Host privilege escalation vuln bites VMware in the desktop
Upgrade Workstation, Player and Horizon View client at your leisure, or risk internal attacks
VMware's security SNAFU email list has delivered news of a new issue in VMware Workstation, Player and Horizon View Client.
The missive says “VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.”
Allowing someone inside the firewall to do that doesn't sound like a good idea at all, so VMware has done the proper thing and coded fixes in the form of point upgrades to the affected products, namely Workstation 10.x and 11.x, Player 7.x and 6.x, plus Horizon View Client 5.x.
The advisory's name is VMSA-2015-0005, with the latter quad indicating it is the fifth time this year VMware's had to make something right in a hurry. That's not a terrible record for a company with a decent portfolio of products, although the fact that three of the five impact Workstation may raise eyebrows. The good news for users of VMware's desktop hypervisor for Windows is that it looks to have a substantial refresh on the horizon (pardon the pun), or at least enough of a refresh to justify a change in naming convention. ®
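To make the advisory's "do not set a DACL" condition concrete, the following added example (not from VMware or the original article) audits process security descriptors written as SDDL strings and reports a missing or NULL DACL, or allow entries that give broad groups process-altering rights. It assumes the SDDL was exported with DACL information included; the function names and sample descriptors are constructed for illustration, since the article does not name the affected process.

```python
import re

# Process access rights from winnt.h that let the holder alter what a process runs.
RISKY = (0x0002          # PROCESS_CREATE_THREAD
         | 0x0008        # PROCESS_VM_OPERATION
         | 0x0020        # PROCESS_VM_WRITE
         | 0x0040        # PROCESS_DUP_HANDLE
         | 0x00040000    # WRITE_DAC
         | 0x00080000    # WRITE_OWNER
         | 0x10000000)   # GENERIC_ALL
# SDDL two-letter rights this sketch understands; other codes are ignored (assumption).
RIGHT_CODES = {"GA": 0x10000000, "WD": 0x00040000, "WO": 0x00080000}
# SDDL SID aliases for groups that include ordinary local users.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "Builtin Users", "IU": "Interactive", "AN": "Anonymous"}

def rights_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_CODES.get(rights[i:i + 2], 0)
    return mask

def audit_process_sddl(sddl):
    """Return a list of findings for one process security descriptor."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)   # DACL component, up to the SACL
    if m is None:
        return ["no DACL present: access checks grant everyone full access"]
    dacl = m.group(1)
    if "NO_ACCESS_CONTROL" in dacl:           # SDDL spelling of a NULL DACL
        return ["NULL DACL: access checks grant everyone full access"]
    findings = []                             # an empty DACL denies all: no finding
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":
            continue                          # only plain allow ACEs are examined
        sid, mask = fields[5], rights_mask(fields[2])
        if sid in BROAD and mask & RISKY:
            findings.append(f"{BROAD[sid]} allowed 0x{mask & RISKY:x}")
    return findings

# Constructed sample descriptors, not taken from any VMware product.
SAMPLES = {
    "null_dacl": "O:BAG:SYD:NO_ACCESS_CONTROL",
    "restricted": "O:BAG:SYD:(A;;0x1fffff;;;SY)(A;;0x1400;;;AU)",
    "world_all": "O:BAG:SYD:(A;;0x1fffff;;;WD)",
}
```

An empty `D:` component is deliberately not flagged: a DACL with no entries denies all access, which is the opposite of having no DACL at all.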