VMware addresses ESX source code leaks with accelerated security patches

Five vulnerabilities patched that could have allowed an attacker to execute code on the virtual host server

Page 2 of 2

While the security post directly referred to the code leak incident, it wasn't clear as to the exact relationship between the newly announced vulnerabilities and the leaked source code file. Instead, VMware decided to frame the security discussion in a different way, making it sound as though the updates were part of the company's regular patching program. VMware stated: "In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products." The virtualization giant said these specific product releases may be exposed to increased risk, and they encourage all customers to view the security links to determine if appropriate patches are available for products in their environment.

As part of this security advisory, VMware also gave credit to Derek Soeder, a security researcher at Ridgeway Internet Security, for identifying some vulnerabilities. Soeder evidently reported two host memory overwrite vulnerabilities affecting ESX and ESXi to VMware back in December of 2011. He publicly raised security concerns in a blog post on March 30: "VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation."

To date, VMware has been fortunate enough to remain below the radar from a security standpoint. The multi-billion-dollar cloud and virtualization software company hasn't had to deal with the amount of security attacks that have plagued Microsoft on the operating system side of the fence. But when VMware has been faced with security challenges, the company has done a good job of alerting customers and making patches and updates available to address the security issues.

Whether or not the hacker(s) involved with stealing the VMware source code actually make good on the threat to leak more information, at the end of the day, one thing is clear: When VMware releases patches and updates that are marked as "critical," don't blink. VMware customers shouldn't take any chances with their virtualized infrastructures. In a physical environment, hackers have to concentrate on hacking individual servers or individual applications. But when you use server virtualization, a hacker can sometimes get away with entry to a single point of access to get at everything.

For now, worry less about the "what ifs" of leaked source code and worry more about known vulnerabilities, making sure to keep current on your patching levels.

Are you patched and up-to-date? If not, what are you waiting for? How concerned are you about the source code leak? Do you think VMware has it under control?

This article, "VMware addresses ESX source code leaks with accelerated security patches," was originally published at InfoWorld.com. Follow the latest developments in virtualization and cloud computing at InfoWorld.com.

| 1 2 Page 2