Monday, November 14, 2016

VMware Workstation/Fusion hacked at PwnFest


Last week (November 10th to 11th) we had PwnFest, a hacking competition held in South Korea at the 2016 Power of Community (POC) security conference.
This year VMware was one of the many targets, with VMware Workstation and VMware Fusion in scope.


It turns out that a vulnerability was found and exploited.
The drag and drop (DnD) functionality in those products had an out-of-bounds memory access (buffer overflow) vulnerability that allows code running inside a guest VM to execute code on the host operating system that runs Workstation or Fusion.

Let me be crystal clear here: this vulnerability is present ONLY in VMware Workstation and Fusion. It does not affect ESXi or any other product.

With that said, VMware worked diligently over the past few days and released the fix on November 13th.

Although the vulnerability cannot be exploited remotely (an attacker first needs to run code inside a guest VM on your computer, because the bug is a guest-to-host escape), I encourage all of you to install this fix.
The protected versions are:
 
If for any reason you cannot install it, there is a workaround that prevents the vulnerability from being exploited: disable DnD!

-       On the VM Settings, click on Isolation
-       Uncheck "Enable Drag and Drop" and "Enable Copy and Paste"
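If you manage more than a handful of VMs, clicking through the Isolation tab on each one does not scale, and you also want a way to verify that the workaround is really in place. The script below is an added example (not part of the original post and not a VMware tool) that audits and hardens the relevant keys directly in a VM's .vmx file. It assumes that the Isolation checkboxes map to the VMX keys isolation.tools.dnd.disable, isolation.tools.copy.disable and isolation.tools.paste.disable (the key names used in VMware's hardening guides); the sample .vmx content is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit/harden DnD and copy-paste isolation in a .vmx file.
# Assumption: these isolation.tools.* keys are what the "Enable Drag and
# Drop" / "Enable Copy and Paste" checkboxes toggle. Power the VM off
# before editing its .vmx, or Workstation/Fusion may overwrite the change.
HARDEN_KEYS="isolation.tools.dnd.disable isolation.tools.copy.disable isolation.tools.paste.disable"

# vmx_get FILE KEY -> prints the quoted value of KEY (empty if absent).
vmx_get() {
    pat=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# vmx_dnd_disabled FILE -> exit 0 only if every hardening key is "TRUE".
# A missing key counts as NOT hardened (the product default is enabled).
vmx_dnd_disabled() {
    for key in $HARDEN_KEYS; do
        val=$(vmx_get "$1" "$key" | tr '[:lower:]' '[:upper:]')
        [ "$val" = "TRUE" ] || return 1
    done
    return 0
}

# vmx_disable_dnd FILE -> set each hardening key to "TRUE", rewriting an
# existing line in place or appending the key if it is absent.
# sed -i.bak works on both GNU and BSD (macOS/Fusion) sed.
vmx_disable_dnd() {
    for key in $HARDEN_KEYS; do
        pat=$(printf '%s\n' "$key" | sed 's/\./\\./g')
        if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$1"; then
            sed -i.bak "s/^[[:space:]]*$pat[[:space:]]*=.*/$key = \"TRUE\"/" "$1"
        else
            printf '%s = "TRUE"\n' "$key" >> "$1"
        fi
    done
}

# make_sample_vmx FILE -> constructed sample: DnD and copy explicitly
# enabled, paste key absent (i.e. default, enabled).
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "demo-guest"
isolation.tools.dnd.disable = "FALSE"
isolation.tools.copy.disable = "FALSE"
EOF
}

# Demo run on the constructed sample.
vmx="${TMPDIR:-/tmp}/dnd-demo.$$.vmx"
make_sample_vmx "$vmx"
if vmx_dnd_disabled "$vmx"; then
    echo "already hardened: $vmx"
else
    echo "DnD/copy/paste still enabled, applying workaround: $vmx"
    vmx_disable_dnd "$vmx"
fi
vmx_dnd_disabled "$vmx" && echo "verified hardened: $vmx"
rm -f "$vmx" "$vmx.bak"
```

To use it on a real VM, point vmx_dnd_disabled at the .vmx (on Fusion it lives inside the .vmwarevm bundle) while the VM is powered off, and run vmx_disable_dnd only on the machines that fail the check. Treat this as a stopgap: the check tells you the workaround is in place, not that the patched build is installed.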
 


See you next!!!

2 comments:

tanveer hashmi said...

Thanks for the always useful information. This is great information to help garage type SEO people like me.
aVMware Workstation Player 12.5.2 Crack

Eduardo Meirelles da Rocha said...

you are welcome Tanveer.


Who am I

I'm an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers embrace the Cloud Era and make them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
