VMware pledges to improve security, considers scheduling patch updates

More than 1,700 VMUG members respond to survey with insightful info that could help shape future security processes

It used to feel like Patch Tuesday was a problem that only Microsoft had to deal with. As Microsoft Windows was the major operating system deployed, it only made sense that this was where hackers preferred to spend most of their time creating malware, viruses, and exploits.

But as virtualization and cloud computing become the new top-level OS, as it were, within the data center, the hypervisor layer is becoming a more attractive target for breaches and attacks. Would-be hackers going after a virtualized data center will look for vulnerabilities within the hypervisor, the virtual machines, or the virtual networks in hopes of being able to find an exploit that can help them get their hands on the keys to the entire kingdom.

[ Also on InfoWorld: GreenBytes attacks storage costs and IO bottlenecks within VDI | The future looks bright for VMware Flings | Track the latest trends in virtualization in InfoWorld's Virtualization Report newsletter. ]

For years, it seemed as though VMware only had to be concerned with Microsoft guest OS security issues. But as the hypervisor became more and more commonplace within the data center, the target on VMware's back seemed to expand.

VMware has always had to deal with security issues, patches, and fixes. That's nothing new. For the most part, they were fairly well contained within the VMware community. While VMware did its best to alert users and provide a fix or workaround in a fairy reasonable time frame, the security issues never seemed to make headlines outside of virtualization circles.

Even though the hypervisor is becoming more of a commodity play with increased competition coming from Microsoft, Citrix, Red Hat, and Oracle, it seems as though VMware has seen a spike in the number of threats made against its virtualization products. Or perhaps these security threats are just being more commonly reported in today's mainstream media. Either way, security concerns are on the rise.

Things really changed last year when three separate incidents of VMware's confidential source code from the ESX hypervisor were leaked and posted online by hackers. This raised more than a few eyebrows, and the news went far and wide. In December 2012, VMware security problems extended themselves over to the company's desktop virtualization software, VMware View. It was found that an unauthenticated remote attacker could execute a directory traversal attack to retrieve random files from an affected View server, potentially exposing sensitive information on that server. Even more recently -- last month, in fact -- VMware warned of another vulnerability with its VMCI.SYS driver, which could result in a privilege escalation on Windows-based hosts and on Windows-based guest operating systems.

To be fair, VMware has often been quick to fix these security issues or come up with a workaround. But the company is now rethinking its process. The question posed to its user community was whether VMware should continue its "just in time" approach or if it should release a fixed schedule of security patches, à la Microsoft's Patch Tuesday.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies