New VMware Releases

VMware Server Version 1.0.5 (free) / http://www.vmware.com/download/server
  • A security vulnerability in OpenSSL 0.9.7j could make it possible to forge an RSA key signature. VMware Server 1.0.5 upgrades OpenSSL to version 0.9.7l to avoid this vulnerability.
  • An internal security audit determined that a malicious user could attain and exploit LocalSystem privileges by causing the authd process to connect to a named pipe that is opened and controlled by the malicious user. In this situation, the malicious user could successfully impersonate authd and attain the privileges under which authd is executing.
  • An internal security audit determined that a malicious user could exploit an insecurely created named pipe object to escalate privileges or create a denial-of-service attack.
  • This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities.
  • A vulnerability in VMware Workstation running on Windows allowed complete access to the host's file system from a guest machine. This access included the ability to create and modify executable files in sensitive locations.
  • The authd process read and honored the vmx.fullpath variable in the user-writable file config.ini, creating a security vulnerability.
  • The config.ini file could be modified by a non-administrator to change the VMX launch path. This created a vulnerability that could be exploited to escalate a user's privileges.

VMware Workstation 6.0.3 / http://www.vmware.com/download/ws

  • On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system.
  • An internal security audit determined that a malicious user could attain and exploit LocalSystem privileges by causing the authd process to connect to a named pipe that is opened and controlled by the malicious user. In this situation, the malicious user could successfully impersonate authd and attain the privileges under which authd is executing.
  • This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities.
  • This release updates the OpenSSL library to address various vulnerabilities to denial-of-service attacks and buffer overflows.
  • Workstation 6.0.2 allowed anonymous console access to the guest by means of the VIX API. This release, Workstation 6.0.3, disables this feature. This means that the Eclipse Integrated Virtual Debugger and the Visual Studio Integrated Virtual Debugger will now prompt for user account credentials to access a guest.

VMware Player 2.0.3 (free) / http://www.vmware.com/download/player

  • On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system.
  • Ubuntu 7.04 virtual machines sometimes power off unexpectedly if paravirtual kernel support is enabled.

VMware ACE 2.0.3 / http://www.vmware.com/download/ace

Also, you can find VMware Server 2.0 Beta (free) here:

Posted by Gabriel Maciel
