VMware pledges to improve security, considers scheduling patch updates

It used to feel like Patch Tuesday was a problem that only Microsoft had to deal with. As Microsoft Windows was the major operating system deployed, it only made sense that this was where hackers preferred to spend most of their time creating malware, viruses, and exploits.

But as virtualization and cloud computing become the new top-level OS, as it were, within the data center, the hypervisor layer is becoming a more attractive target for breaches and attacks. Would-be hackers going after a virtualized data center will look for vulnerabilities within the hypervisor, the virtual machines, or the virtual networks in hopes of being able to find an exploit that can help them get their hands on the keys to the entire kingdom.

[ Also on InfoWorld: GreenBytes attacks storage costs and IO bottlenecks within VDI | The future looks bright for VMware Flings | Track the latest trends in virtualization in InfoWorld’s Virtualization Report newsletter. ]

For years, it seemed as though VMware only had to be concerned with Microsoft guest OS security issues. But as the hypervisor became more and more commonplace within the data center, the target on VMware’s back seemed to expand.

VMware has always had to deal with security issues, patches, and fixes. That’s nothing new. For the most part, they were fairly well contained within the VMware community. While VMware did its best to alert users and provide a fix or workaround in a fairy reasonable time frame, the security issues never seemed to make headlines outside of virtualization circles.

Even though the hypervisor is becoming more of a commodity play with increased competition coming from Microsoft, Citrix, Red Hat, and Oracle, it seems as though VMware has seen a spike in the number of threats made against its virtualization products. Or perhaps these security threats are just being more commonly reported in today’s mainstream media. Either way, security concerns are on the rise.

Things really changed last year when three separate incidents of VMware’s confidential source code from the ESX hypervisor were leaked and posted online by hackers. This raised more than a few eyebrows, and the news went far and wide. In December 2012, VMware security problems extended themselves over to the company’s desktop virtualization software, VMware View. It was found that an unauthenticated remote attacker could execute a directory traversal attack to retrieve random files from an affected View server, potentially exposing sensitive information on that server. Even more recently — last month, in fact — VMware warned of another vulnerability with its VMCI.SYS driver, which could result in a privilege escalation on Windows-based hosts and on Windows-based guest operating systems.

To be fair, VMware has often been quick to fix these security issues or come up with a workaround. But the company is now rethinking its process. The question posed to its user community was whether VMware should continue its “just in time” approach or if it should release a fixed schedule of security patches, à la Microsoft’s Patch Tuesday.

The virtualization giant surveyed more than 1,700 members of its independent VMware User Group (VMUG) to learn more about its customers’ security practices and requirements. According to a VMware blog post on the subject, some of the highlights from this survey include:

• Two-thirds of respondents have established maintenance policies and schedules, and they’re generally up-to-date with security patches (no more than four patches behind)
• One-third follow a monthly maintenance schedule, and another third have a quarterly maintenance cycle
• Alarmingly, one-third of respondents said they are well behind on security updates (23 percent) or never apply them (10 percent)
• Two-thirds consider vendor-supplied workarounds as either a temporary or permanent alternative to patching
• Nearly half of those responding said they would prefer a scheduled set of patches, while the remainder said they would prefer patches to be released immediately as they become available
• Two-thirds claimed they protect their vSphere management networks primarily using VLANs, though many share this network with other infrastructure services

In response to the survey information gathered, VMware said they are considering initiatives to increase awareness of security updates, as well as the potential for product improvements to reduce the burden of keeping up-to-date on security. The company will also provide more details within the VMware Security Advisories (VMSAs).

But with users split 50/50 in favor of either scheduled patches or just-in-time patches, VMware said it would continue to gather data before making a change from its current process. Don’t expect VMware to move to a regularly scheduled set of security patches just yet.

In the end, no matter what security update method VMware chooses to go with, one thing is clear: With VMware product threats potentially on the rise, if VMware releases a patch or update that is marked as “critical,” don’t blink. VMware customers shouldn’t take any chances with their virtualized infrastructures. In a physical environment, hackers have to concentrate on hacking individual servers or individual applications. But when you use virtualization, a hacker can sometimes get away with entry through a single point and gain access to everything (the keys to the kingdom).

This article, “VMware pledges to improve security, considers scheduling patch updates,” was originally published at InfoWorld.com. Follow the latest developments in virtualization at InfoWorld.com.