VMware Security Update: Accelerated Release of Patches

VMware Security has posted an announcement that patches are being made available immediately.

VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

For example, ESXi 5.0 P3 has a Security Patch Needed.

Apply security patch available at http://www.vmware.com/patchmgr/download.portal under Bulletin ESXi500-201205401-SG.

That patch has the following explanations:

Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.

[…]

Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

[…]

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
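A bulletin ID like ESXi500-201205401-SG does not show up by name on a host; what an administrator can see is the version of the `esx-base` VIB that the bulletin installs. The following added example (not VMware's code) parses the text output of `esxcli software vib list` and reports whether `esx-base` is at or above a required version. The sample output and the required version are constructed placeholders; the real minimum comes from the bulletin's KB article.

```python
"""Patch-compliance check for an ESXi host.

Added example, not VMware's code. It parses the text output of
`esxcli software vib list` (run on the ESXi host or through vCLI) and
reports whether the installed `esx-base` VIB is at least the version a
security bulletin ships. The sample output and the minimum version below
are constructed placeholders; substitute the esx-base version listed in the
bulletin's KB article (e.g. for ESXi500-201205401-SG).
"""
import re

# Constructed sample of `esxcli software vib list` output. The column layout
# follows the real command; the version strings and dates are made up.
SAMPLE_VIB_LIST = """\
Name        Version                    Vendor  Acceptance Level  Install Date
----------  -------------------------  ------  ----------------  ------------
esx-base    5.0.0-1.11.623860          VMware  VMwareCertified   2012-04-01
net-e1000e  1.1.2-3vmw.500.0.0.469512  VMware  VMwareCertified   2012-04-01
"""

# Placeholder: replace with the esx-base version the bulletin installs.
REQUIRED_ESX_BASE_VERSION = "5.0.0-1.99.999999"


def parse_vib_list(text):
    """Map VIB name -> version string, skipping the header and rule lines."""
    vibs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have a name followed by a version that starts with a digit;
        # the header row ("Name Version ...") and the dashed rule do not.
        if len(parts) >= 2 and parts[1][:1].isdigit():
            vibs[parts[0]] = parts[1]
    return vibs


def version_key(version):
    """Turn '5.0.0-1.11.623860' into (5, 0, 0, 1, 11, 623860) for comparison.

    Every run of digits is compared numerically, so build numbers sort
    correctly (623860 < 914586) where a plain string compare would not.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def needs_patch(vib_list_text, vib="esx-base", minimum=REQUIRED_ESX_BASE_VERSION):
    """Return True if the VIB is missing or older than `minimum`."""
    installed = parse_vib_list(vib_list_text).get(vib)
    if installed is None:
        return True  # nothing installed under that name: treat as unpatched
    return version_key(installed) < version_key(minimum)


if __name__ == "__main__":
    installed = parse_vib_list(SAMPLE_VIB_LIST).get("esx-base")
    status = "PATCH NEEDED" if needs_patch(SAMPLE_VIB_LIST) else "up to date"
    print(f"esx-base {installed} -> {status}")
```

In practice the output would be captured from each host (`esxcli software vib list > host.txt`) and fed to `needs_patch`; a host that reports an older `esx-base`, or none at all, is the one that still needs the bulletin applied. Keep the NFS note from the advisory in mind when prioritising: hosts that actually carry NFS datastore traffic are the ones exposed to the unauthenticated network-side flaw.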

Their announcement also has a FAQ with reference to recent events:

In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.

500px Terms of Service

500px is a photo sharing site with an interesting approach to a terms of service (TOS) page. On the left side they have a bunch of legal language.

Content Submitted Or Made Available For Inclusion On The Service

Please read this section carefully before posting, uploading, or otherwise submitting any Content to the site. By submitting content to the site you are granting 500px a worldwide, non-exclusive license to use the content and are representing and warranting to 500px that the content is owned or duly licensed by you, and that 500px is free to publish, distribute and use the content as hereinafter provided for without obtaining permission or license from any third party…

Yada, yada, and then on the right they say this:

Basically, Your photos will preserve whatever copyright they had before uploading to this site. We will protect the copyright and will not sell your photos without your permission.

Under the store section they give this concluding sentence:

Your photos will be kept safe.

Safe? That is bold. I would understand if they said they would do their best or practice diligence but this statement is absolute. Then again, note their summary under Release and Indemnity.

Basically, We are not liable if something goes really wrong.

Uh, ok, really safe.

Survey: 70% Still See Security Barrier to Cloud

A new social network company by Sarah Gates called Wisegate, which bills itself as “a private invitation-only community of senior information technology professionals,” has released survey results that suggest security and compliance remain a barrier to cloud adoption for IT across industries.

When asked if they were moving protected class data into the public cloud, 53% of senior IT practitioners from leading companies in financial services, healthcare, consumer products, automotive, and government agencies said that the “cloud was too risky and they have no near term plans” to adopt cloud for such applications. Quite a few members reported that government or industry regulations (such as HIPAA or Sarbanes-Oxley) prevent them from adopting cloud-based applications.

Quite a few? What percentage is that?

A survey brief is available online from Wisegate but it has few of the usual details like sample size. It also shows some inconsistencies with the press release.

When it comes to moving to cloud-based applications and services, Wisegate members are most concerned about security. Scott’s first poll shows that 73% of Wisegate members have security as their biggest reservation about moving to cloud-based applications. A second poll from Scott shows that 53% of Wisegate members are addressing this security concern by requiring data classification, virtualization security, and encryption as a key control for moving to cloud.

Encryption as a key control? Funny. That pun was probably unintentional.

The paper from Wisegate emphasises using information from peers to move into cloud. That’s positive. Yet the news coverage, even without the 73% data point, seems to spin the story the opposite way. I’d like to see more detail on the 73% breakdown and how the questions were asked. Virtualization security is not mutually exclusive from data classification and encryption. Maybe the obfuscation of data is a sales tactic to get people to join Wisegate.