VMware VMSA-2008-0014.3
Aug 29, 2008 - 12:00 a.m.

Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.

2008-08-29 00:00:00
www.vmware.com
CVSS3: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.208 Low
Percentile: 96.3%

I Security Issues

a. Setting ActiveX killbit

Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids Microsoft KB article 240797 and the related references on this topic.

Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.

Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested.

Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.

VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.
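One way to confirm after patching that the killbit is actually in place, added here as an example and not part of VMware's advisory: the script reads the text of a `reg export` of the IE "ActiveX Compatibility" key and reports, for each CLSID of interest, whether the kill bit (`0x400` in "Compatibility Flags", per Microsoft KB 240797) is set in both the native and the 32-bit (Wow6432Node) registry view. The CLSIDs and the sample export are constructed placeholders, since the advisory does not list the controls' CLSIDs, and the function names are this example's own.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit described in Microsoft KB 240797
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample in `reg export` text form (real exports are UTF-16 files).
# The CLSIDs are placeholders; the advisory does not list the real ones.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000a}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000420
"""

def parse_flags(reg_text):
    """Map (view, CLSID) -> flags value, or None if the key has no flags."""
    flags, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = None
            if m:
                current = ("32-bit" if m.group(1) else "native", m.group(2).upper())
                flags.setdefault(current, None)
        elif current and (m := FLAGS_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return flags

def audit(reg_text, clsids, views=("native", "32-bit")):
    """Return {(view, CLSID): 'killed' | 'not killed' | 'no entry'}."""
    flags, report = parse_flags(reg_text), {}
    for clsid in (c.upper() for c in clsids):
        for view in views:
            if (view, clsid) not in flags:
                report[(view, clsid)] = "no entry"
            else:
                killed = (flags[(view, clsid)] or 0) & KILL_BIT
                report[(view, clsid)] = "killed" if killed else "not killed"
    return report

if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-00000000000a}", "{00000000-0000-0000-0000-00000000000B}"]
    for (view, clsid), state in audit(SAMPLE, wanted).items():
        print(f"{clsid} [{view}]: {state}")
```

On a 32-bit host there is no Wow6432Node view, so pass `views=("native",)` there.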
