However, a bug in many versions of VMware's virtualization programs--including VMware Fusion--breaks down this protective barrier. Kostya Kortchinsky, an exploit researcher, discovered the bug and wrote an exploit to demonstrate the problems it can cause. Basically, the bug allows a guest operating system (that's the OS running inside the virtual machine) to execute code on the host operating system (the OS running the actual virtualization program). Kostya created a video that shows just how this works. In the video, a Windows XP guest operating system launches the Calculator application in Vista, the host operating system.
"But that's Windows to Windows, and I use OS X, so I'm safe," you may be thinking. Unfortunately, that's not true. The same bug exists in VMware Fusion, so the only missing piece is a demonstration of an OS X host being controlled by a guest operating system. Although Kostya didn't create an exploit to demonstrate the OS X vulnerability, he may do so in the near future. (It should be noted that, as of this writing, there are no reports that this bug has been exploited in the wild.)
VMware quickly issued a once this bug was revealed. Even more importantly, the company also patched the affected applications, including VMware Fusion for the Mac. So if you're a Fusion user, you should immediately update to protect yourself from possible attacks that take advantage of this bug. Any release newer than VMware Fusion 2.0.4 (build 159196), which was released on April 10, contains a fix for the bug.
A bug that allows a guest OS to execute code on the host OS is not something to be ignored, and VMware reacted quickly to patch all of its products. If you're a VMware user on any platform, take a minute or two to ensure that you're running an updated version that's not susceptible to this potentially very damaging bug.