Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

VMware's Lost Source Code: Not A Panic Situation: Page 2 of 2

An attack vector through an application has a multitude of dependencies to be successful. I am not saying it's impossible, but if there are vulnerabilities that big in your outward-facing servers, you were in trouble regardless. Go fix those problems first.

Are your VMware admins irresponsible miscreants who can't be trusted to run your operations?

If the answer is yes, whoever hired them should be fired, along with the miscreants, now. Right now. Run, don't walk, to HR and can 'em. If you can't trust your employees to act responsibly, then you have bigger problems than some leaked software and any potential vulnerability that may arise from it.

There should be only a handful of ways that an attacker can even get access to your hypervisors, including physical access. Your IT department should be aware that laptops, USB keys and other devices brought into the data center (or anywhere) could carry malware on them.

Are your VMware hosts running versions dating back to the 2003 to 2005 time frame?
If the answer is yes, then go find a crowbar, pry open your wallet, and cough up the dollars for new software. Or go install a free alternative like VMware ESXi, VirtualBox or Xen. Running 8-year-old software is just not a good idea for anyone, anywhere, anytime.

I don't want to downplay the significance of leaked software and the potential advantage that it gives a savvy attacker, but access to the source code doesn't mean it's game over, either. Think of the context within which your VMware hypervisors run. A well-run data center should be resilient to attack regardless of what the attacker knows. You have plenty of security tools and processes that can address nearly every situation and lessen the likelihood of a successful attack.

P.S.: I don't think cloud/hosting providers that rely on VMware's software are at great risk, either. Hopefully, they have robust security programs in place to protect against attackers that are both external as well as paying customers.