VMware fixes security bugs

VMware has identified and fixed seven security bugs in the free version of its hypervisor, which could let hackers launch denial-of-service, change user privileges and forge RSA key signatures.

VMware identified the problems in VMware Server, the company’s free server virtualization software, and fixed them in newly released version 1.0.5.  VMware first reported the problems Monday, according to a Secunia security advisory, which classifies the vulnerabilities as "less critical." Users should upgrade to version 1.0.5 to avoid potential security problems.
VMware conducted an internal security audit that found an insecurely created object that malicious users could exploit to "escalate privileges or create a denial-of-service attack," VMware states on its Web site.

Two other bugs also let users attain privileges they’re not entitled to.

One vulnerability that lets users forge RSA key signatures was solved by upgrading VMware Server to a newer edition of OpenSSL, an open source security toolkit.

The vendor also found that VMware Workstation – which lets multiple operating systems run concurrently on a single PC – contained a vulnerability while running on Windows that allows a guest machine complete access to a host’s file system, including the "ability to create and modify executable files in sensitive locations."

VMware, the market share leader in server virtualization, has publicly put a high priority on security recently, with the release of a new set of APIs that gives security vendors access to its hypervisor. This should lead to better protection against viruses, Trojans and keyloggers in the future, VMware says.