In association with heise online

14 April 2009, 14:53

VMware update prevents host code execution

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

VMware has released security updates for its hosted products to patch a critical vulnerability that allowed a guest operating system to execute code on its host. Host systems should not be affected by guest operating systems and the vulnerability represents a significant threat, as it could be used by the guest to infect the host with malware. VMware does not provide the exact details of the vulnerability, however, it is likely caused by a virtual device driver error related to the Display Function and the Framebuffer.

Affected versions include:

  • VMware Workstation <= 6.5.1
  • VMware Player <= 2.5.1
  • VMware ACE <= 2.5.1
  • VMware Server 2.0
  • VMware Server <= 1.0.8
  • VMware Fusion <= 2.0.3
  • VMware ESXi 3.5 without Patch ESXe350-200904201-O-SG
  • VMware ESX 3.5 without Patch ESX350-200904201-SG
  • VMware ESX 3.0.3 without Patch ESX303-200904403-SG
  • VMware ESX 3.0.2 without Patch ESX-1008421

An exploit, called Cloudburst, using the vulnerability has already been demonstrated on video by Immunity under Windows Vista.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-741143
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit