As of Sunday, there was no patch available for the flaw, which affects VMware's Windows client virtualization programs, including Workstation, Player and ACE. The company's virtual machine software for Windows servers, and for Mac- and Linux-based hosts, is not at risk.
The bug was reported by Core Security Technologies, makers of the penetration testing framework CORE IMPACT, said VMware in a security alert issued last Friday. "Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it," claimed Core Security.
According to VMware, the bug is in the shared folder feature of its Windows client-based virtualization software. Shared folders let users access certain files -- typically documents and other application-generated files -- from the host OS and any virtual machine on that physical system.