VMware addresses ESX source code leaks with accelerated security patches
At the end of April, Iain Mulholland, director of the VMware Security Response Center, announced that some of VMware's confidential source code for the ESX hypervisor had been leaked and a single file had been posted online. That same day, Kaspersky Lab's ThreatPost blog pointed to a hacker calling himself "Hardcore Charlie" as the person who leaked the VMware ESX hypervisor files.
At first, the full extent of the situation was unclear. Could this leak affect virtual data centers and cloud environments around the world, or would it end up being just a minor blip on the radar screen? The specifics of the leaked code are still in question, but the availability of ESX source code out in the wild could potentially give hackers a better chance to find undiscovered vulnerabilities in the company's hypervisor technology. The seriousness of this exposure depends on the level of code audit performed.
VMware's initial stance on the source code leak was discouraging. In his initial blog post, Mulholland seemed to downplay the event. He stated that the leaked code dated back to the 2003-2004 timeframe, and since VMware had made many revisions to the code in the years that followed, it seemed like a good possibility the leaked code could have been deprecated along the way, reducing any negative security affects it might have. Mulholland also tried to calm fears by saying, "The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers."