VMware has patched a video codec vulnerability that could allow a remote attacker to run commands on the host system.
Discovered by iDefense, Sebastien Renaud of VUPEN Vulnerability Research Team and Alin Rad Pop of Secunia Research, the vulnerability in the video decoder allows the execution of harmful code if users visit a malicious website or run an infected video file.
Other vulnerabilities VMware patched last Friday affected VMware Tools, vCenter Server and ESX.
The majority of the vulnerabilities on unpatched machines can be exploited only by local users, in some cases users signed on only with guest accounts, to gain access to secure information and escalated system privileges. They can also be used to gain remote access to sensitive information or cause a denial of service (DoS).
Jason Edelstein from Australian security company Sense of Security told ZDNet.com.au that the video codec exploit was the one users should be the most worried about.
"This one has deeper implications," said Edelstein, explaining that a remote attacker could craft an exploit that opens a shell on a port, gain access and run operating commands on a host system.
Private data could also be compromised without the user knowing that their system had been infected, said Edelstein.
"You could download something that seems benign. The movie may still work or the movie may crash. But what's going on behind the scenes is that someone could take control over your machine unknown to yourself and have access to your data," said Edelstein.
"VMware movies are so widespread these days it's quite possible that someone will make a malicious one to take over someone's host system remotely," he added.
The other vulnerabilities and recommendations can be found in VMware's security announcement.
The vulnerabilities affect VMware installs across specific versions of most operating systems including Windows, Mac OS X and Linux.
VMware recommends users view its security advisory, install fixed versions of Workstation, Player, ACE, Server and Fusion, and upgrade Tools in the virtual machine. It also recommends users patch guest systems on ESX 2.5.5, 3.0.3, 3.5, 4.0; ESXi 3.5, 4.0; and manually upgrade Tools in the virtual machine.