Network Security, Patch/Configuration Management, Vulnerability Management

VMware patches critical flaws in Workstation, Fusion products

VMware on Sunday patched a critical out-of-bounds memory access vulnerability in the drag-and-drop function of its Workstation and Fusion virtualization software products. According to a VMware security advisory, the flaw – officially designated CVE-2016-7461 – could be exploited to allow users to execute code on the operating system running the programs.

Specifically, the affected products are Workstation Pro, Workstation Player, Fusion and Fusion Pro. Workstation is fixed with version 12.5.2, while Fusion is repaired with version 8.5.2. An alternative workaround is also available for all impacted products except Workstation Player: users can neutralize the flaw if they disable the drag-and-drop and copy-and-paste functions.

Fusion allows users to run virtualized versions of Windows and other operating systems on Macs. Workstation is virtual machine software that runs on x64 version of Windows and Linux.

VMware credited the vulnerability's original disclosure to Qinghao Tang and Xinlei Ying from the 360 Marvel Team and Iokihardt, all working with the organizers of PwnFest.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.