• E-mail this page
• |  Print this page
• | 
• | 
• | 

Virtualization: Just Another Layer Of Software To Patch?

Researchers at Core Security have issued an advisory warning users of a significant security flaw in a number of VMware desktop apps that could allow attackers to gain complete access to the underlying operating system.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Iván Arce, CTO at Core Security Technologies, in a statement.

The vulnerability affects VMware Workstation, Player, and ACE software. It is only exploitable when Shared Folders are enabled -- which is a default setting -- and at least one folder on the Host system is configured for sharing.

For enterprise users, this flaw doesn't affect VMWare's level 1 virtualization platforms, such as ESX. But on Thursday, the virtualization software maker did release a handful of vulnerabilities that do affect ESX. These flaws enable you to gain access to data and bypass security controls.

One of the first software applications I installed when I bought a MacBook Pro last summer was Parallels. After the initial amazement of running my Windows apps on my Mac wore off, I uninstalled it. I had quickly realized the level of complexity -- and risk -- I was bringing to my primary OS X operating system.

I'm much happier with Boot Camp. It runs at native speed. It doesn't hang. And I can harden it down and not worry, should it become comprised, that my primary OS also is at risk.

As for the current VMware flaw, Core Security recommends the following remedial actions:

Disable Shared Folders for all virtual machines that use the feature.

If the Shared Folders feature is required, configure it for read-only access.

If the Shared Folders feature is required, implement appropriate file system monitoring and access control mechanisms on the Host operating system.

Upgrade your VMware software to a nonvulnerable version.

(Don't you always just appreciate it when vendors suggest you UPGRADE your way out of a vulnerability?)

« Ubuntu: Linux's Obama (Sort Of) | Main | Windows Vista Childbirth Pack 1 »