Sponsored By

Virtualization: Just Another Layer Of Software To Patch?

Researchers at Core Security have issued an advisory warning users of a significant security flaw in a number of VMware desktop apps that could allow attackers to gain complete access to the underlying operating system.

2 Min Read

Researchers at Core Security have issued an advisory warning users of a significant security flaw in a number of VMware desktop apps that could allow attackers to gain complete access to the underlying operating system."What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Iván Arce, CTO at Core Security Technologies, in a statement.

The vulnerability affects VMware Workstation, Player, and ACE software. It is only exploitable when Shared Folders are enabled -- which is a default setting -- and at least one folder on the Host system is configured for sharing.

For enterprise users, this flaw doesn't affect VMWare's level 1 virtualization platforms, such as ESX. But on Thursday, the virtualization software maker did release a handful of vulnerabilities that do affect ESX. These flaws enable you to gain access to data and bypass security controls.

One of the first software applications I installed when I bought a MacBook Pro last summer was Parallels. After the initial amazement of running my Windows apps on my Mac wore off, I uninstalled it. I had quickly realized the level of complexity -- and risk -- I was bringing to my primary OS X operating system.

I'm much happier with Boot Camp. It runs at native speed. It doesn't hang. And I can harden it down and not worry, should it become comprised, that my primary OS also is at risk.

As for the current VMware flaw, Core Security recommends the following remedial actions:

"

  • Disable Shared Folders for all virtual machines that use the feature.

  • If the Shared Folders feature is required, configure it for read-only access.

  • If the Shared Folders feature is required, implement appropriate file system monitoring and access control mechanisms on the Host operating system.

  • Upgrade your VMware software to a nonvulnerable version.

"

(Don't you always just appreciate it when vendors suggest you UPGRADE your way out of a vulnerability?)

About the Author(s)

George V. Hulme, Contributing Writer

Contributor

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights