“On June 22nd, 1999, VMware, Inc. was notified of a security
problem with VMware for Linux 1.0.1. This security hole is also
present in all previous versions of VMware for Linux. The security
hole has been fixed in VMware for Linux 1.0.2 released today. The
security hole allows a buffer overrun attack against VMware for
Linux to result in unprivileged root access to a machine. An
updated version of VMware for Linux which fixes this problem is
available now, see below. As far as we know, this breach has never
been used for malicious purposes, or caused any harm to customer
installations. VMware, Inc. apologizes for the inconvenience to our
users.”
“The security hole allows an attack to occur during VMware
startup, but before a virtual machine is powered on. Guest
operating systems themselves are unlikely to be affected by these
buffer overflow attacks. Systems most vulnerable to this attack are
multi-user Linux systems that have VMware installed. A malicious
user with access to an account on the system could exploit the
hole. Standalone single-user machines are not at high risk from
this security hole. This hole does not allow direct network-based
‘worm’ style attacks against VMware.”
“The security hole can be closed by simply upgrading to VMware
for Linux version 1.0.2.”