VMware Workstation, VMware Player and VMware Horizon View Client for Windows have received updates that address a host privilege escalation vulnerability – CVE-2015-3650.
According to a Thursday advisory, VMware Workstation should be updated to 11.1.1 or 10.0.7, VMware Player should be updated to 7.1.1 or 6.0.7, and VMware Horizon Client for Windows with Local Mode Option should be updated to 5.4.2. All updates are for products running on Windows.
“VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes,” the advisory said. “This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.”
VMware credits Kyriakos Economou, a vulnerability researcher with security firm Nettitude, with identifying the issue.