the vulnerability is not a sign of any intrinsic flaw in the isolation that VMware’s software imposes between host and guest systems.
“We have a lot of users who use virtual machines and workstations specifically because of the strong isolation that virtualization provides,” Chen says. “Most of them are not affected, because they do not use this Shared Folders feature. And when you do use this feature—which is off by default—we specifically give you a warning saying that you are exposing yourself to security risks; that once you open up this path between the two operating systems, you are exposing both operating systems to vulnerabilities, and all bets are off.”
Well, not all bets, since VMware clearly doesn’t regard turning on the Shared Folders feature as tantamount to inviting hackers into the system; its developers have taken and are taking steps to head off pathname modification exploits like the one that IDefense Labs and Core Security discovered. Chen’s key point is that users should leave the Shared Folders feature off if they want the full isolation between the host and guest systems that VMware promises. “Intrinsically, the virtual machine is fully isolated, unless you as a user have to constantly break that isolation,” Chen says. “Customers who want pure isolation wouldn’t use this feature, and the fact that we disable it by default means you’re not exposed to it.”
(In the most recent major release of VMware Workstation, the 6.0 release, Shared Folders is indeed turned off by default. But Arce points out that in previous versions, Shared Folders was turned on by default. I wasn’t able to determine whether Shared Folders is on or off in current and older versions of ACE and Player.)
Chen points out that while customers are waiting for a patch, there’s an easy workaround to prevent anyone from exploiting the newly discovered pathname screening vulnerability: turn off Shared Folders. “You can still share files via Windows networking or e-mailing files to yourself, or however you would normally share files between two physical PCs,” Chen says. “So we don’t think that the end user value is impaired by this vulnerability. But we still do plan to offer a patch for the vulnerability in the near future.” The patch could go out as part of an automatic update for the three programs as soon as two weeks from now, says Chen.
In promising a patch, VMware is acknowledging that it has a responsibility to minimize the security risk posed by the Shared Folders feature. But even with the patch—to return to Chen’s point—the company won’t be promising perfect security, since file sharing is probably always fundamentally dangerous. And that’s not so different, in the end, from Arce’s larger message: with or without perfect isolation, virtualization is no security panacea.
“There are many good reasons for adopting virtualization technologies at different places in an organization,” Arce says. “But if one of those reasons is to improve the security posture of the organization, then that should be considered carefully. It’s not going to happen just because you virtualize your organization’s IT. You have to learn about the all the risks—what it is exactly that you are deploying and how secure it is.”
*Correction, 2/27/08, 10:24: Core Security contacted us this morning to say that it reported the vulnerability to VMware on October 16, 2007—not last week, as the story previously stated. I regret the error. -WR