VMware released an update to VMware Workstation 8.0.3 Build 703057 yesterday (May 3, 2012). The update is a security update addresses two vulnerabilities that would allow out-of-bounds memory writes on floppy and SCSI devices under certain conditions. The vulnerabilities may allow specially crafted attacks to crash the VMX process (i.e. crash the running VM) or theoretically execute commands on the host. The VMware Workstation 8.0.3 release notes can be found here: https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html.
VMware’s security advisories for these vulnerabilities can be found here: https://www.vmware.com/security/advisories/VMSA-2012-0009.html.
Users of VMware Workstation should be prompted to update to the latest version when launching the application:
If you are not automatically prompted to update VMware Workstation, manually check for updates from the Help menu:
You can also download the full install package of VMware Workstation from https://www.vmware.com/products/workstation.
While not specifically mentioned in the release notes, I wonder if this update was prompted by the VMware source code leak described in the VMware Security Blog: https://blogs.vmware.com/security/2012/05/vmware-security-note.html. If so, kudos to VMware’s security and engineering teams for quickly identifying, fixing, and releasing updates to correct flaws that may be exposed through this code leak.
