VMware repairs security bugs
By Dave Nixon
March 19, 2008
VMware has acknowledged and fixed seven security bugs in the free edition of its hypervisor, which could let hackers launch denial-of-service attacks, change user privileges and forge RSA key signatures.
VMware identified the problems in VMware Server, the company’s free server virtualisation software, and fixed them in the recently released version 1.0.5. VMware initially reported the problems Monday, according to a Secunia security advisory, which classified the vulnerabilities as “less critical.”
VMware performed an internal security audit that found an insecurely created object that malicious users could take advantage of to “escalate privileges or create a denial-of-service attack,” VMware states on its website.
Two additional bugs also let users gain privileges they’re not entitled to.
One vulnerability that allows users to forge RSA key signatures was resolved by upgrading VMware Server to a newer version of OpenSSL, an open source security toolkit.
The vendor also found that VMware Workstation, which lets multiple operating systems run concurrently on a single PC, contained a vulnerability when running on Windows that gives a guest machine complete access to a host’s file system, including the “ability to create and modify executable files in sensitive locations.”

