As I’m sure you noticed, we’ve delivered a flurry of patch-releases for Fusion and Workstation in the last few weeks. Want to know why? Because security matters.
The Pwn2Own competition at the CanSecWest conference put a huge bounty on ‘vmescape’. They’re not the first to do this, and they won’t be the last. And I want to be clear up front: we’re delighted that they helped us make our products more robust, and more secure.
For those not following this closely, ‘vmescape’ is the challenge of executing code on a host machine that originated in a virtual machine. In other words, you have to run something inside a virtual computer that tricks the hypervisor (Fusion, Workstation, ESXi, etc.) into passing that code through to the host computer, effectively breaking out of the guest with the intent of controlling or damaging the host.
While the successful exploits themselves are interesting to note, the likelihood of this causing actual damage to you in the real world is pretty small, partly because of the nature and complexity of the technology involved, and partly because of the bevy of unknowables in a real production system. Mike Foley, one of our foremost security gurus, notes:
“VM Escape is not the threat your security guy thinks it is. It’s really, really hard to do.”
Hard to do, but still imperative that we fix. And so we have. With an abundance of gratitude to our incredibly talented security team, working directly with our multi-discipline engineering teams, we think we’ve been on top of things.
Platform security is critically important
Virtualization technology today is used more widely, and in more critical systems than ever. With VMware having such a prominent footprint both on the desktop and in the data center, we take our role and responsibility in this very seriously.
While many of our Fusion & Workstation customers are considered ‘consumers’ (i.e. they have a single copy installed on their own personal machine), the majority of our customers are businesses, both small and large. Security for the end-user is important, but when we’re talking about corporate systems and the virtual desktops that connect to those systems, the need for an air-tight virtualization stack becomes an imperative.
To that end, we’ve delivered 3 critical patches for both Fusion and Workstation (both Pro and Player), each addressing different security issues documented in our Security Advisory announcements (which can be found here), all within the past 3 weeks.
We understand that this makes it tricky for you. Updating software is never fun – even if it’s fully automated – and we appreciate the anxiety we may have caused you, but I hope you agree it was worth it.
Collaboration is Key
We’re very proud of our engineering teams. Cross-collaboration between them is critical when addressing complex issues, made more difficult by the need for rapid delivery. And of course, while patching is critical, maintaining a high level of product quality is something we refuse to compromise on.
We work directly with security researchers who demonstrate some pretty slick exploits at several security shows, and we’re keen to see that trend continue. In this day-and-age, when breaches and data privacy issues are making mainstream headlines, we couldn’t do this without the collaboration we get from the community. We are immensely grateful to you.
Now, Secure yourself
It’s always important to stay up to date with security patches for all software you own/use/control. If your software hasn’t auto-updated already, get the latest patches [here]. And while we have your security attention, we recently came up with a nice little way to use Fusion and Workstation to help increase both your own security and privacy when dealing with online threats.
For this use case, we have a nice summary infographic and video, with more detailed writeups for safely surfing the Internet with Fusion and Workstation [linked respectively].