2. This issue is not about a user on the host compromising a virtual guest. It is about a *non-privileged* user on the host being logged in to guest machines as an administrator, and a worm--running in the context of that non-privileged user on the host--being able to access the admin-level context of the guest machines without knowing those administrator credentials. Also remember that since I am talking about a non-privileged user on the host, there will be limits on what this user could do to accomplish some of the other attacks mentioned.
Your position seems to be that an easy automated scripting interface is a lot more dangerous than a slightly harder indirect attack method. The truth is that they are both scriptable and reliable. Techniques for attacking virtual machines from the host are certainly no harder to code than the average remote exploit that worms used to propogate. Do you really think a worm writer who wants to compromise VMWare guests would take advantage of a scripting interface but shy away from the task if he had to write custom code to break into the guest?
4. This is also not so much about this specific issue at hand--we can easily block this--but also looking at the bigger picture of establishing best practices for dealing with the guest/host relationship.
Here's a best practice: Don't assume that guests are protected from software running on the host system.
As a side note, I specialize in hardening Windows so all of these systems have been hardened with my own hardening script that is quite extreme. These are by no means weak targets.
A (virtual) machine where attackers can arbitrarily read and write the memory, the disk and even alter devices is going to be a soft target. The physical analogy that someone brought up earlier works well here. Would you consider your machine locked down if someone could open your computer case, yank the hard drive and attach new devices to the system at will? Well, with a virtual machine they can do that while the machine is running.
Mark Burnett http://xato.net
Tim Newsham http://www.thenewsh.com/~newsham/
