One of the benefits of using a virtualization program such as VMware Fusion or Parallels Desktop to run Windows on your Mac is that anything bad that happened to Windows would only happen to Windows. So even if your Windows virtual machine wound up infected by a destructive piece of malware, you didn’t need to worry about that malware damaging your OS X files. (There’s a possible exception: shared folders that were writable inside the Windows virtual machine. But that’s another story.)
However, a recently-discovered bug in many versions of VMware’s virtualization programs—including VMware Fusion—breaks down this protective barrier. Kostya Kortchinsky, an exploit researcher at Immunity, discovered the bug, and wrote an exploit to demonstrate the problems it can cause. Basically, the bug allows a guest operating system (that’s the OS running inside the virtual machine) to execute code on the host operating system (the OS running the actual virtualization program). Kostya created a short video that shows just how this works. In the video, a Windows XP guest operating system launches the Calculator application in Vista, the host operating system.
“But that’s Windows to Windows, and I use OS X, so I’m safe,” you may be thinking. Unfortunately, that’s not true. The same bug exists in VMware Fusion, so the only missing piece is a demonstration of an OS X host being controlled by a guest operating system. Although Kostya didn’t create an exploit to demonstrate the OS X vulnerability, he may do so in the near future. (It should be noted that, as of this writing, there are no reports that this bug has been exploited in the wild.)
VMware quickly issued a security advisory once this bug was revealed. Even more importantly, the company also patched the affected applications, including VMware Fusion for the Mac. So if you’re a Fusion user, you should immediately download the latest version to protect yourself from possible attacks that take advantage of this bug. VMware Fusion version 2.0.4 (build 159196), which was released on April 10, contains a fix for the bug, as will any future releases.
A bug that allows a guest OS to execute on the host OS is not something to be ignored, and VMware reacted quickly to patch all of its products. If you’re a VMware user on any platform, take a minute or two to ensure that you’re running an updated version that’s not susceptible to this potentially very damaging bug.
Updated at 5:06pm on April 15th to clarify the VMware Fusion version and build number.