VMware this week confirmed that stolen source code for VMware ESX had recently been published online.
"The good news is that the code dates from 2003 to 2004," notes Ars Technica's Jon Brodkin. "While VMware ESX is still heavily used, VMware is shifting customers to a newer hypervisor called ESXi, which has a smaller attack surface and is designed to be more secure."
"According to VMware, the publication of the source code does not necessarily mean that there is any increased risk for the company's customers," The H Security reports. "In a statement, the company said that VMware proactively shares its source code and interfaces with other industry participants to enable a 'broad virtualisation ecosystem.'"
"Still, a zero-day vulnerability in ESX could pose significant problems for VMware and the legions of cloud service providers whose infrastructure runs on the hypervisor," writes CRN's Kevin McLaughlin.
"The code was posted to Pastebin by a LulzSec-related hacker who goes by the handle 'Hardcore Charlie' on April 8," writes BetaNews' Ed Oswald. "The breach was part of a larger effort by the hacker which compromised the servers of the Beijing-based China National Import & Export Corp (CEIEC)."
"The hacker told Reuters earlier this month that he had targeted CEIEC in an effort to uncover documents about the U.S. government’s involvement in Afghanistan," writes Wired's Kim Zetter. "He said he worked with another hacker who goes by the name YamaTough."
"While the admission is embarrassing for VMware there may be more code to come from other vendors," writes The Register's Iain Thomson. "Hardcore Charlie has said on his Twitter feed that he also has EMC code that will be put up online at a later date."
"Earlier this year, the security vendor Symantec also suffered a similar source code leak," notes Computerworld's Jaikumar Vijayan. "In Symantec's case, the leaked code involved the Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 products, both of which were more than five years old at the time they were posted."