At the end of April Iain Mulholland, director of the VMware Security Response Center, announced that some of VMware's confidential source code for the ESX hypervisor had been leaked and that a single file had been posted online. That same day, Kaspersky Lab's ThreatPost blog pointed to a hacker calling himself "Hardcore Charlie" as the person who leaked the VMware ESX hypervisor files.
At first the full extent of the situation was unclear. Could this leak affect virtual datacenters and cloud environments around the world, or would it end up being just a minor blip on the radar screen? The specifics of the leaked code are still in question, but the availability of ESX source code out in the wild could potentially give hackers a better chance to find undiscovered vulnerabilities in the company's hypervisor technology. The seriousness of this exposure depends on the level of code audit performed.
VMware's initial stance on the source code leak was pretty discouraging. In his initial blog post, Mulholland seemed to downplay the event. He stated that the leaked code dated back to the 2003-2004 timeframe, and since VMware had made many revisions to the code in the years that followed, it seemed like a good possibility the leaked code could have been deprecated along the way, reducing any negative security effects it might have. Mulholland also tried to calm fears by saying, "The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers."
Now, almost two weeks after the initial announcement, we may not be the wiser as to the exact source code leaked, but we are witness to VMware living up to its promise of making sure its customers remain secure.
On Thursday VMware issued a new security update that further referenced the recent source code leak event. Along with that update came a host of new critical security patches for a number of affected VMware products. Those products include VMware ESX and ESXi hypervisor versions 3.5, 4.0, 4.1 and 5.0, as well as two of VMware's client products -- Workstation and Player.
Read the entire InfoWorld Virtualization Report article.