VMware Player 2.0 Release Notes

Release Date: August 28, 2008
Build Number: 109488

VMware Player is a free desktop application that lets you run a virtual machine on a Microsoft Windows or Linux PC.

The Player provides an intuitive user interface for running preconfigured virtual machines created with VMware Workstation, VMware Server, and ESX Server. On Microsoft Windows hosts, Player also opens and runs Microsoft Virtual PC and Virtual Server virtual machines and Symantec Backup Exec System Recovery system images.

What's New in VMware Player 2.0.x

This section lists all maintenance releases of VMware Player 2.0.x.

What's New in Player 2.0

Player 2.0 contains the following features:

  • Microsoft Windows Vista support — You can use Microsoft Windows Vista as a host and guest operating system.
  • USB 2.0 Support — You can use peripherals that require high-speed performance, such as MP3 players and fast storage devices, in your virtual machines.
  • Shared folders — If you have enabled shared folders on the virtual machine, you can use this feature to move files between the host and guest operating systems. The virtual machine must be preconfigured with shared folders enabled, and with the path specified to the designated shared folder on the host.
    As a security precaution, shared folders are disabled by default in Player. When you open a virtual machine with shared folders in Player, a notification message explains that shared folders have been disabled, and tells you how to re-enable the feature.
  • Appliance view — Virtual machine appliances can now be preconfigured to display an appliance view. A virtual appliance is a fully pre-installed and preconfigured application and operating system environment that runs on any standard x86 desktop or server in a virtual machine; for example, a Web server application with a browser-based console.
    The appliance view gives you a brief description of the type of server or appliance and provides a link that opens the browser on the guest system and connects to the correct port for the server console. If a virtual machine is configured with an appliance view, Player modifies the default settings to the appliance view. You can also opt to use the traditional console view.
  • Welcome page — The Welcome page gives you the option of browsing to a virtual machine file, opening a recently used virtual machine, or downloading a virtual appliance from the VMTN (VMware Technology Network) Web site.
  • Experimental support for Virtual SMP — You can use the Player to power on a virtual machine that has more than one virtual processor assigned.

Downloading VMware Player and Virtual Appliances

You can download the Player from the VMware Player download page and virtual appliances from the Virtual Appliance Marketplace.

Refer to the Getting Started Guide for more information.

Known Issues

This section describes the caveats found in the Player:

  • Pressing the middle button on a ThinkPad T43 causes the cursor to be released from the guest operating system.
    The middle button of the three buttons above the track pad is usually configured to allow scrolling. In the guest operating systems, it does not allow scrolling and might cause input to be ungrabbed from the guest.
  • If you share a folder between a Linux host and a Microsoft Windows guest, the Windows guest might not be able to access symbolic links.
    Symbolic links appear as regular files on Microsoft Windows guests, but the links are not followed when you attempt to open them.
  • If you install Player on a Microsoft Windows 2003 Server host, Player does not display help correctly until you enable JavaScript.
    This is because, on Microsoft Windows 2003 Server, JavaScript is disabled by default in Internet Explorer.
    Workaround:
    1. In Internet Explorer, select Tools > Internet Options.
      The Internet Options window opens.
    2. Select the Security tab.
    3. Click Custom Level.
      The Security Settings window opens.
    4. Go to Scripting > Active Scripting, and select Enable.

Resolved Issues

This section describes the resolved issues in all maintenance releases of Player 2.0.x.

VMware Player 2.0.5

Player 2.0.5 addresses the following security issues:

  • Setting ActiveX killbit
    Starting with this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See Microsoft KB article 240797 and the related references on this topic.
    Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or allow arbitrary code to run when the user browses a malicious Web site or opens a malicious file in IE. An attempt to run unsafe ActiveX controls in Internet Explorer might result in pop-up windows warning the user.
    Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompt when unsafe actions are requested.
    VMware previously issued knowledge base articles KB 5965318 and KB 9078920 on security issues with ActiveX controls.
    To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.
    The Common Vulnerabilities and Exposures (CVE) project has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.
  • Update to FreeType
    FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to its latest version, 2.3.7.
    The Common Vulnerabilities and Exposures (CVE) project has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in FreeType 2.3.6.
  • Update to Cairo
    Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to its latest version, 1.4.14. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-5503 to the issue resolved in Cairo 1.4.12.
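
A host-side check that the killbit described under "Setting ActiveX killbit" above is in place, as an added PowerShell example (not VMware's code). It reads the Compatibility Flags value documented in Microsoft KB 240797 (killbit = 0x400) in both the native and WOW6432Node registry views; the function name Get-KillBitState is hypothetical and the CLSID is a placeholder, because this page does not list the CLSIDs of the affected controls.

```powershell
# Added example: report whether the IE killbit is set for a given ActiveX CLSID.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from instantiating the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so check both
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on 32-bit hosts

        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        }

        [pscustomobject]@{
            Clsid   = $Clsid
            View    = $root
            Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            # The killbit is one bit among several flags, so test it with a mask
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

# Placeholder CLSID: substitute the CLSIDs given in the vendor advisory.
Get-KillBitState -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A control is blocked in a given IE bitness only if KillBit is True for the matching registry view.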

VMware Player 2.0.4

Player 2.0.4 addresses the following security issues:

  • On Windows hosts, if VMCI is enabled, a guest can run arbitrary code in the context of the vmx process on the host. This is a compiler-dependent vulnerability. The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2008-2099 to this issue.
  • A security vulnerability related to the host-guest file system (HGFS) might cause a buffer overflow. The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2008-2098 to this issue.

VMware Player 2.0.3

Player 2.0.3 resolves the following issues:

  • On openSUSE Linux 10.3 hosts, USB devices cannot be used in a virtual machine unless you plug the USB device in to the host before powering on the virtual machine.
  • On Windows hosts, after disabling shared folders, the Properties button remains enabled.

Security Fixes

  • On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system (CORE-2007-0930).
  • This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities.

VMware Player 2.0.2

Player 2.0.2 resolves the following issues:

  • Hosts with AMD Duron processors might not be able to power on virtual machines. This issue occurs because Duron processors that are based on Athlon do not have Intel SSE (Streaming SIMD Extensions).
  • Ubuntu 7.04 virtual machines sometimes power off unexpectedly if paravirtual kernel support is enabled.

VMware Player 2.0.1

Player 2.0.1 addresses the following security issues:

  • This release fixes several security vulnerabilities in the VMware DHCP server that might enable a malicious Web page to gain system-level privileges.
    The Common Vulnerabilities and Exposures (CVE) project assigned the following names to these issues: CVE-2007-0061, CVE-2007-0062, and CVE-2007-0063.
    Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities.
  • This release fixes a security vulnerability that might allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and run arbitrary code on the host. The Common Vulnerabilities and Exposures (CVE) project assigned the following name to this issue: CVE-2007-4496.
    Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.
  • This release fixes a security vulnerability that might allow a guest operating system user without administrator privileges to cause a host process to stop responding or exit unexpectedly, making the guest operating system unusable. The Common Vulnerabilities and Exposures (CVE) project assigned the following name to this issue: CVE-2007-4497.
    Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.
  • This release fixes a security vulnerability that might allow a malicious remote user to exploit the library file IntraProcessLogging.dll to overwrite files in a system.
    The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2007-4059 to this issue.
    Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities.
  • This release fixes a security vulnerability that might allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system.
    The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2007-4155 to this issue.
    Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities.
  • This release fixes an issue that prevented Player from launching. This issue was accompanied by the error message "VMware Player unrecoverable error: (player) Exception 0xc0000005 (access violation) has occurred." This issue might result in a security vulnerability from the images stored in virtual machines downloaded by the user.
  • This release fixes a security vulnerability in which Player starts registered Windows services, such as the Authorization service, with bare (unquoted) paths, such as c:\program files\vmware\.... Applications and services in Windows must be started with a quoted path. This vulnerability might allow a malicious user to escalate user privileges.
    Thanks to Foundstone for discovering this vulnerability.
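
One way to audit a Windows host for the unquoted service path condition described in the last item above, as an added PowerShell example (not VMware's code). The function name Test-UnquotedServicePath and the sample paths are constructed for illustration; Win32_Service and its PathName property are standard.

```powershell
# Added example: flag service image paths that contain a space but are not quoted.
function Test-UnquotedServicePath {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) { return $false }   # executable path is already delimited

    # Isolate the executable portion: spaces in the arguments after ".exe" are
    # harmless, spaces inside the executable path itself are the problem.
    if ($path -match '^(.*?\.exe)(\s|$)') {
        $exe = $Matches[1]
    } else {
        $exe = $path   # no ".exe" found: judge the whole string (may over-report)
    }
    return $exe.Contains(' ')
}

# Constructed sample values (not taken from a real host or from VMware's installer).
$samples = @(
    'C:\Program Files\Example Vendor\svc.exe -run',     # unquoted, space in path: flagged
    '"C:\Program Files\Example Vendor\svc.exe" -run',   # quoted: not flagged
    'C:\Windows\System32\svchost.exe -k netsvcs'        # unquoted, but no space in path
)
$samples | ForEach-Object {
    [pscustomobject]@{ Unquoted = Test-UnquotedServicePath $_; ImagePath = $_ }
} | Format-Table -AutoSize

# Audit the services registered on the local host.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Select-Object Name, StartName, StartMode, PathName |
    Format-Table -AutoSize
```

Any service the audit reports should have its ImagePath corrected to a quoted path by the vendor's fixed installer or by an administrator.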