Slashdot Mirror
Microsoft Brings Security Holes to the Mac
eMilkshake writes "There is an MS security bulletin that reads, in part, 'A security vulnerability exists ... because of the method by which Virtual PC for Mac creates a temporary file when you run Virtual PC for Mac. An attacker could exploit this vulnerability by inserting malicious code into the file which could cause the code to be run with system privileges. This could give the attacker complete control over the system.' Guess VirtualPC really brings the Windows experience to the Mac!" An update is available from the Microsoft site.
On the flip side: sking writes "Australian IT reports on Microsoft's continuing development for the Mac: 'I just want to thank Apple for providing all those great innovative technologies that let us do what we love best: creating great applications,' gushed head of Microsoft's Macintosh Business Unit Roz Ho."
Looking at the virus definitions, it looks like most of the signatures are for Windows viruses. There are the old Mac and HyperCard viruses that it keeps a look out for as well.
End of Line.
Virtual PC emulates the hardware of an actual PC, complete with a video card, Ethernet NIC, a P2 processor, sound card, COM ports, and USB. This allows VPC to run practically any OS (except the old BeOS).
Because of this, folks, VPC has always been subceptible to malware attacks, particularly in Windows. If you can infect a real PC running Windows, then VPC running the same OS configurution is just as vunerable. Running Linux? Yep, you can get rooted if you don't configure it as you would any other box.
This new security update isn't very special in itself--it's perhaps that MS detected the vunerability better because it has access to the VPC source since they own the product now. A good question is whether the vunerability is in the virtual machine code or something that makes VPC more vunerable only in an environment running Windows.
The good news is that infections will only compromise the PC environment(s) in use. The Mac that is running VPC cannot be touched as it is effectively an invisible party to the VPC environments, nor can the Mac be used as a carrier as you can with some e-mail worms.
Not to say that someone might not try to exploit VPC's ability to use USB devices or its networking processes it shares with a Mac, or options such as shared folders (where a Mac folder is shared to Windows as if it were a networked folder).
Vos teneo officium eram periculosus ut vos recipero is.
Actualy thete's a very good chance the security hole would have been found because according to the tech document, the hole wasn't found by MS, it was found by one of the guys at @stake.
T Money
World Domination with a plastic spoon since 1984
The hole exists in previous versions of VPC. MS is, somewhat unsuprisingly, only releasing a patch for recent versions.
Connectix released versions 6.0, 6.0.1 and 6.0.2, and I believe the first MS release was 6.1. Yesterday's MS patches are from 6.0 forward.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
AFAIK, (and IIRC) the first release of VPC from MS contained a spash screen change and made all previous disk images obsolete. You have to convert them to the 'new' MS style, and then they are unreadable by previous versions.
It has been awhile, but I think that was one of the reasons I stopped upgrading. If MS 'fixes' the BeOS keyboard issue (any keypress freezes the machine), I may reconsider, but beyond that - why should I encourage MS's poor behavior in business and coding?
VPC under MS is supposed to be faster (21%), but whatever. I don't think the connectix version had this issue. That said, this security issue looks to be rather difficult to implement..so maybe this is a non-issue and FUD.
It's an program that emulates a PC on Mac OS X. You can run any version of Windows or Linux on it. It's not particularly fast. I don't think it runs on G5s.
There are no trails. There are no trees out here.
Um, as I understand it, all Microsoft did with VirtualPC 6 was re-brand it as a MS product and increase the version number by .1. Therefore, any and all bugs in any release before the upcoming VPC 7 are really Connectix's fault, not Microsoft.
(Yeah, I wish I could blame these bugs on M$, too... but it's not really fair in this case.)
What we mean by "insecurity" here is being able to run code as a particular user _without_ having to know that user's info i.e. stack trashing, buffer overruns, or taking advantage of an error in another program (i.e. VPC) to do your nasty stuff.
Another case in point -- running a dictionary attack against a host to find out names / passwords does not mean the OS the host is running is insecure, even if the attack succeeds. It means the _host_ is not secure. If I use standard dictionary words for username and password of my root (or any other) account on my Linux box, and someone does a dictionary attack and finds them out, it's not Linux's fault -- it's mine.
Regards,
John
Falling You - beautiful
I program asp from OS X. There are only two things I cannot do with the mac itself:
1. Manage the SQL Servers we use
2. Manage the IIS Servers.
There are ODBC drivers for OSX but they cost a bundle, and there is nothing available to manage IIS from OSX. That leaves me four choices:
1. Tie up one of our scarce PCs (all our workstations are mac, windows is only used on a couple servers) just to manage IIS and SQL Server. That means spending precious time just keeping the machine patched just to do these two things. Plus it would take desk space (and my mac is a Powerbook, so I am used to have a relatively clean desk).
2. Walk to the windows servers any time I need to do something. Totally unpractical.
3. Use Terminal Server, since Microsoft provides a free Remote Desktop client. This works perfectly but it does not allow me to drag and drop between the terminal server session and my desktop.
4. Use VPC with 2000 Pro or XP Pro. This means I still have to spend a lot of time keeping windows patched properly, and it takes a lot more CPU power than a terminal services session. The only advantage here is I would get drag and drop.
I tried the VPC route for a while. On a Titanium Powerbook 867 it pretty bearable on Windows 2000 if I reserve 256MB ram for it. On XP Pro it is pretty much unusable unless I give it 384MB or more, which is not acceptable since that gives me 768MB ram for everything else.
Terminal Server is my only choice now, so instead of drag and drop I am stuck using samba shares, which would only work inside of the firewall and whenever I need to work away from the office I have to use ftp. Clumsy but gets the job done. If I was able to use drag and drop with Terminal Server it would totally rock. Patching the TS itself is not an issue since it is already being done, it would not mean extra work for me.
I kept VPC for a while rationalizing that I would not always have TS available, but then I realized that was just stupid since the server I would be managing *had* to be online and it is always setup in admin mode (with admin mode you cannot use it as an applications server, so TS is only used to manage the box).
As it is right now I have no interest in moving along with VPC, and all my peers that have faced the same dilemma agree.
Pedro
----
The Insomniac Coder
I've been using it to hack on Access (ick!) at home, and after upgrading to 6.0.1 and then disabling all of XP's eye candy, it's surprisingly responsive on my lowly 533mhz G4. Using Codetek's software to give it it's own desktop and an extra key on my snazzy Logitech keyboard to trigger said desktop, it's like having a 300mhz PC on a KVM switch.
Oh, how I wish that were a problem.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?