Security test firm Core Security Technologies has revealed a vulnerability affecting users of VMware’s desktop virtualization software that could enable complete access to host file systems.
The vulnerability could allow an attacker to create or modify executable files on the host operating system, says Iván Arce, CTO at Core Security Technologies.
The company’s discovery demonstrates that thousands of companies with virtualised systems could unknowingly be exposing critical information.
Core has now released code, enabling users to validate that the vulnerability exists, prove that it can be exploited, and safely assess the consequences of a network intrusion.
“What’s most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them,” says Arce.
“Organisations often adopt virtualisation technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualisation is not immune to security flaws and that ‘real’ environments aren’t safe simply because they sit behind virtual environments.”