MS Virtual PC Flaw Defeats Windows Defenses
Coop's Troops writes "An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks. The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — DEP, SafeSEH and ASLR — to exploit the Windows operating system. As a result, some applications with bugs that are not exploitable when running in a non-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC."
If you want security, unplug the 'net. You ain't gonna get it any other way.
Makes one wonder if the disabling of these crack-thwarting mechanisms are also killed in other desktop hypervisors. Bad news.
---- Teach Peace. It's Cheaper Than War.
Arce said Core reported the flaw to Microsoft last August... Microsoft officials declined to comment until they had a chance to review Core’s advisory on the issue
So how many months do you need to review once you are told about it???
Every time I read an article like this, it gives me a smug face wondering why more people don't switch.
Switch to what, VMware or Parallels?
Oops.
The good news is that this doesn't affect the big iron (Hyper-V). However, for people who have Windows 7 and XP mode, using it for Web browsing, this will cause them a world of hurt.
Since this essentially doesn't affect servers, I'm going to recommend to people that they move to VMware Workstation if they want commercial support, or VirtualBox if they desire an open source solution. Either one of these has as many features as Virtual PC (although Virtual PC has one nice advantage -- it drops changes to the undo disk fast compared to the 2-3 minutes VMware does.)
A hole in a hypervisor is a really bad thing. A lot of people use VMs for honeypots, and this would cause unintended infections, or other damage, perhaps catastrophic.
Answer: Because their apps run on windows. That's all there is to it.
Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
Because Linux doesn't have the apps they want? They don't want to have to relearn years of knowledge built up using Windows? That it's not as simple to switch an entire OS and migrate all your programs and data as people like you would have people believe?
Ahh yes, come one, come all to Debian Island where all the computers are free and none of them work quite right.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
This is definitely a bug, but all it does is allow bypassing of security features in the virtualized system. In other words, you can exploit the VM client, but you still can't get at the host.
It's worthy of a patch, but not of a panic. If you're virtualizing for security, you don't really care what happens to the virtual system (that's the point). If you're virtualizing so you can run an old OS, it's going to be full of holes anyhow. If you're virtualizing for any other reason, why the hell are you using consumer-grade virtualization software?
There's no place I could be, since I've found Serenity...
Virtualbox.
I've got better things to do tonight than die.
I would like to add that the exploit writer at Core Security Technologies that discovered this vulnerability is Nicolás Economou and congratulate him on the great work he has made.
Disclaimer: I also work at Core
So apparently smug isn't isolated to just macfags and prius drivers.
I mean, talk about small targets. I highly doubt that any hacker would find it worth his time to attempt to exploit this. I mean, first you have to find someone running XP mode. Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system) on the guest OS instead of the host OS. Then the person still has to have more than 2 gigs of RAM and be utilizing more than 2 gigs at once. Then, after all that, you only have access to the XP VM, which may or may not have anything of worth on it.
I'm not surprised that MS shrugged it off for now.
Don't take life so seriously. No one makes it out alive.
Mod up this EPIC LULZ!
Wow, there sure are a lot of butthurt winfags in this thread.
When are you going to get tired of paying to be screwed?
Because a large proportion of the userbase are smug, albeit clueless assholes?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
This is just the kind of thing I can put my faith in.
It's like they do this on purpose...
Not all of us can afford Macs.
You are welcome on my lawn.
I mean, talk about small targets. I highly doubt that any hacker would find it worth his time to attempt to exploit this. I mean, first you have to find someone running XP mode. Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system) on the guest OS instead of the host OS. Then the person still has to have more than 2 gigs of RAM and be utilizing more than 2 gigs at once. Then, after all that, you only have access to the XP VM, which may or may not have anything of worth on it.
I'm not surprised that MS shrugged it off for now.
Sorry, nice try, but you don't seem to understand the issue here. You don't need to "get them to open an executable" - the point is that this vulnerability makes it possible to exploit existing vulnerabilities by bypassing mitigation techniques such as SafeSEH, DEP, and ASLR. It also has nothing to do with the amount of physical RAM on the system or how much is being used - the mentions of memory accesses refer to a process's virtual address space.
I agree that this doesn't have nearly the same impact as if it affected Hyper-V or other business-critical virtualization platforms, but if you're going to downplay its significance, at least know what you're talking about. ;)
When we face a choice between adding features and resolving security issues, we need to choose security.
- Bill Gates, January 16, 2002.
Help stamp out iliturcy.
Apparently you haven't met my ex-wife, or you'd already know the answer to that.
Simple. How many months will you give them before you go public?
Three months (one quarter). Give them the benefit of the doubt for fixing things.
I'm all for full disclosure, but at least give people a fighting chance to patch their systems.
for a 0-day in IE by 3 weeks, so that they could put it in a "planned update to IE"
Which allows for large companies that depend on IE to do regression testing on one patch (or patch release cycle), instead of two or more.
If this was a popular open source project trying to pull this stuff, how quickly would a fork surface? Then again, it's all about placating the sheeple, right?
A popular open source project I think would also like a little breathing room to test things to make sure they got the fix right and that their code changes didn't break anything else.
Developers--who also work inside Microsoft--are people too, and making them sweat doesn't help anyone. Just because the suits are asshats doesn't mean you have to act like one too.
Ahh yes, come one, come all to Debian Island where all the computers are free and none of them work quite right.
At least the computers are free. That's more than you can say with Windows.
They're paying so that their shit actually works, as opposed to running broken copies of Windows.
I know, I know. And yet, I'm not entirely convinced that it's better to have the apps you want/need while helping to send spam, and have your personal information sold to not just the highest bidder but to all bidders, running Windows, than it is to be secure on Linux, and be forced to make do with either no app, or simply a different app (not always worse) and have to learn something different.
It's a matter of priorities. Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
Personally, I run XP inside VirtualBox on Linux, and only the apps I *must* run on Windows are in the virtual machine, everything else I do on Linux, even if it's not quite as polished as the Windows alternative, because when you combine the polish of the drivers with the security of the OS, I still think the Linux side comes out ahead. And I run git drivers for my ATI video card - not exactly the most stable way to go.
The target isn't that small. The fact that being virtualized breaks their security models is a big issue, and indicative of other big issues. (Using virtualization to break copy protection is one of my personal favorites.) And there are plenty of home and business users who have gotten Windows Vista machines foisted onto them who use and need to use Windows XP for software compatibility reasons, and who therefore run old games or critical applications in Windows XP under Virtual PC. I've done it myself for debugging purposes, when I've had spare licenses but not spare desktop systems.
Ain't that the truth.......I like to get things done not try to get things done.
Disclaimer: This post made on OSX 10.5.8 running VirtualBox 3.1.2
FragHARD or don't frag at all
So you're still paying for earlier screwings years after the fact, eh?
When are you going to get tired of paying to be screwed?
I don't think we can get an estimate on that. Given The Oldest Profession, and given that I'm fairly certain that prostitutes still exist in some parts of the world, I'd say we've been happy to pay to be screwed for a very long time, with no data ever suggesting that we'd grow tired of it.
Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
Aren't those called "exploits"?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It's a matter of priorities. Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
The whole point of having a computer is to run the programs you want to run. If you're going to have to "do without", you might as well unplug the damn thing (thereby achieving perfect security).
Visual IRC: Fast. Powerful. Free.
He said they NEEDED to... not that they WOULD.
Slashdot: Where the truth is flammable.
Turning to a Linux advocate for thoughts on Microsoft is like asking Hitler how he felt about the Jews.
To the extent we use it at work, it is for running stubborn old software that won't run in Windows 7 and/or 64-bit OSes. To date, we've discovered two applications like that. We also set them up to run seamless in the host OS (their window appears along any other window) where you don't see or play with the guest VM. It's easier for the user, and less potential trouble. They generally don't even know (or care) that the program is running in a VM.
So yes, it requires some fairly edge situations to exploit. Not many people use XP mode in the first place (most apps run natively in 7), if they do, reasonable bet they are just using it for compatibility for one or two old apps, not on a regular basis. So you have to convince them to get your exploit, and run it in their XP system. While I suppose you could craft it so that it doesn't run in 7, they may just say "Eh, do not want," and ignore it. If not they might wonder why a new app would have that problem. Either way you've got to get them to use it in XP mode and then... Well I guess you can own their XP VM. Wonderful, that does you a whole lot of nothing in general.
Also this isn't a case of "Bypasses any and all security," it just gets by some additional protections that can help in some cases. DEP, for example, doesn't do anything to stop malware, it doesn't check the "evil bit" and stop programs from running. All it does is prevent buffer overflows in some cases. You can't execute code in the data area of a program's memory. Ok, fine, however to even matter at all you have to have a program that is vulnerable to that kind of thing. If programs are checking their inputs and so on, then DEP never even comes into play.
Don't get me wrong, I'm happy that MS has added some additional protections to make common problems harder to exploit, however they are not the first, last, and only line of defense. They are just things that cause additional problems for various sorts of exploits. Something has to find a way to try and get into the system in the first place before they even matter.
I can't see this as any kind of big deal. I'm certainly not at all concerned with regards to the computers that use it at work.
And yet, I'm not entirely convinced that it's better to have the apps you want/need while helping to send spam, and have your personal information sold to not just the highest bidder but to all bidders, running Windows, than it is to be secure on Linux, and be forced to make do with either no app, or simply a different app (not always worse) and have to learn something different.
Personally, I run XP inside VirtualBox on Linux,
A pirated version no doubt.
because when you combine the polish of the drivers
What polish? Except for some piece of hardware that might be 15+ years old, most of the OSS drivers provide suboptimal features and performance compared to the proprietary or Windows equivalent drivers.
And I run git drivers for my ATI video card - not exactly the most stable way to go.
Which goes to show that you're trolling.
This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC. Microsoft is actually in a leading position when it comes to memory protection features as compared to anyone this side of OpenBSD.
Why isn't someone issuing an "advisory" that the MacOS implementation of things like GS, ASLR, early-heap-termination and SafeSEH are either weak or nonexistent?
ASLR could use more entropy. Stack cookies could be present in every function, instead of just some. Every defense can be improved, and I don't think Microsoft has ever claimed that ASLR or GS is a reason NOT to produce a patch.
IMHO, Microsoft is completely correct to not issue a bulletin for this since that is an indication of a severe issue. And Core is free to make the issue known publicly as well, and people can decide for themselves. But the Slashdot title is misleading at best.
Seriously, why is the parent modded funny? I switched to VirtualBox after MS bastardized Virtual PC for Win7, and haven't looked back. Admittedly, having all the media registered in a central database is annoying compared to the XML and path based approach of VirtualPC, but apart from that it's a solid product.
Most human behaviour can be explained in terms of identity.
RTFA and re-read what I said:
Article: "It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system."
Me: "Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system)"
Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
I put forward an alternative: use Windows because it has the apps you want, and stop being such an asshat, thus not worrying about security.
I've used Windows since the DOS/3.1 days when I didn't know much all the way up to Windows 7 now and I have never once been hacked, infected by a virus or had any banking information used fraudulently. The most I've ever done is use an anti-virus/malware app (currently MS Security Essentials) and not stupidly clicked links in dodgy emails/websites. In my eyes that is not fighting Windows, that's doing what I want when I want and getting along just fine.
VirtualBox is great, only drawback is that some of its features (USB for instance) have had BSODy issues in the past. I also recommend using VT/AMD-V mode all the time when running XP in a VM; VirtualBox hardlocks the host after about a month running XP without VT on my system.
The central database for media is a little annoying but only until you get the media you usually use in it and then you can pretty much forget about it. Have actually come in handy sometimes when I need to figure out on what disk and folder a CD image is stored.
Oh, and never run Virtual PC and VirtualBox at the same time unless you make sure only one of em uses the VT feature.
Could run his VM without a network interface. Unless he is using the VM for Outlook of course.
which is totally what she said
6 months is actually rather fast turn-around time for Microsoft. The weenies usually take longer to acknowledge a bug, usually waiting for hints of an automated exploit in the wild before doing so. That allows their PR firms to call it a '0 Day' bug.
Depends on what "programs and data" you need. Now that most of my development is on web apps rather than standalone apps, it's pretty damn trivial for me to switch between OSes. I use a VM for the very occasional bout of Windows development I have to do, and Remote Desktop for server administration.
And your "years of knowledge built up using Windows"? Gimme a break. Those "years of knowledge" for most (but obviously not all) people amount to how to do a right click and where to find "My Documents". OSX and Ubuntu are very easy for the average person to pick up even if they're used to Windows, because all they're ever going to do is browse Facebook and play flash games.
Although I never got this working (booting from a VHD), it occurs to me that a lot of people are doing this for different purposes...
http://www.sevenforums.com/tutorials/2953-virtual-hard-drive-vhd-file-create-start-boot.html
Would this be affected too?
Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
d) actually get some work done using apps which are only available for Windows, meaning I occasionally have to deal with a virus or other security issue, but it's rarely an issue.
My answer is d.
Brain surgery - it's not rocket science!
I love how the summary has to point out that the vulnerability is "unpatched". Well no shit, it wouldn't be a vulnerability if it was patched.
Not sure if anyone knows about these but...
The document and settings transfer wizard in Windows 7 did not ask me to authenticate for the other profiles I transferred. So I assume that if one were to examine that program there might be something in there.
When I installed Windows 7 on my laptop - at the point where it asked me for the Key I unplugged to take the laptop to my desk to get the key - and the Key dialog was simply bypassed! I was on the next screen. So I still haven't entered my key. Maybe this only happens with a MSDN license - not sure.
This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC ..
'The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system'
Microsoft weasel words, copyright©
"VirtualBox hardlocks the host after about a month running XP without VT on my system. "
Elaborate, please? I've never had a hardlock with my VBox machines. You're saying that one month continuous uptime on the VM will do that? Do you have any idea why?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
That helps to emphasize what some of the developers are doing with ChromeOS and similar offerings.
More than half the people in the world who own computers do nothing but check email, play a few flash games, do some online shopping, and other similar frivolities. Most people don't need multi-GHz CPUs, super-FPS video cards, terabytes of hard disk space, or more than a gig of memory. And, most people don't need all the utilities, games, services, etc. that are found in any standard Windows installation.
*nix. It just makes sense.
A lot of people make that claim. The number of people who have NEVER had ANY security issue with Windows is simply amazing, if we are to believe all those claims.
Oddly, McAfee, Symantec, and all the rest continue to make money hand over fist, and tens of thousands of computer shops in the US have steady, reliable incomes, thanks to the various security issues.
I can't possibly say whether this particular AC is full of shit or not, but whenever I hear such a claim, I can't help wondering.
And I told people at the time that I expected Microsoft to take _at_least_ 10 years to be able to do that consistently. 15 years wouldn't surprise me.
While I have not yet tried out Win7 or IE8 myself, everything that I've read says that they've made remarkable progress in improving their overall security stance. They just might finish up nearer the shorter end of my estimate than I thought at the time. :)
Oddly, McAfee, Symantec, and all the rest continue to make money hand over fist, and tens of thousands of computer shops in the US have steady, reliable incomes, thanks to the various security issues.
The AC never said that these security issues don't exist, only that he hasn't had them. And he said he uses exactly the sort of software you've mentioned here.
So, the AC uses common sense and software that is specifically designed to protect him from these security issues. Sounds pretty reasonable to me that he hasn't had a problem.
Elaborate, please? I've never had a hardlock with my VBox machines. You're saying that one month continuous uptime on the VM will do that? Do you have any idea why?
When VT is disabled my system will sometimes hardlock. This happens rarely so it's difficult to assert for certain if vbox was the guilty party but it only happened while vbox was running and was sometimes foreshadowed by vbox first crashing and the host following shortly.
Fortunately there's no reason not to activate VT unless you don't have it or run another VM that needs VT alongside vbox.
I've complained and then what?
The OP was remodded offtopic instead of troll (how is it OT? Did you hire an M$ employee to moderate posts?!?)
And my post was labeled troll... I've come in defense of another guy -- which btw I don't know -- and this is trolling?
Am I supposed not to question /.?
BTW, this is not OT IMHO. And not funny, too.
I wish I had mod points left to give everyone in this thread a +5 Funny.
Because Linux isn't ready for the desktop.
You've already posted something in this discussion. Damnit, I wanted to moderate you +1, Funny.
A lot of people make that claim. The number of people who have NEVER had ANY security issue with Windows is simply amazing, if we are to believe all those claims.
Yes, and that's because for that lot of people it's probably true. I've never had this sort of problem with Windows either. The one time in my youth I first encountered "CoolWebSearch" it took me some time to discover it and how to fix it, and since then nothing.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I run XP inside VirtualBox (locked out of my network) on my own machine for the one Windows-only software suite I absolutely must have, too. Never had a serious problem with my Windows system or with my host machine (though Windows does have some instability, doesn't have sound (which is okay, since I never use it for multimedia anyway), and one of my Windows apps doesn't communicate with the Ubuntu clipboard very well). And I still end up with more grief from Windows overall than I do my Ubuntu machine!
And if that's the case, you'd realise you aren't licensed to run Windows. MSDN licenses (without the BizSpark, Empower or WebsiteSpark exemptions) are for Development use only. Not production.