A security researcher has found a nasty bug in VMware's virtualization software. The vulnerability, rated as “critical,” can be exploited through the virtual machine display function in VMware Fusion to read and write memory on the "host" operating system – the OS running on the physical hardware.
VMware Fusion allows Intel Macs to run x86 operating systems, like Windows, Linux, NetWare and Solaris, in a virtual machine, at the same time as Mac OS X. VMware Fusion runs Windows inside a secure and isolated virtual machine. VMware ships with a 12-month complimentary subscription to the McAfee VirusScan Plus 2009 antivirus. The software is comparable with Parallels Desktop, another virtualization solution from the folks at Parallels. VMware advertises Fusion as highly secure and reliable.
Kostya Kortchinsky, exploit researcher at Immunity Inc., said the bug could be used to run malicious code on a Mac by exploiting Windows in a virtual machine. Kortchinsky made an exploit for Immunity's customers and posted a demonstration video showing an attack on a machine running Windows Vista Service Pack 1 as the host operating system, and Windows XP as the "guest" – the OS running in a virtual machine. According to the researcher, the same tactics can be employed against Fusion on a Mac.
"This is indeed a guest-to-host exploit," Kortchinsky said in an e-mail, according to a Computerworld report. "It uses several vulnerabilities in the 'Display functions' (as VMware put it) that allow [someone] to read and write arbitrary memory in the host. Thus, the guest can run some code on the host, effectively bypassing ASLR and DEP on Vista SP1."
"The vulnerability is also present in VMware Fusion and, as such, would allow a guest (Windows or Linux) to run code on the Mac OS X host," he added. "We didn't implement this exploit though, but will probably in a near future."
Following Immunity Inc.'s security advisory, VMware has promptly issued a patch. The fix is now available in the latest update to VMware Fusion (version 2.0.4 build 159196). The update can be downloaded for free using the link below.