VMware just released a minor update for a number of products:
- Server 1.0.7 (build 108231) – Free Download
- Workstation 6.0.5 (build 109488) – Trial
- Player 2.0.5 (build 109488) – Free download
- ACE 2.0.5 (build 109488) – Trial
The reason behind this update is fixing four security vulnerabilities.
Three of them allow attackers to run arbitrary code with elevated privileges.
Update the products as soon as possible.
Update: It seems that also the new Server 1.0.7 build is still vulnerable to CVE-2008-3697.
This flaw in the VMware ISAPI extension for Microsoft IIS allows remote denial of service, so avoid to expose the Server web console outside the corporate LAN until a new fix is available.