And such worries here are not merely theoretical. In December 2005, a widely publicized flaw in VMware sent shudders up some of our spines. A vulnerability in VMware's NAT service could have allowed remote attackers to execute malicious code by exploiting the VM itself. It should be noted that this issue, while a concern, was not really a VM escape. It was, instead, an exploitable buffer overflow vulnerability. A true VM escape, if such a thing is possible, involves running code in a guest that would allow an attacker to jump out and execute commands in the host operating system. There are no publicly available VM escape tools as of this writing. And, VMware thankfully patched the December buffer overflow quickly, and no major compromises associated with the problem were ever publicized.
However, in the end, it's crucial to keep your VM software itself patched to minimize the chance of vulnerabilities there. Additionally, if you do not need all of the fancy services that virtual machine-enabling software offers and installs, don't install them. For example, if you don't need to share files among guests and hosts, drag and drop features, shared clipboards, and so forth, consider not installing these tools. And, as always, any software without a defined business need should be left off of systems, as its introduction could expose you to vulnerabilities. Virtual machine tools are no exception.
This was first published in December 2006