VMWare Software Vulnerability Discovered

virtualization Windows software computer

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Core Security's CTO Ivn Arce. He said organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture, but this discovery acts as a "wake-up call" for IT managers' security.

"It is signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments," he said.

CoreLabs, the research center of Core Security Technologies, discovered the vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when shared folders are enabled and at least one folder on the host system is configured for sharing. The announcement comes on the eve of VMWare's first annual VMworld Europe conference.

VMWare acknowledged the flaw and has told users to disable shared folders, and said the vulnerability isn't present in its server line because VMware Server and ESX Server do not use shared folders. Core Security also recommended disabling shared folders, or, if the shared folders feature is required, to reconfigure it for read-only access.

This is the second security alert in as many weeks for the Palo Alto-based company. On February 22 VMWare issued patches to fix vulnerabilities in its ESX Server, which could allow hackers to circumvent security controls and view sensitive information.