MS Virtual PC Flaw Defeats Windows Defenses

← Back to Stories (view on slashdot.org)

MS Virtual PC Flaw Defeats Windows Defenses

Posted by kdawson on Tuesday March 16, 2010 @11:01AM from the around-the-maginot-line dept.

Coop's Troops writes "An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks. The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — DEP, SafeSEH and ASLR — to exploit the Windows operating system. As a result, some applications with bugs that are not exploitable when running in a not-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC."

8 of 141 comments (clear)

Min score:

Reason:

Sort:

Ugh, this isn't good. by mlts · 2010-03-16 11:17 · Score: 4, Informative

The good news is that this doesn't affect the big iron (Hyper-V). However, for people who have Windows 7 and XP mode, using it for Web browsing, this will cause them a world of hurt.
Since this essentially doesn't affect servers, I'm going to recommend to people that they move to VMWare Workstation if they want commercial support, or VirtualBox if they desire an open source solution. Either one of these has as many features as VirtualPC (although VirtualPC has one nice advantage -- it drops changes to the undo disk fast compared to the 2-3 minutes VMWare does.)
A hole in a hypervisor is a really bad thing. A lot of people use VMs for honeypots, and this would cause unintended infections, or other damage, perhaps catastrophic.
1. Re:Ugh, this isn't good. by Anonymous Coward · 2010-03-16 11:41 · Score: 4, Informative
  
  The hole is not in the hypervisor. The GUEST OS is the one that is compromised, not the OS running the VM.
2. Re:Ugh, this isn't good. by cbhacking · 2010-03-16 11:46 · Score: 5, Informative
  
  Honeypots are designed to get hit. This bug doesn't make the host system vulnerable, it just means that the client OS is easier to exploit.
  If it worked on Hyper-V, this would be a big problem; that's a server-level technology where even the clients are expected to remain secure. On the other hand, Virtual PC isn't even a hypervisor; it requires a full OS onderneath it, running itself as just another Windows app. Up until 2007 didn't even require hardware support for virtualization.
  
  --
  There's no place I could be, since I've found Serenity...
Still can't exploit the host OS by cbhacking · 2010-03-16 11:41 · Score: 5, Informative

This is definitley a bug, but all it does is allow bypassing of security features in the virtualized system. In other words, you can exploit the VM client, but you still can't get at the host.
It's worth of a patch, but not of a panic. If you're virtualizing for security, you don't really care what happens to the virtual system (that's the point). If you're virtualizing so you can run an old OS, it's going to be full of holes anyhow. If you're virtualizing for any other reason, why the hell are you using consumer-grade virtualization software?

--
There's no place I could be, since I've found Serenity...
Re:Linux by Hamsterdan · 2010-03-16 11:45 · Score: 5, Informative

Virtualbox.

--
I've got better things to do tonight than die.
Credits by aurelianito · 2010-03-16 11:51 · Score: 5, Informative

From TFA:

An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks.
I would like to add that the exploit writer at Core Security Technologies that discovered this vulnerability is Nicolás Economou and congratulate him on the great work he has made.
Disclaimer: I also work at Core
Priorities, priorities - oh, wait! Policy: by symbolset · 2010-03-16 13:40 · Score: 4, Informative

When we face a choice between adding features and resolving security issues, we need to choose security.

- Bill Gates, January 16, 2002 .

--
Help stamp out iliturcy.
Not a vulnerability by poppycock · 2010-03-16 18:44 · Score: 3, Informative

This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC. Microsoft is actually in a leading postion when it comes to memory protection features as compared to anyone this side of OpenBSD.
What isn't someone issuing an "advisory" that the MacOS implementation of things like GS, ALSR, early-heap-termination and SafeSEH are either weak or nonexistent?
ASLR could use more entropy. Stack coookies could be present in every function, instead of just some. Every defense can be improved, and I don't think Microsoft has ever claimed that ASLR or GS is a reason NOT to produce a patch.
IMHO, Microsoft is completely correct to not issue a bulletin for this since that is an indication of a severe issue. And Core is free to make the issue known publically as well, and people can decide for themselves. But the Slashdot title is midleading at best.