Another big source code leak, this time VMWare ESX, software which I’m sure most of the readers here have used at some point (I know I have).
There was a time back in 2006 when VMWare Rootkits seemed like they might be the next big thing, but nothing much ever came out of it.
VMware is playing it down, but I think this is a fairly serious leak – we all know what happens when the bad guys get access to source code – they find lovely new 0day bugs to play with.
VMware has confirmed that the source code for old versions of its ESX technology was leaked by hackers over the weekend – but played down the significance of the spill.
The virtualisation giant said on Sunday that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April.
“It is possible that more related files will be posted in the future,” Iain Mulholland, VMware’s director of platform security, explained. “We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”
Mulholland said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, ought to be protected against attacks developed in the wake of the code leak.
“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” he said.
A 2MB compressed archive of the software blueprints was uploaded into file-sharing networks and promoted by various tweeters on Sunday. Some of these tweets, posted with the hashtags #Anonymous #AntiSec and #SourcySleazySundays, claimed that the leaked code was the “full VMware ESX Server Kernel”.
Some of the people posting the code were hash-tagging with Anonymous – but there’s been no ‘official’ announcement from any of the Anonymous channels so I doubt it’s really related.
As usual VMWare are saying if you’re using the latest patched version and have applied the ‘hardening measures’ you will be safe. I’d except something nasty to come out of this within the next month or so.
A person going by the name of Stun, who made the source code available, wrote: “It is the VMKernel from between 1998 and 2004, but as we all know, kernels don’t change that much in programs, they get extended or adapted but some core functionality still stays the same.”
The previous VMWare source code leak was accompanied by the publication of the company’s internal emails via Pastebin by someone called Hardcore Charlie. The Anonymous-affiliated hacker claimed the information came from China National Electronics Import and Export (CEIEC), an engineering and electronics company outfit.
VMware said at the time that customers were not necessarily at greater risk as as result of the leak.
Hacktivists, to say nothing of state-sponsored cyber-espionage, have increased the threat of intellectual property theft for high-tech firms. The VMWare case is not unprecedented.
Earlier this year Symantec admitted source code for the 2006-era versions of the following products had been exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere. The security biz took the highly unusual step of advising customers of pcAnywhere to suspend use of the older versions of remote control desktop management software pending the release of a patch, which arrived within days of the warning.
An Indian hacktivist crew called the Lords of Dharmaraja claimed they lifted Symantec’s source code from systems belonging to the Indian government.
One upside is it’s only the kernel, and it is 8 years old (the kernel is from 1998-2004) – but then again the kernel does provide key functionality and kernels don’t change that much. There have been some major leaks of source code in the last couple of years including Symantec and Kaspersky.
Intellectual Property theft from large corporations is becoming a big thing and a very tasty target for hacktivists as source code and development systems don’t tend to be as highly secure as those containing say financial records or purchase transactions.
Source: The Register