VMware issues 'critical' security alert

Attackers exploiting a VMware flaw would have the ability to run code

VMware has warned of a 'critical' vulnerability in several of the company's virtualisation products.

The issue exists in a shared folders feature which allows guest access to files.

An advisory released by the company warned that an attacker with access to a guest folder could exploit the vulnerability to gain complete access to the machine running VMware.

The attacker would also have the ability to run code, allowing for the remote installation and execution of malware.

The vulnerability affects the Windows versions of VMware Workstation 6.0.2 and earlier versions, Player 2.0.2 and earlier and ACE 2.0.2 and earlier. VMWare Server, ESX Server or any Mac or Linux VMWare products are not affected.

The company credited security firm Core Security Technologies with discovering the flaw.

Sans researcher Raul Siles pointed out that the flaw could pose the greatest danger to the very people who fight malware.

"The impact on production environments is supposed to be limited as they tend to use the server versions," Siles wrote on a company blog.

"However, as security professionals, we make extensive use of virtualisation technologies for malware analysis, incident response, forensics, security testing, training etc, and we typically use the client versions of the products. "

There is no fix for the flaw currently available. VMware urged users to protect against the attack by disabling the shared folders feature.

VMware Security Alert: Critical VMware Security Alert for Windows-Hosted VMware Workstation, VMware Player, and VMware ACE