You may have noticed that in the past couple of weeks we’ve delivered a flurry of patch releases for our Personal Desktop products.
With competitions such as Pwn2Own at the CanSecWest conference putting huge bounties on ‘VM escape’ (which is to run code on the host of a machine with a hypervisor on it, like Fusion, Workstation, ESXi, etc., by executing code from within a virtual machine… to ‘break out’ of the VM, if you will), there’s been a lot of visibility regarding hypervisor security. We’re very happy that security teams around the world are doing their diligence to ‘jump through Ring-0’ and doing the ‘white hat’ thing by disclosing that in a responsible manner.
While the exploits themselves are interesting to note, the likelihood of this causing actual damage in the real world is pretty small due to the nature and complexity of the technology involved, and certainly with respect to the effort and number of hoops to jump through to make this possible in a Proof Of Concept environment, let alone a ‘real world’ system with a bevy of unknowables. Mike Foley, one of our foremost security gurus, notes:
“VM Escape is not the threat your security guy thinks it is. It’s really, really hard to do.”
Hard to do, but it’s still up to us to fix it. With an abundance of gratitude to our incredibly talented security team working directly with our product engineering teams across several disciplines, we think we’ve been pretty on top of things.
Platform security is critically important
Virtualization technology today is used more widely and for systems more critical than ever, and with VMware having such a prominent footprint both on the desktop and in the data center, our role and responsibility in this space is not underestimated or overlooked.
While many of our customers are considered ‘consumers’, i.e. they have a single copy of Fusion or Workstation installed on their own personal machine and use it as a learning or productivity tool, the majority of our customers are businesses, both small and large. Security for the end user is important, but when we’re talking about corporate systems and virtual desktops that connect to those systems, the need for an air-tight virtualization stack becomes an imperative.
To that end, we’ve delivered a succession of 3 critical patches for both Fusion and Workstation (both Pro and Player), each addressing different security issues documented in our Security Advisory announcements (which can be found here), all within the past 3 weeks.
Collaboration is Key
We’re very proud of our engineering teams, and the cross collaboration between them is critical when addressing issues like these with the utmost concern and rapid delivery. And of course while shipping a patch is critical, maintaining the high level of product quality that all of our customers have come to rely on is something we refuse to compromise on.
We work directly with security researchers who demonstrate some pretty slick exploits at several security shows, and we’re keen to see that trend continue. In this day and age, when breaches and data privacy issues are making mainstream headlines, we couldn’t do this without the collaboration we get when working with the community, and for that we are immensely grateful.
Now, Secure yourself
It’s always important to stay up to date with security patches for all software you own/use/control, but as an end user or as a business productivity user, running a virtualized operating system with Fusion or Workstation can increase both your own security and privacy when dealing with online threats.
For this use case, we have a nice summary infographic and video, with more detailed writeups for safely surfing the Internet with Fusion and Workstation [linked respectively].
The post Hypervisor Security Matters appeared first on VMware Workstation Zealot.