Workstation 6.0.5

Workstation 6.0.5 addresses the following security issues:
Setting ActiveX killbit
Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the KB article 240797 from Microsoft and the related references on this topic.
Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.
Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested.
Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls.
To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.
The Common Vulnerabilities and Exposures has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.
Update to FreeType
FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to its latest version 2.3.7.
The Common Vulnerabilities and Exposures has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in FreeType 2.3.6.
Update to Cairo
Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to its latest version 1.4.14. The Common Vulnerabilities and Exposures has assigned the name CVE-2007-5503 to the issue resolved in Cairo 1.4.12.

New in Version 6.0.4

Workstation 6.0.4 adds full support for the following operating systems:

* 32-bit and 64-bit Windows Vista SP1 as host and guest operating systems. Editions include Windows Vista Enterprise, Business, Home Basic, Home Premium, and Ultimate.

Note: The Integrated Virtual Debuggers support most of these Windows Vista SP1 operating systems:

* Eclipse Integrated Virtual Debugger can be hosted on all 32-bit versions of these Windows Vista editions. It supports 32-bit and 64-bit Enterprise, 32-bit Ultimate, and 32-bit Business editions as a guest.
* Visual Studio Integrated Virtual Debugger can be hosted on all 32-bit and 64-bit versions of these Windows Vista editions. It supports 32-bit and 64-bit Enterprise, Ultimate, and Business editions as a guest.

Workstation 6.0.4 addresses the following security issues:

* On Windows hosts, if VMCI is enabled, a guest can execute arbitrary code in the context of the vmx process on the host. This is a compiler-dependent vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the CVE number CVE-2008-2099 to this issue. (bug 234208)
* A security vulnerability related to the host-guest file system (HGFS) could cause a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the CVE number CVE-2008-2098 to this issue. (bug 234214)

Workstation 6.0.4 is also a maintenance bug fix release to improve VMware Workstation 6.0.3. See Fixed Bugs for information about additional bug fixes.

VirtualBox 1.5.4 (released 2007-12-29)
USB 2.0 support
PulseAudio backend
GUI: fixed accelerators in German translation
GUI: fixed registration dialog crashes
GUI: allow to enter unicode characters to the name of the registration dialog
GUI: pre-select attached media in the disk manager when opened from the VM settings dialog
GUI: remember the last active VM
GUI: don’t accept empty paths for serial/parallel ports in XML
GUI: fixed NumLock / CapsLock synchronizazion on Windows hosts
GUI: don’t start the kernel timer if no VM is active (Linux host)
VMM: improved compatibility with FreeBSD guests
VMM: properly restore CR4 after leaving VT-x mode
VMM: patch code and disassembler updates
VMM: with VT-x a pending interrupt could be cleared behind our back
VMM: workaround for missed cpuid patch (some Linux guests refuse to boot on multi-core CPUs)
VMM: fixed code for overriding CPUID values
API: don’t crash when trying to create a VM with a duplicate name
API: don’t crash when trying to access the settings of a VM when some other VMs are not accessible
API: fixed several memory leaks
ATA/IDE: fixed SuSE 9.1 CD read installer regression
Floppy: fixed inverted write protect flag
USB: virtualize an EHCI controller
USB: several minor fixes
Network: fixed MAC address check
Network: host interface fixes for Solaris guests
Network: guest networking stopped completely after taking a snapshot
Network: don’t crash if a network card is enabled but not attached
PXE: fix for PXE-EC8 error on soft reboot
NAT: update the DNS server IP address on every DNS packet sent by the guest
VGA: reset VRAM access handers after a fullscreen update
VGA: don’t overwrite guest’s VRAM when displaying a blank screen
ACPI: implemented the sleep button event
VRDP: fixed crash when querying VRDP properties
VRDP: netAddress fixes
VRDP: fixed the Pause/Break keys over VRDP
VRDP: sync NumLock / CapsLock sync over VRDP
VRDP: workaround for scrambled icons with a guest video mode of 16bpp
VRDP: reset modifer keys on RDP_INPUT_SYNCHRONIZE
VRDP: reset RDP updates after resize to prevent obsolete updates
Clipboard: Windows host/guest fixes
Clipboard: fixed a SEGFAULT on VM exit (Linux host)
Clipboard: fixed a buffer overflow (Linux host)
Shared Folders: fixed memory leaks
Linux installer: remove the old kernel module before compiling a new one
Linux host: compatibility fixes with Linux 2.6.24
Linux host: script fixes for ArchLinux
Linux host: load correct HAL library to determine DVD/floppy (libhal.so.1 not libhal.so)
Linux host: make sure the tun kernel module is loaded before initializing static TAP interfaces
Windows additions: fixed hang during HGCM communication
Windows additions: fixed delay when shutting down the guest
Linux additions: added sendfile support to allow HTTP servers to send files on shared folders
Linux additions: make additions work with Fedora 8 (SELinux policy added)
Linux additions: sometimes ARGB pointers were display incorrectly
Linux additions: several small script fixes