It's patchin' time for devs using Virtzilla's desktop hypervisors
Get busy for the Critical one, nail the Important one while you are at it
Time to patch your desktop hypervisors, folks: VMware Workstation and Fusion have a pair of problems apiece.
The first landed last week in the form of a merely “important” patch for Workstation that fixed a problem whereby loading a .DLL could escalate privileges. Updating to version 12.5.3 sorted that one out.
But you may not need to worry with that update, because VMware has since issued a “critical” advisory, letting us know that “the drag-and-drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or Fusion.”
There's a mitigation and a fix for this one. The former requires you to merely disable drag-and-drop and cut-and-paste. But seeing as those are very useful ways to get stuff into and out of VMs, The Register's virtualization desk fancies a few of you would rather update to Workstation 12.5.4 and Fusion 8.5.5 and just sort the problem out properly.
VMware's also addressing the Apache Struts 2 bug, offering a workaround for it on vCenter Server. Horizon DaaS, vRealize Operations Manager and vRealize Hyperic server await their fixes/patches. ®