shed any light on the process going on inside the company’s security team since October. I also asked them whether it’s normal for the company to let five months or more go by before it issues a patch for a vulnerability of this magnitude.
Nand Mulchandani, the company’s senior director of products, sent the following response: “Security is something we take very seriously at VMware. The trust our customers place in VMware and our products is paramount. When a potential security issue is discovered, the VMware security team immediately begins an investigation. If a security threat is found, our engineers begin working on a patch. Concurrently, we create and educate our customers on best practices to workaround a particular issue until a patch is ready for public use. We issue patches on an as-needed basis and as quickly as possible.”
I also asked VMware whether the company has a new timeline for issuing a patch. “We do not have a set schedule for updates, like a ‘patch Tuesday,'” Mulchandani said. “However, we do try to aggregate patches for our customers in a single update. VMware has been actively working on a patch since being first notified of this particular issue in late last year. The patch will be issued once complete. At this time, we don’t have a specific date to announce.”
Mulchandani emphasizes that the Shared Folders feature is disabled by default in Workstation 6, Player 2, and ACE 2. So the folder-renaming exploit that Core Security discovered is only a danger if a customer has turned on the feature—and then only if they’ve configured specific folders for sharing. “If an end user turns on the shared folders feature, a security warning is presented,” Mulchandani adds.
But that warning is no substitute for a real patch, according to Arce, who says he is surprised at the amount of time it’s taking for VMware to issue a fix. “I don’t know the internals of the VMware engineering process, but from the outside, you’d say that this shouldn’t be that hard to fix, especially because there was a similar bug reported in the same products about a year ago,” he says.
At the same time, Arce acknowledges that very few software problems have an instant solution. “It’s normal than when you report a vulnerability to a vendor, there is an extended conversation that can go on for weeks or even months,” he says. “In this case VMware was not as responsive as they could have been, but they weren’t bad, either. We’ve been through much worse with other vendors.”
Arce says his suggestion for VMware would be to better integrate its security operation with the teams responsible for product updates. “I think there is a lot of room for improvement in terms of the processes and the relevance of their security group within the VMware organization,” he says. “They have a dedicated security group and they have all the right skills. I think they need to get all those ingredients together and make them work in a more efficient manner.”