said by Mele20 :

I have a brand spankin new version of VMWare Workstation 5.5.6 (92MB download) that fixed six security issues including the Core one. It was available on March 17 for VMWare Workstation5.5 and 6.0 and other VMWare products. I didn't get the update notice then because I had a virtual machine running. I shut it down day before yesterday and just now went to start it again and was notified of the available new version.

So, VMware did stick by what they had promised which was new versions by end of the first quarter of 2008. And we got fixes for 5 OTHER security issues in addition to the Core one (for Workstation 5.5). :)

»www.vmware.com/security/advisori···005.html

said by diver196 :

According to the Vmware kb article, the latest version of Workstation 5 (5.5.5) is not affected.

said by Its a Secret :

Dictionary: melee (mā) also mêlée (mĕ-lā')n.

•Confused, hand-to-hand fighting in a pitched battle.
•A violent free-for-all. See synonyms at brawl.
• A confused tumultuous mingling, as of a crowd: the rush-hour melee.

said by Mele20 :

This is all about deliberately trying to damage VMWare and get publicity. The same thing happens to Microsoft.

said by seclists - with my notes and bolding :

*Report Timeline*

. *2007-10-16*: Initial contact email sent to the VMware Security Team notifying discovery of a Priority 1 vulnerability in accordance to the vendor's security policy [9]. A draft security advisory describing the problem is available. Public disclosure of the vulnerability is scheduled on November 5th, 2007. (MY NOTE - Core cooperated by moving back this date on the expectation that the vendor would keep their word.)

. *2007-10-17*: Vendor acknowledges notification, provides public key and requests a draft of the security advisory .

. *2007-10-17*: Core sends the draft advisory.

. *2007-10-19*: Vendor indicates it will be able to address the issue in a release planned for December.

. *2007-10-29*: Core requests an status update since there has been nocommunication since October, 17th, 2007. Vendor indicates it will be able to address the issue in a release planned for December, this information
was already provided to Core on October 19th 2007 on a personal email exchange. The December release is likely to be move to the first week of January 2008. (MY NOTE - December release missed).

. *2007-10-29*: Core confirms that the December target was communicated on October 19th, 2007.

. *2007-11-26*: Core requests an status update, asking if the vendor is still on track to release fixes in December 2007 and on which specific date.

. *2007-11-26*: Vendor communicates that normally the release would be on December 27th, 2007 but since that date is in the middle of most people's holiday the release will be postponed to January. A specific date has not been set. (MY NOTE - Now it's beacuse of the holidays - hackers don't take holidays.)

. *2008-01-07*: Core requests and status update since there has been no communication since November 26th, 2007. Core asks if the vendor is ontrack to release fixes on the second week of January 2008. VMware had
released of a new version of its VI product line in December but had not indicate if this release included fixed versions of the vulnerable VMwareproducts. Publication of CORE-2007-0930 has been re-scheduled for January
14th, 2007.(MY NOTE - CORE again moves back the date despite the fact that a new Version was released in December with no indication that the problem was addressed - and no communication was received from the vendor)

. *2008-01-08*: Vendor communicates that none of the updates released in December 2007 addressed the vulnerability reported by Core and provided an official list of supported product that are vulnerable and their respective versions. Vendor cannot commit to a specific date for the release of fixes but can commit to release a fix within the first quarter of the year(Q1/2008) (MY NOTE - more delays, promises). The upcoming release of minor version updates of vulnerable product is scheduled for February 14th.

. *2008-01-08*: Email reply from Core indicating that publication of CORE-2007-0930 has been re-scheduled to February 14th., 2008. Nonetheless, the lack of vendor commitment to a specific date for the release of fixes
does not make the ballpark commitment of Q1/2008 any more credible than the previous estimations.

. *2008-02-06*: Core requests a status update since there has been no communication since January 8th, 2008. Core requests confirmation that VMware Server is not affected and asks if the vendor is on track to release fixes on February 14th. 2008 or on any other specific date within the first quarter of the year. In case that February 14th. 2008 was deemed not longer viable, Core will need notification by COB Monday January 11th, 2008.

. *2008-02-08*: Vendor response indicating that the release of new minor version updates to a subset of vulnerable supported products have been delayed and is now scheduled for February 24th., 2008. Minor version updates to another subset of the vulnerable products is planned for March 15th, 2008. VMware Server is confirmed not-vulnerable since it does not provide Shared Folders functionality (HGFS).

. *2008-02-08*: Core indicates that in view of the status update received from the vendor, publication of CORE-2007-0930 has been re-scheduled for Feb. 25th. 2008, this new date is still subject to change if and only if;
i) Vendor confirms by Feb 13th. that the upcoming product releases planned for Feb. 25th. will indeed fix the bug.
ii) Vendor commits by Feb. 13th. to a fix release date for the remaining set of affected products.
iii) Vendor communicates any change to the Feb. 25th. release date by COB Feb 20th. and the new release date does not exceed 6 working days from the currently scheduled date.(My note - another disclosure rollback to accommodate the vendor)

. *2008-02-22*: Final draft of CORE-2007-0930 sent to VMware's Product Security Group. Any additional information to be included in the advisory should be received by COB Friday February 22nd.

. *2008-02-25*: CORE-2007-0930 published.

said by Mele20 :

Core Security wants to stick to VMWare and so they behaved very irresponsibly and have now made people like me vulnerable...

said by La Luna :

So what about other users (besides you) who may have enabled file sharing? They shouldn't know about this vulnerability so they can UNenable as a work around if they choose to, just like you did because you happened to read this thread?

said by Mele20 :

....I repeat that File sharing is NOT enabled by default on VMWAre Workstation 6 or Player2. So you are wrong. There is NO vulnerability in Workstation 6 or Player 2 unless the user deliberately makes him/herself vulnerable by enabling file sharing and setting up at least one folder to be shared....

This is all about deliberately trying to damage VMWare and get publicity. The same thing happens to Microsoft.

said by Grail Knight :

quote:

---

I mention this because I really don't appreciate some security group looking for publicity making this public before VMWare had a patch.

---

Maybe you should read the Additional Information at the bottom of this page before you criticize Core Security.

»www.coresecurity.com/?action=item&id=2129:

The dates are what you want to pay attention to.

said by Grail Knight :

said by Mele20 :

---

I mention this because I really don't appreciate some security group looking for publicity making this public before VMWare had a patch.

---

Maybe you should read the Additional Information at the bottom of this page before you criticize Core Security.

»www.coresecurity.com/?action=item&id=2129:

The dates are what you want to pay attention to.

That article is wrong because VMWareStation 6 does NOT HAVE SHARED FILES ENABLED BY DEFAULT. That article should have quoted the vendor correctly.

said by IW article :

The Palo Alto, Calif.-based company also made it clear that the vulnerability isn't present in its server line of virtual machine software; VMware Server and ESX Server do not use shared folders. Newer versions of VMware's Windows client virtualization tools also disable shared folders by default, the company added. Users must manually turn on the feature to be vulnerable.

said by EGeezer :

Well, I guess that takes care of the "I'm running in a virtual machine, so my system is unhackable" issue. It's no longer the silver bullet it was touted to be by some folks.