Industry News Desk
Hacker Leaks VMware ESX Source Code File
Apparently the file was filched off a Chinese web site belonging to the CEIEC by an Anonymous hacker
By: Maureen O'Gara
Apr. 26, 2012 09:00 AM
VMware has confirmed that one of its ESX hypervisor source code files was posted online.
Iain Mulholland, director of VMware's Security Response Center, posted the following event-minimizing message:
"Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.
"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."
Apparently the file was filched off a Chinese web site belonging to the China National Electronics Import-Export Corporation (CEIEC) by an Anonymous hacker who goes by the name Hardcore Charlie, who posted it, along with what looks like internal VMware e-mail, on Pastebin on April 8.
Mulholland told Kaspersky's Threatpost the e-mails were probably commentary "that were manually added into the company's source code repository to provide context for developers."
It's unclear how CEIEC came by the code. It's supposed to do systems integration for the Chinese military.
It is also unclear whether VMware has called the cops. That depends on how you read its having "engaged internal and external resources."
Charlie reportedly got access to CEIEC by hacking into hundreds of thousands of e-mail accounts at the e-mail hosting company Sina.com, an adventure that has reportedly netted him a terabyte of confidential information from various Chinese companies, including a bunch of US military shipping documents from Afghanistan.
Customer vulnerability depends on what kind of code is out there. The wrong kind could lead to zero-day attacks or worse.
Eric Chiu, president of HyTrust, which secures VMware management infrastructure, guesses that that single file has little friends. (Charlie claims he downloaded 300MB of VMware code.) Chiu also says that 50% of enterprise data centers are now virtualized, that most of them run VMware, and that a lot of them are insecure.
VMware only made its default the somewhat more secure ESXi last year, when the first of the attacks on virtualized environments started happening, and given IT conservatism most VMware environments are probably on old code, which may or may not date to 2003-2004.
ESXi is more secure because of its smaller attack surface, Chiu said, which frankly doesn't sound all that reassuring.
Voltage Security VP Mark Bower said in a statement, "The real pain for the industry in this case is less about counterfeit VMware instances, but the intimate knowledge attackers may now possess of possible vulnerabilities in a critical virtualization tool that is the foundation for many enterprise data centers, clouds, and applications."