As I’m sure you noticed, we’ve delivered a flurry of patch releases for Fusion and Workstation in the last few weeks. Want to know why? Because security matters.
The Pwn2Own competition at the CanSecWest conference put a huge bounty on ‘vmescape’. They’re not the first to do this, and they won’t be the last. And I want to be clear up front: we’re delighted that they helped us make our products more robust and more secure.
For those not following this closely, ‘vmescape’ is the challenge of executing code on a host machine that originated inside a virtual machine. In other words, you have to run something on a virtual computer that tricks the hypervisor (Fusion, Workstation, ESXi, etc.) into passing that code through to the host computer, effectively breaking out of the guest with the intent of controlling or damaging the host.
While the successful exploits themselves are interesting to note, the likelihood of this causing actual damage to you in the real world is pretty small, partly because of the nature and complexity of the technology involved, and partly because of the bevy of unknowables in a real production system. Mike Foley, one of our foremost security gurus, notes:
“VM Escape is not the threat your security guy thinks it is. It’s really, really hard to do.”
Hard to do, but still imperative that we fix. And so we have. With an abundance of gratitude to our incredibly talented security team, working directly with our multi-discipline engineering teams, we think we’ve been on top of things.
Platform security is critically important
Virtualization technology today is used more widely, and in more critical systems than ever. With VMware having such a prominent footprint both on the desktop and in the data center, we take our role and responsibility in this very seriously.
While many of our Fusion & Workstation customers are considered ‘consumers’ (i.e. they have a single copy installed on their own personal machine), the majority of our customers are businesses, both small and large. Security for the end user is important, but when we’re talking about corporate systems and virtual desktops that connect to those systems, the need for an air-tight virtualization stack becomes an imperative.
To that end, we’ve delivered 3 critical patches for both Fusion and Workstation (both Pro and Player), each addressing different security issues documented in our Security Advisory announcements (which can be found here), all within the past 3 weeks.
We understand that this makes it tricky for you. Updating software is never fun – even if it’s fully automated – and we appreciate the anxiety we may have caused you, but I hope you agree it was worth it.
Collaboration is Key
We’re very proud of our engineering teams. Cross-collaboration between them is critical when addressing complex issues, made more difficult by the need for rapid delivery. And of course, while patching is critical, maintaining a high level of product quality is something we refuse to compromise on.
We work directly with security researchers who demonstrate some pretty slick exploits at several security shows, and we’re keen to see that trend continue. In this day-and-age, when breaches and data privacy issues are making mainstream headlines, we couldn’t do this without the collaboration we get from the community. We are immensely grateful to you.
Now, Secure yourself
It’s always important to stay up to date with security patches for all software you own/use/control. If your software hasn’t auto-updated already, get the latest patches [here]. And while we have your security attention, we recently came up with a nice little way to use Fusion and Workstation to help increase both your own security and privacy when dealing with online threats.
For this use case, we have a nice summary infographic and video, with more detailed writeups for safely surfing the Internet with Fusion and Workstation [linked respectively].
Here on the Personal Desktop team (which is the product group containing our Fusion and Workstation products), we love our users. We bend over backwards to make sure the products are secure, and work in a way that our users expect with regular new features and the stability we’ve all come to depend on.
In this vein, the VMware User Group, or VMUG, members are our most passionate and advanced users. These are the kind of users who rely on Fusion or Workstation to test applications and operating systems locally before pushing to their bigger vSphere platform. They know virtualization inside and out, are our earliest adopters, and dedicate time to testing the latest and greatest from any vendor that wishes to have a footprint in their data center.
The VMUG Advantage program includes the ‘VMUG EvalExperience’ subscription which provides exclusive access to 1-year evaluation licenses of VMware’s flagship products and solutions, for use as a learning tool in your home lab. In addition, you get:
20% Discount on VMware Training Classes
20% Discount on VMware Certification Exams
$500 IBM SoftLayer Cloud Credit
35% Discount on VMware Lab Connect
$100 Discount on VMworld Attendance
The full list of products in the EVALExperience program includes:
VMware Workstation Pro 12.5
VMware Fusion Pro 8.5
VMware vCenter Server Standard for vSphere 6
VMware vSphere with Operations Management Enterprise Plus
VMware vCloud Suite Standard
VMware vRealize Operations
VMware vRealize Log Insight
VMware vRealize Operations for Horizon
VMware Horizon Advanced Edition
If you’re an admin who works with VMware’s products, there’s never been a better time or reason to join the VMUG Advantage program!
The Internet was great, but in addition to being a place to share ideas it needed to be a place for consumer commercial activity in order to gain the resources (i.e. corporate sponsorship and investment) needed to grow.
Being the most connected generation in the history of the world, we are also now gathering more information than ever.
Things start to go Wrong
We now live in a world where a simple transparent 1×1 pixel .gif can be used to follow and track your online behaviour across an endless number of sites and all of your devices. Social media hooks are built into every page for shareability, allowing groups like Facebook, Twitter and Google to learn more about what you click than ever before.
On the darker side of that equation, you have lots of potential for misuse and abuse of this new distributed digital landscape. Ad networks can unknowingly distribute malware, pages can ‘click-bait’ you into accidentally opening a barrage of popups or worse, and mobile devices have not had the same maturity as desktop devices so their ability to block unknown threats is minimal at best.
A Potential Solution
So, what does this have to do with VMware or VMware Workstation?
Workstation can be used to isolate all of this behaviour away from the computer that you are using, keeping you safe and protected.
Because of the isolation provided by the VMware hypervisor technology, using a virtual machine in Workstation effectively creates a sandbox for a second (or third, or fourth…) Operating System on the same computer you’re running.
It runs the new OS in an isolated way with respect to memory, CPU, and physical hardware devices. To be cliché about it: “What happens in the VM stays in the VM.”
So when something attacks a browser that’s running in a virtual machine sandbox, it has no way of impacting the main computer, where you might have more sensitive information stored, like credit card or account numbers, or access to otherwise protected networks that are available to the host computer.
And because it’s a virtual machine, you can do other interesting things as well, such as taking a ‘snapshot’ as a rollback point, putting it on a different network than the physical computer itself, or even bringing that same VM to different computers to avoid having to use someone else’s browser.
Kid Friendly Internet-ing
It also makes sense if you have kids. I helped my sister out by having my nephew use a virtual machine. He double-clicks the ‘Kids Internet’ button on the desktop, it fires up a Linux virtual machine, and everything that he and his little brother click on can be easily undone by rolling back to a snapshot taken earlier.
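The revert-then-launch routine behind that ‘Kids Internet’ button can be scripted against Workstation’s command-line tool, vmrun. The script below is an added example, not code from the original post or from VMware; the .vmx path and the snapshot name ‘clean’ are placeholders, and the `DRY_RUN` switch (which prints the vmrun commands instead of executing them) is a convenience added here so the workflow can be inspected on a machine without Workstation. The security point is the ordering: the snapshot is restored before every session, so anything a page dropped into the guest last time is gone before the browser opens.

```shell
#!/bin/sh
# Throwaway-browser VM launcher for VMware Workstation / Fusion, driven by vmrun.
# Assumed (placeholder) values: the VMX path, the snapshot name "clean", and
# "ws" as the vmrun host type (use "fusion" on macOS).
VMX="${VMX:-$HOME/vmware/KidsInternet/KidsInternet.vmx}"
SNAPSHOT="${SNAPSHOT:-clean}"
VMRUN_TYPE="${VMRUN_TYPE:-ws}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the vmrun command lines instead of running them

# run_vmrun CMD [ARGS...]: wrap vmrun so every call goes through one place.
run_vmrun() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'vmrun -T %s %s\n' "$VMRUN_TYPE" "$*"
    else
        vmrun -T "$VMRUN_TYPE" "$@"
    fi
}

# Start a session from the known-clean state. Reverting first is the step that
# discards any malware, cookies or tracking state left behind by the last session.
launch_clean_browser_vm() {
    run_vmrun revertToSnapshot "$VMX" "$SNAPSHOT" || return 1
    run_vmrun start "$VMX" gui
}

# End a session. Nothing is preserved on purpose; the next launch reverts again.
end_browser_session() {
    run_vmrun stop "$VMX" soft
}

# Re-baseline after patching the guest OS and browser: replace the old "clean"
# snapshot so the name stays stable and future launches start from the patched image.
rebaseline_snapshot() {
    run_vmrun deleteSnapshot "$VMX" "$SNAPSHOT" || true
    run_vmrun snapshot "$VMX" "$SNAPSHOT"
}

# Dispatch on the first argument so the file can back a desktop shortcut:
#   sh browser-vm.sh launch | stop | rebaseline
case "${1:-}" in
    launch)     launch_clean_browser_vm ;;
    stop)       end_browser_session ;;
    rebaseline) rebaseline_snapshot ;;
esac
```

Point a desktop shortcut at `sh browser-vm.sh launch` and the child (or you) never has to remember the rollback; run `rebaseline` only after you have updated the guest yourself, since whatever is in the VM at that moment becomes the new starting point for every later session.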
It’s an interesting use case, and makes a lot of sense, especially for the privacy-conscious. There are OSes out there designed specifically for anonymity, such as Tails, Discreete Linux, Whonix, or Qubes OS.
We really think that our users would get a lot of benefit from this sort of a setup, so we put together a short Infographic and Video to share the story.
Yes, I know that’s a cheesy title, but in the office where we control Workstation and Fusion every day starts with a conversation about you. We talk about things that are trending on Twitter & Facebook, what’s happening on our community forums, and what people are asking us in our inboxes.
Some days it’s all good news, others it’s bad. Often it’s a mixture, but every day we’re grateful that you’re engaged with us, so that together we can build a better product.
Back in the summer we ran a competition to see what you’d say about us on YouTube. The results surprised us. I can honestly say that we were not expecting the volume of entries that our little give-away generated.
We are truly thankful that you are our customer.
Please stay engaged. Negative or positive, we want to hear your thoughts on the current product, and where you think it should go next.
In the meanwhile, in no particular order, here are my top 10 favorite videos from the competition.
VMware Workstation is among the targets of the PwnFest hacking competition. At this event, which is organized alongside the Power of Community security conference in Seoul, security researchers are demonstrating their attack capabilities. The event is modeled after the well-known Pwn2Own competition.
Earlier today at the event, the 360 Marvel Team and security researcher Lokihardt (JungHoon Lee) used the same issue to demonstrate that they could execute code on the VMware Workstation host from the guest. We have received details on this issue directly from the researchers and we are now working on a solution. We have confirmed that the issue is limited to VMware Workstation and VMware Fusion and that ESXi is not affected.
We would like to thank the organizers of the event, the 360 Marvel Team, and Lokihardt for working with us to address the issue.
November 13 update
Today, we’ve published VMware Security Advisory VMSA-2016-0019 which documents the release of VMware Workstation 12.5.2 and VMware Fusion 8.5.2. These new Workstation and Fusion versions address the issue that was demonstrated at the PwnFest event. The issue has been assigned CVE identifier CVE-2016-7461.
– VMware Security Response Center and VMware Workstation Team
Did you know that VMware Workstation Pro makes it easy to manage a fleet of “Bring Your Own Device” users?
By managing local desktop virtualization endpoints and users with VMware Horizon FLEX, businesses have more control than ever before. Use Workstation Pro to create your ‘Gold Master’ templates and then share those with end users to run using Workstation Player. The templates can be restricted and even encrypted, and managed from the central Horizon FLEX console.
Even when used unmanaged, Workstation Pro and Workstation Player allow BYOD PCs to live in the enterprise like never before. Users can run the corporate desktop, complete with custom Windows-only applications developed in-house, right from their personal Windows or Linux PC.
The Workstation team is proud to announce general availability of VMware Workstation 12.5 Pro and VMware Workstation 12.5 Player! These updates are free for all VMware Workstation 12 Pro and Workstation 12 Player users.
The guest OS uses the full amount of memory allocated to the virtual machine even if you try to limit the amount of memory used by the guest OS through the BCDEdit ‘truncatememory’ option. This issue is resolved.