Seven vulnerabilities can impact both host and guest OS

Jun 10, 2015 14:45 GMT

VMware released updates for its Workstation, Player, Fusion and Horizon View Client products in order to address a set of critical vulnerabilities that could be exploited to gain access to the host operating system.

The security advisory from the company lists a total of seven security issues affecting VMware Workstation and Horizon View Client and one that puts Player and Fusion on the list of impacted products.

Critical vulnerabilities discovered

Successful exploitation of four of them can lead to a denial-of-service condition on the machine hosting the virtual environment. Exploiting the rest can allow execution of arbitrary code on the underlying system.

Six of the problems involve memory manipulation in VMware Workstation and Horizon Client, where the TPView.dll and TPInt.dll components did not handle memory allocation correctly. Because of this, on Workstation installations a guest Windows machine can be used to run arbitrary code on the host system or crash it.

All the memory manipulation vulnerabilities were reported by Kostya Kortchinsky of the Google Security Team.

Activity of both guest and host operating systems can be terminated

The seventh vulnerability, credited to Peter Kamensky from Digital Security, is a second, separate issue caused by improper input validation of an RPC (remote procedure call) command.

“This issue may allow for a Denial of Service of the Guest Operating System (32-bit) or a Denial of Service of the Host Operating System (64-bit),” the advisory from VMware says.

The updates released by the computer virtualization company are for VMware Workstation 11.1.1, 10.0.6, VMware Player 7.1.1, 6.0.6, VMware Fusion 7.0.1, 6.0.6, and VMware Horizon Clients 5.4.2, 3.4.0, and 3.2.1.

Due to the severity of the security flaws, users are strongly advised to install the new versions as soon as possible.