VMware has patched a codec flaw that could allow a remote attacker to run commands on the host system.
Discovered by iDefense, Sebastien Renaud of VUPEN Vulnerability Research Team and Alin Rad Pop of Secunia Research, the vulnerability in the video decoder allows the execution of harmful code if users visit a malicious website or run an infected video file.
The majority of the vulnerabilities on unpatched machines can be exploited by local users only, in some cases users signed on with nothing more than a guest account, to gain access to secure information and escalated system privileges. They can also be used to gain remote access to sensitive information or cause a denial of service (DoS).
For more on this story, see VMware patches codec flaw on ZDNet Australia.