions of these products are also affected.
VMWare, of Palo Alto, Calif., acknowledged the vulnerability in a published advisory and warned that it is possible for a malicious guest using a NAT networking configuration to execute unwanted code on the host machine.
The company rates the vulnerability as “very serious” and recommends that affected users apply the updates provided or change the configuration of the virtual machine so it does not use NAT networking.
“If you choose not to update your product but want to ensure that the NAT service is not available, you can disable it completely on the host,” VMWare said.
The flaw presents the biggest risk to malware researchers who use VMWares virtual computing software during the audition of virus, spyware and rootkit files. It could allow a malicious hacker to sidestep the virtual machine and exploit the underlying operating system.
“Since VMware is used heavily in malware research, this is an obvious danger,” said Alex Eckelberry, president of anti-spyware vendor Sunbelt Software Inc. “If youre running [Windows] XP and youre running VMWare, the exploit could jump out of the virtual session and affect the underlying system.”
Jim Clausing, an incident handler with the SANS ISC (Internet Storm Center) said the risks are significant for VMWare customers who use the affected product for malware analysis or to isolate/sandbox Web browsing.
In an interview, Clausing warned that there is a Metasploit module that provides a successful exploit of the vulnerability. “If youre using VMWare, you should be updating to the latest builds immediately, or you should be disabling NAT,” he said.
Tim Shelton, the researcher credited with reporting the flaw, has published a proof-of-concept demonstration that shows how the buffer can be overwritten to launch exploit code.
Security alerts aggregator Secunia rates the flaw as “moderately critical.”
The security hiccup comes at a sensitive time for VMWare. Earlier this month, the company released the VMWare Player as a free download to Windows and Linux users. In addition, VMWare announced a partnership with Mozilla Corp. to deliver the Browser Appliance, a virtual machine powered by Firefox that allows users to securely browse the Internet.
At the time, the company said the Firefox Browser Appliance can be combined with the VMware Player to protect against adware, spyware and other malware and to protect personal information.
