A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of multiple VMWare products. User interaction is required in that a user must visit a malicious web page or open a malicious video file. Upon installation VMWare Workstation, Server, Player, and ACE register vmnc.dll as a video codec driver to handle compression and decompression of the fourCC type ‘VMnc’. This format is used primarily by Workstation to capture remote framebuffer recordings of sessions within a virtual machine. The resulting video is stored within an AVI container file. While playing back such files the function responsible for handling ICM_DECOMPRESS driver messages implicitly trusts a size value while decompressing a frame. Specifically, the dwSize element within an Open-DML standard index RIFF chunk is used as an argument to a memcpy into a static heap buffer. This can be leveraged to execute arbitrary code on the host system under the context of the current user.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/76398/TPTI-09-02.txt
Source: https://packetstormsecurity.com/files/76398/VMWare-VMnc-Codec-Open-DML-Standard-Index-dwSize-Heap-Overflow.html