VMware Critical Vulnerability
by David Heath
Thursday, 16 April 2009

Security sites are abuzz with news of a critical VMware vulnerability.

It turns out that the "multiple security issues" are rather serious. In fact they gave rise to an additional advisory rated 'critical' by the folks at VMware. The vulnerability allows a task running in the hosted virtual environment to execute code on the host Operating System.

This is serious. Very serious. As part of the push to green the data centre many organisations are turning to virtual machine environments to enable highly separated, independent tasks to run concurrently on a single physical device. Hosted websites for SMEs are an obvious example. Now we find that any one of those virtual machines can influence the base OS, and by implication have dire effects upon other virtual environments on the same system.

There is a rolling demo of the exploit here. Immediately following the first two updates, SANS reported the release of an exploit (only available for payment to the developers) and subsequently a whitepaper (also attracting a fee) that details the attack. Oddly SANS chose not to publish links!

It seems that VMware have fixed the problem – the third advisory specifies the minimum version levels of all VMware products required to defeat the issue. However, this is the first time that an inter-machine vulnerability has been identified, something we were always assured couldn't happen.




