VMware VMSA-2008-0014
Aug 29, 2008 - 12:00 a.m.

Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.

www.vmware.com

EPSS: 0.197 (Low), percentile 95.8%

I Security Issues

a. Setting ActiveX killbit
Starting from this release, VMware has set the killbit on its
ActiveX controls. Setting the killbit ensures that ActiveX
controls cannot run in Internet Explorer (IE), and avoids
security issues involving ActiveX controls in IE. See
Microsoft KB article 240797 and the related references on this
topic.

Security vulnerabilities have been reported for ActiveX controls
provided by VMware when run in IE. Under specific circumstances,
exploitation of these ActiveX controls might result in
denial-of-service or can allow running of arbitrary code when the
user browses a malicious Web site or opens a malicious file in
IE. An attempt to run unsafe ActiveX controls in IE might
result in pop-up windows warning the user.

Note: IE can be configured to run unsafe ActiveX controls without
prompting. VMware recommends that you retain the default
settings in IE, which prompt when unsafe actions are
requested.

Earlier, VMware had issued knowledge base articles KB 5965318 and
KB 9078920 on security issues with ActiveX controls. To avoid
malicious scripts that exploit ActiveX controls, do not enable
unsafe ActiveX objects in your browser settings. As a best
practice, do not browse untrusted Web sites as an administrator
and do not click OK or Yes if prompted by IE to allow certain
actions.

VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,
and Michal Bucko for reporting these issues to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the names CVE-2008-3691, CVE-2008-3692,
CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and
CVE-2008-3696 to the security issues with VMware ActiveX controls.
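
To confirm after updating that the killbit is actually in place, an
administrator can audit a registry export. The following is an added
example, not part of the VMware advisory: it relies on the
"Compatibility Flags" value (bit 0x400) under the "ActiveX
Compatibility" key described in Microsoft KB 240797. The CLSIDs are
placeholders, since the advisory does not list the affected controls'
CLSIDs, and the function names are this example's own.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit described in Microsoft KB 240797
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$", re.IGNORECASE)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def parse_flags(reg_text):
    """Return {(view, CLSID): flags} from the decoded text of a `reg export` file."""
    flags, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            # WOW6432Node is the registry view 32-bit IE reads on 64-bit Windows.
            current = ("32-bit" if m.group(1) else "native", m.group(2).upper()) if m else None
            if current:
                flags.setdefault(current, 0)  # key exists; the flags value may not
        elif current and (m := FLAG_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return flags

def missing_killbits(reg_text, clsids, views=("native", "32-bit")):
    """Return {CLSID: [views where the kill bit is NOT set]} for each CLSID."""
    flags = parse_flags(reg_text)
    return {c.upper(): [v for v in views if not flags.get((v, c.upper()), 0) & KILL_BIT]
            for c in clsids}

# Constructed sample export. The CLSIDs are placeholders, not VMware's.
CLSIDS = ["{00000000-0000-0000-0000-00000000000%d}" % n for n in (1, 2, 3)]
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00800400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020
"""

if __name__ == "__main__":
    print(missing_killbits(SAMPLE, CLSIDS))
```

Files written by `reg export` are UTF-16, so decode them with that
encoding before passing the text in. An empty list for a CLSID means
the kill bit is set in every registry view checked.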