VMware patches holes
VMware has announced updates for its Virtual Center, VMware Workstation, VMware Player, VMware ACE, VMware Server and VMware ESXi to resolve vulnerabilities. Only 64-bit versions of Windows and FreeBSD are affected, not Linux.
VMware manages to virtualise x86 code even on CPUs without Intel's VT or AMD's AMD-V hardware virtualisation extensions by running all Ring 0 code (the OS kernel and device drivers) through a software x86 emulator. The bug was discovered in this emulator: an error in the 64-bit CPU emulation makes the VM jump to the wrong address when it receives a JMP instruction.
According to the company, the bug hasn't been exploited to compromise a host, but it could result in privilege escalation.
The update also fixes a bug that shows user passwords in the clear in Virtual Center, VMware ESX and ESXi, and brings the Java version up to date (to version 1.50_16). Details of the affected versions and the patch are available on VMware's site.
See also:
- Bug report from VMware with download links
(lghp)