Broadcom fails to disclose zero-day exploitation of VMware vulnerability

https://www.securityweek.com/broadcom-fails-to-disclose-zero-day-exploitation-of-vmware-vulnerability/

64•Bender•4mo ago

Comments

chuckadams•4mo ago

That's going to cost them big time in the EU when the CRA goes into full effect in a couple years. Theoretically anyway.

_alternator_•4mo ago

According to the discoverer, NVISO: “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”

This may explain the failure to notify of a 0day, since it seemed to be exploited accidentally in the course of a more sophisticated operation.

But that doesn’t excuse the lack of disclosure IMO. If it’s so trivial you could accidentally exploit it, seems bad.

garganzol•4mo ago

To add an insult to the injury, Broadcom totally wrecked the update process for existing VMware installations. They killed update servers and domains, everything is annihilated.

A cherry on the top: you need to pass a quest of registrations and approvals before you ever be able to have an opportunity to get access to any VMware software download. Good luck updating your software, folks.

RiverCrochet•4mo ago

I wanted to update to the latest version of the free VMWare Workstation, and since the auto updating didn't work anymore I tried to go to the Broadcom site to see if I could manually download it.

I was able to get to a download page for the latest version after making an account and traversing some confusing stuff, but it did want my real name and address before it would give me the download.

chuckadams•4mo ago

Broadcom seems really determined to drive everyone away from VMWare at this point. I think they looked at pre-1990's IBM that locked everything up into service contracts top to bottom and decided that would be their business model. Makes Oracle look like GNU by comparison.

stackskipton•4mo ago

> Broadcom seems really determined to drive everyone away from VMWare at this point.

They are but this a shit ton of money to be earned while doing so. VMWare is so cemented at companies that migration for many is going to be almost impossible.

>pre-1990's IBM that locked everything up into service contracts top to bottom

IBM still has a ton of those service contracts. It's small amount of their overall revenue but it's not nothing. 10 years from now, big F500 will still be on VMware paying insane amounts of money.

miladyincontrol•4mo ago

Good reason as to why even in vms, services should be containerized such as with nspawn, ideally distroless if sanely doable for the service.

Not that containerization should be your only protection either, but generally I prefer random users not to have opportunity to just create and run arbitrary executables in default namespace.

Facebook seemingly randomly bans tons of users

Global Bird Count

What Is Ruliology?

Jon Stewart – One of My Favorite People – What Now? With Trevor Noah Podcast [video]

P2P crypto exchange development company

Vocal Guide – belt sing without killing yourself

Write for Your Readers Even If They Are Agents

Knowledge-Creating LLMs

Maple Mono: Smooth your coding flow

Sid Meier's System for Real-Time Music Composition and Synthesis

Show HN: Slop News – HN front page now, but it's all slop

Show HN: Empusa – Visual debugger to catch and resume AI agent retry loops

Show HN: Bitcoin wallet on NXP SE050 secure element, Tor-only open source

White House Explores Opening Antitrust Probe on Homebuilders

Show HN: MindDraft – AI task app with smart actions and auto expense tracking

How do you estimate AI app development costs accurately?

Going Through Snowden Documents, Part 5

Show HN: MCP Server for TradeStation

Canada unveils auto industry plan in latest pivot away from US

The essential Reinhold Niebuhr: selected essays and addresses

Rentahuman.ai Turns Humans into On-Demand Labor for AI Agents

StovexGlobal – Compliance Gaps to Note

Show HN: Afelyon – Turns Jira tickets into production-ready PRs (multi-repo)

Trump says America should move on from Epstein – it may not be that easy

Tiny Clippy – A native Office Assistant built in Rust and egui

LegalArgumentException: From Courtrooms to Clojure – Sen [video]

US moves to deport 5-year-old detained in Minnesota

If you lose your passport in Austria, head for McDonald's Golden Arches

Show HN: Mermaid Formatter – CLI and library to auto-format Mermaid diagrams

RFCs vs. READMEs: The Evolution of Protocols