VMware released an update to VMware Workstation 8.0.3 Build 703057 yesterday (May 3, 2012). The update is a security update addresses two vulnerabilities that would allow out-of-bounds memory writes on floppy and SCSI devices under certain conditions. The vulnerabilities may allow specially crafted attacks to crash the VMX process (i.e. crash the running VM) or theoretically execute commands on the host. The VMware Workstation 8.0.3 release notes can be found here: https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html.
VMware’s security advisories for these vulnerabilities can be found here: http://www.vmware.com/security/advisories/VMSA-2012-0009.html.
Users of VMware Workstation should be prompted to update to the latest version when launching the application:
If you are not automatically prompted to update VMware Workstation, manually check for updates from the Help menu:
You can also download the full install package of VMware Workstation from http://www.vmware.com/products/workstation.
While not specifically mentioned in the release notes, I wonder if this update was prompted by the VMware source code leak described in the VMware Security Blog: http://blogs.vmware.com/security/2012/05/vmware-security-note.html. If so, kudos to VMware’s security and engineering teams for quickly identifying, fixing, and releasing updates to correct flaws that may be exposed through this code leak.
{ 2 comments… read them below or add one }
I tried updating today, but the update freezes on the pending update stage. i tried it twice and got the same result.
Alan – shut down any running VM’s and check to see if there is a notification window from the updater hidden behind another window.