Core Security Technologies announced yesterday that VMware’s popular desktop virtualization software has a serious security flaw and released an exploit to test systems for vulnerability. Security experts working for CoreLabs, the research arm of Core Security, discovered that an attacker could gain complete access to a host system by exploiting the VMware flaw, allowing the attacker to create or modify executable files on the host operating system.
“What’s most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them,” said Iván Arce, CTO at Core Security Technologies, in a statement Monday.
“This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that ‘real’ environments aren’t safe simply because they sit behind virtual environments,” Arce added.
Subsequently, VMware, Inc. has released its own statement which confirms the vulnerability. The company's announcement points out that Windows hosted versions of VMware Workstation 6.0.2 and earlier, VMware Workstation 5.5.4 and earlier, VMware Player 2.0.2 and earlier, VMware Player 1.0.4 and earlier, VMware ACE 2.0.2 and earlier and VMware ACE 1.0.2 and earlier are affected by the flaw.
Furthermore, the flaw is only exploitable if you have configured a VMware host-to-guest shared folder. VMware's shared folders are designed to let users transfer data between a virtualized system (Guest) and the non-virtualized Host system running it. The bug gives users of a Guest system read and write access to any portion of the Host's file system, including the system folder and other security-sensitive files, VMware said.
The company, founded in 1998, makes desktop software which runs atop Microsoft Windows, Linux, and Mac OS X. VMware also offers enterprise-level software, VMware ESX Server (not affected by this flaw), which runs directly on server hardware without requiring an additional underlying operating system.
VMware is working around the clock on a patch, but in the meantime it advises users of shared folders to disable them immediately. Here are their instructions:
To disable shared folders in the Global settings:
1. From the VMware product's menu, choose Edit > Preferences.
2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
To disable shared folders for the individual virtual machine settings:
1. From the VMware product's menu, choose VM > Settings.
2. In the Options tab, select Shared Folders and Disable.
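The GUI steps above cover one machine at a time. For an administrator who needs to find which of many virtual machines still expose a host directory, the following script audits the `.vmx` configuration files directly. It is an added example, not code from the article, Core Security or VMware, and it assumes the `.vmx` keys commonly used by VMware desktop products for shared folders (`sharedFolder.maxNum`, `sharedFolderN.present`, `sharedFolderN.enabled`, `sharedFolderN.hostPath`, `sharedFolderN.guestName`, `sharedFolderN.writeAccess`) and the per-VM `isolation.tools.hgfs.disable` switch; verify these key names against the VMware version you run. The two sample configurations are constructed for the example.

```python
"""
Audit VMware .vmx files for enabled host-to-guest shared folders.

Added example, not code from the article, Core Security or VMware. It assumes the
.vmx keys commonly used by VMware desktop products for shared folders
(sharedFolder.maxNum, sharedFolderN.present/enabled/hostPath/guestName/writeAccess)
and the isolation.tools.hgfs.disable switch; verify against the version you run.
"""
import re
import sys
from pathlib import Path

# key = "value"  (value may be unquoted); VMX keys are case-insensitive, so we lowercase them
_KV = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Parse the key/value lines of a .vmx file into a dict with lowercase keys."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def _flag(cfg, key, default="FALSE"):
    """Interpret a VMX boolean; 'default' applies when the key is absent (assumption)."""
    return cfg.get(key.lower(), default).strip().upper() == "TRUE"


def shared_folder_findings(cfg):
    """
    Return one finding per shared folder that is active for this VM.
    An empty list means the VM does not expose any host directory to its guest.
    """
    # If the HGFS file-sharing transport is disabled for the VM, no shared folder
    # can be reached from the guest regardless of any sharedFolderN entries.
    if _flag(cfg, "isolation.tools.hgfs.disable"):
        return []
    try:
        max_num = int(cfg.get("sharedfolder.maxnum", "0"))
    except ValueError:
        max_num = 0
    findings = []
    for i in range(max_num):
        p = f"sharedfolder{i}."
        if not _flag(cfg, p + "present"):
            continue
        # Treat a missing 'enabled' key as enabled (conservative assumption for an audit).
        if not _flag(cfg, p + "enabled", "TRUE"):
            continue
        findings.append({
            "index": i,
            "host_path": cfg.get(p + "hostpath", "?"),
            "guest_name": cfg.get(p + "guestname", "?"),
            "write": _flag(cfg, p + "writeaccess", "TRUE"),
        })
    return findings


def audit_tree(root):
    """Scan every .vmx file under 'root'; return {path: findings} for VMs with active shares."""
    results = {}
    for vmx in Path(root).rglob("*.vmx"):
        findings = shared_folder_findings(parse_vmx(vmx.read_text(errors="replace")))
        if findings:
            results[str(vmx)] = findings
    return results


# Constructed sample: a VM with one active share and one disabled share.
SAMPLE_EXPOSED = r'''
.encoding = "UTF-8"
config.version = "8"
displayName = "win-xp-test"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\alice\Shared"
sharedFolder0.guestName = "Shared"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "C:\Users\alice\Documents"
sharedFolder1.guestName = "Docs"
'''

# Constructed sample: the same shares, but HGFS disabled for the whole VM (mitigated).
SAMPLE_MITIGATED = SAMPLE_EXPOSED + 'isolation.tools.hgfs.disable = "TRUE"\n'


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python vmx_share_audit.py /path/to/virtual/machines
        for path, findings in audit_tree(sys.argv[1]).items():
            for f in findings:
                mode = "read/write" if f["write"] else "read-only"
                print(f'{path}: share {f["index"]} "{f["guest_name"]}" -> {f["host_path"]} ({mode})')
    else:
        print("exposed  :", shared_folder_findings(parse_vmx(SAMPLE_EXPOSED)))
        print("mitigated:", shared_folder_findings(parse_vmx(SAMPLE_MITIGATED)))
```

Run it with the directory that holds your virtual machines as the only argument; with no argument it audits the two constructed samples. A VM is reported only when a share is both present and enabled and HGFS has not been switched off for that VM, which mirrors the per-machine setting described in the VMware instructions; the global "Enable all shared folders by default" preference lives in the product's own preferences file rather than in the `.vmx`, so disabling it there is still worth doing separately.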
© 2007 - 2008 - eFluxMedia