VMware Movie Decoder, VMware Workstation, VMware Player, and VMware ACE resolve security issues.

2009-09-04T00:00:00
ID VMSA-2009-0012
Type vmware
Reporter VMware
Modified 2009-09-04T00:00:00

Description

Several security issues resolved with the latest VMnc codec.

The VMware movie decoder contains the VMnc media codec that is
required to play back movies recorded with VMware Workstation,
VMware Player and VMware ACE, in any compatible media player. The
movie decoder is installed as part of VMware Workstation, VMware
Player and VMware ACE, or can be downloaded as a standalone
package.

Several vulnerabilities in the VMnc codec can be exploited to cause
heap-based buffer overflows via specially crafted video files
containing incorrect framebuffer parameters.

For an attack to be successful, the user must be tricked into
visiting a malicious web page or opening a malicious video file on
a system that has the vulnerable version of the VMnc codec installed.
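
The kind of check that rejects the "incorrect framebuffer parameters" described above, as an added example that is not VMware's code. The header layout, the names fb, rect_hdr, fb_init and rect_apply, and the FB_MAX_DIM cap are assumptions for illustration and do not describe the real VMnc format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout for illustration; NOT the real VMnc format. */
struct fb { uint8_t *pix; uint32_t width, height, bpp; };  /* bpp = bytes per pixel */
struct rect_hdr { uint32_t x, y, w, h, bpp; };  /* untrusted: parsed from the file */
#define FB_MAX_DIM 16384u  /* assumed cap; keeps every size product far below SIZE_MAX */

/* Allocate the framebuffer only after range-checking the declared geometry. */
int fb_init(struct fb *fb, uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || w > FB_MAX_DIM || h > FB_MAX_DIM || bpp == 0 || bpp > 4)
        return -1;
    fb->pix = calloc((size_t)w * h, bpp);
    fb->width = w; fb->height = h; fb->bpp = bpp;
    return fb->pix ? 0 : -1;
}

/* Copy one rectangle update into the framebuffer, or return -1 and leave it untouched. */
int rect_apply(struct fb *fb, const struct rect_hdr *r, const uint8_t *data, size_t avail)
{
    if (r->bpp != fb->bpp || r->w == 0 || r->h == 0)
        return -1;
    /* Subtraction form: x + w cannot wrap past UINT32_MAX and slip through. */
    if (r->x >= fb->width || r->w > fb->width - r->x)
        return -1;
    if (r->y >= fb->height || r->h > fb->height - r->y)
        return -1;
    size_t row = (size_t)r->w * fb->bpp;
    if (avail / row < r->h)  /* payload shorter than the header claims */
        return -1;
    for (uint32_t i = 0; i < r->h; i++) {
        size_t dst = ((size_t)(r->y + i) * fb->width + r->x) * fb->bpp;
        memcpy(fb->pix + dst, data + (size_t)i * row, row);
    }
    return 0;
}

int main(void)
{
    struct fb fb;
    uint8_t data[32] = {0};                 /* constructed sample payload */
    struct rect_hdr bad = {6, 0, 4, 1, 4};  /* constructed: 6 + 4 exceeds width 8 */
    if (fb_init(&fb, 8, 4, 4) != 0) return 1;
    int rc = rect_apply(&fb, &bad, data, sizeof data);
    free(fb.pix);
    return rc == -1 ? 0 : 1;
}
```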

VMware would like to thank Alin Rad Pop of Secunia Research and
Will Dormann of the CERT/CC for reporting these issues and working
with us on their remediation.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-0199 and CVE-2009-2628 to these
issues.

To remediate the above issues, either install the standalone movie
decoder or update your product using the table below.