Misguided Opinion: Why does everyone care about the VMware source being “leaked?”

Suddenly, 17 days after the ‘leak press release’ was published by HardcoreCharlie to pastebin, the news story broke far and wide that VMware source code has been leaked.

Did anyone miss the fact that VMware makes their source available to partners via the TAP program?

To me it seems this “breach” was little more than some sysadmin at some reseller posting a torrent of the source; source that was already available to the “public” (albeit not general). The leak doesn’t appear to be an exfiltration of data from VMware’s servers, which would be actually scary.

This idea hasn’t stopped everyone from ThreatPost to ZDNet from posting about how VMware itself is “downplay[ing] any damage” the leak caused by stating “VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.”

Since VMware makes its source code available to third parties, VMware clearly doesn’t seem to think that it is an asset that needs much protecting; just a restricted audience, or rather, an audience filled with paid seats. Therefore, there is no damage as far as VMware is concerned. It’s like stealing tax forms available in your local IRS office, publishing them online as a “leak,” then having the US government respond to “the event” by stating “yeah, we don’t think it’ll hurt anyone who files their taxes.” This is not “downplay[ing] the damage,” as there is no damage.

It’s a shallow shaving off of the data chunk that is VMware’s IP, clearly; and a distraction from real threats and causes of exfiltration of data that their global customer base faces on a daily basis. Due to the availability of the “leaked” data by VMware, this can barely be considered an exfiltration.

The probable fallout of the leak? Now that the source code may be available not only to commercial entities/partners in the TAP program, but to the world, we can expect the proliferation of exploits. This means that the “source code leak” will eventually cause an increase in security of the VMware kernel and platform.  Good!

Or maybe it doesn’t matter. VMware should (and apparently does) have a security team that spends their time analyzing VMware’s software.  Likely this security team is hard at work finding and working on patches for existing vulnerabilities in VMware code. Taking a look at the public CVEs for VMware, it’s clear that many people are hard at work doing just this, internal and external to VMware itself.  I’m surprised more folks aren’t working hard to reverse patches.

I’d be interested in finding a link to the source code (and when I do, expect a link here), but for now, it’s just a pipe dream of Hardcore Charlie’s.

Keep an eye out for Metasploit modules and other exploits to pop up over the next few months.

This brings up another interesting topic. Is it ethical for a search engine to delist results or not service searches containing a certain string if it is deemed dangerous? What defines “dangerous?”
