A critical glitch in VMware’s virtualisation software for Windows lets attackers escape the "guest" operating system and modify the underlying "host" operating system, the company has admitted.
The flaw, affecting virtualisation programs such as Workstation, Player and ACE, was the second security-related notice posted by VMware in a week – as analysts repeated warnings about the increased use of virtual machines.
On Sunday, VMware still had no patch available for the reported bug. However it says its virtual machine software for Windows servers and for Mac- and Linux-based hosts are not at risk.
The bug was brought to light by Core Security Technologies, makers of the penetration-testing framework Core Impact. Because it is found is in the shared-folder feature of VMware’s Windows client-based virtualisation software, the company has advised users to disable these.
Shared folders let users access certain files, usually documents and other application-generated files, from the host operating system and any virtual machine on that physical system.
"On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations," confirmed VMware.
The company insisted the vulnerability isn't present in its server line of virtual machine software, because VMware Server and ESX Server do not use shared folders. Newer versions of VMware's Windows client virtualisation tools also disable shared folders by default, it added. Users must manually activate the feature to be vulnerable.
A similar bug was reported by VeriSign's iDefense Labs to VMware in March 2007. VMware patched it about a month later.
Last week, VMware also patched its ESX Server line to quash five bugs that could be used to slip past security restrictions, launch denial-of-service attacks or compromise virtualised systems.
Researchers and IT administrators have previously noted the security problems created by reliance on increased virtual machines, particularly on enterprise servers. After the latest VMware glitch, an analyst at the SANS Institute's Internet Storm Center (ISC) extended that warning to desktop virtualisation users, particularly security professionals.
"We make an extensive use of virtualisation technologies for multiple purposes: malware analysis, incident response, forensics, security testing, training [and so on], and we typically use the client versions of the products," said Raul Siles in a post to the ISC blog. "It is time to disable the shared-folder capabilities."