MS Virtual PC Flaw Defeats Windows Defenses

← Back to Stories (view on slashdot.org)

MS Virtual PC Flaw Defeats Windows Defenses

Posted by kdawson on Tuesday March 16, 2010 @11:01AM from the around-the-maginot-line dept.

Coop's Troops writes "An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks. The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — DEP, SafeSEH and ASLR — to exploit the Windows operating system. As a result, some applications with bugs that are not exploitable when running in a not-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC."

141 comments

Which only goes to show, it's always something by koko · 2010-03-16 11:05 · Score: 1, Insightful

If you want security, unplug the 'net. You ain't gonna get it any other way.
1. Re:Which only goes to show, it's always something by WrongSizeGlass · 2010-03-16 11:32 · Score: 4, Funny
  
  So Virtual PC is virtually as secure (or insecure) as a real PC? If you wanted the security of a real PC then they should have, um, well ... never mind.
2. Re:Which only goes to show, it's always something by Anonymous Coward · 2010-03-16 21:27 · Score: -1, Flamebait
  
  I wonder why Slashdot doesn't point out that all the Windows security features that have been 'defeated' have either no analogue in Linux/Mac OSX or a piss-poor imitation that doesn't actually secure anything.
3. Re:Which only goes to show, it's always something by Anonymous Coward · 2010-03-17 01:43 · Score: 0
  
  Flamebait? My ass, it's flamebait. Seriously, people - LOOK at the operating systems available. Take any of the open source *nix OS's. There are thousands of script kiddies, and thousands more serious people who would LIKE to get into whichever *nix box they happen to stumble over. Are they successful? Not very.
  Yeah - go ahead, and blame it on that old boogeyman, "market share". Tell me, "No one uses Linux, or Unix, or BSD, so no one even tries to break into them!" Now, try it again, with a straight face. There are more than enough *nix boxes worldwide, that if some genius managed to come up with a realiable method of compromising them, he could harvest enough data to make him freaking RICH!! Rich beyond his wildest dreams. Unless, and until, he got caught, of course.
  Market share has little to no value to the next class of people, who just want the notoriety of having broken *nix like security. There may be fewer thousands such people in the world, but there are STILL thousands of them. They want bragging rights, so bad, they would give up some random bit of their anatomy, just to have their name to be synonymous with "ROOT!"
  If the above AC is flamebait, then I'm the king of fucking Siam, and a direct descendant of Jesus Christ, and I'll win the next presidential election in the United States.
  Go back, read AC's post again, then refute it. I dare you, people.
Linux by dawilcox · 2010-03-16 11:05 · Score: -1, Offtopic

Every time I read an article like this, it gives me a smug face wondering why more people don't switch.
1. Re:Linux by customizedmischief · 2010-03-16 11:17 · Score: 5, Insightful
  
  Every time I read an article like this, it gives me a smug face wondering why more people don't switch.
  
  Swtch to what, VMware or Parallels?
  
  --
  Oops.
2. Re:Linux by Stormwatch · 2010-03-16 11:18 · Score: -1, Troll
  
  Maybe people are so used to a buggy, bloated, vulnerable operating system that they assume other systems will be just as awful.
  
  --
  Circumcision is child abuse.
3. Re:Linux by snowraver1 · 2010-03-16 11:21 · Score: 5, Insightful
  
  Answer: Because their apps run on windows. That's all there is to it.
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
4. Re:Linux by Lunix+Nutcase · 2010-03-16 11:26 · Score: 1, Redundant
  
  Because Linux doesn't have the apps they want? They don't want to have to relearn years of knowledge built up using Windows? That it's not as simple to switch an entire OS and migrate all your programs and data as people like you would have people believe?
5. Re:Linux by Mike+Buddha · 2010-03-16 11:29 · Score: 0, Troll
  
  Ahh yes, come one, come all to Debian Island where all the computers are free and none of them work quite right.
  
  --
  by Mike Buddha -- Someday the mountain might get him, but the law never will.
6. Re:Linux by Hamsterdan · 2010-03-16 11:45 · Score: 5, Informative
  
  Virtualbox.
  
  --
  I've got better things to do tonight than die.
7. Re:Linux by Anonymous Coward · 2010-03-16 11:56 · Score: -1, Flamebait
  
  Well, if you are a linux user, didn't you already have a smug face?
8. Re:Linux by Anonymous Coward · 2010-03-16 12:02 · Score: 0
  
  So apparently smug isn't isolated to just macfags and prius drivers.
9. Re:Linux by Anonymous Coward · 2010-03-16 12:09 · Score: -1, Troll
  
  Are you modding this guy troll because he's upset people insist on using this piece of sh* called Windholes?
  Is that what /. has come to now?
  Maybe malcontents should pack things and look for a Linux site to whine about M$, eh?
10. Re:Linux by Anonymous Coward · 2010-03-16 12:22 · Score: -1, Troll
  
  Because they don't want to use your busted POS OS? Because a bug that will effect far less than 1% of all Windows users isn't a cause to change OSes? Because you suck more dicks than a gay bathhouse full of Mac users?
11. Re:Linux by Anonymous Coward · 2010-03-16 12:22 · Score: 0
  
  Wow, there sure are a lot of butthurt winfags in this thread.
  When are you going to get tired of paying to be screwed?
12. Re:Linux by smash · 2010-03-16 12:31 · Score: 0, Flamebait
  
  Because a large proporrtion of the userbase are smug, albeit clueless assholes?
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
13. Re:Linux by Anonymous Coward · 2010-03-16 13:43 · Score: 0
  
  When are you going to get tired of paying to be screwed?
  Apparently you haven't met my ex-wife, or you'd already know the answer to that.
14. Re:Linux by Anonymous Coward · 2010-03-16 13:49 · Score: -1, Troll
  
  I get my copy of Windows from MSDN through an account my company purchases. I don't pay anything and I get something better than a busted POS like Loonix.
15. Re:Linux by Anonymous Coward · 2010-03-16 14:20 · Score: 0
  
  Ahh yes, come one, come all to Debian Island where all the computers are free and none of them work quite right.
  At least the computers are free. That's more than you can say with Windows.
16. Re:Linux by Anonymous Coward · 2010-03-16 14:48 · Score: 0
  
  They're paying so that their shit actually works, as opposed to running broken copies of Windows.
17. Re:Linux by Tanktalus · 2010-03-16 15:02 · Score: 1
  
  I know, I know. And yet, I'm not entirely convinced that it's better to have the apps you want/need while helping to send spam, and have your personal information sold to not just the highest bidder but to all bidders, running Windows, than it is to be secure on Linux, and be forced to make do with either no app, or simply a different app (not always worse) and have to learn something different.
  It's a matter of priorities. Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
  Personally, I run XP inside VirtualBox on Linux, and only the apps I *must* run on Windows are in the virtual machine, everything else I do on Linux, even if it's not quite as polished as the Windows alternative, because when you combine the polish of the drivers with the security of the OS, I still think the Linux side comes out ahead. And I run git drivers for my ATI video card - not exactly the most stable way to go.
18. Re:Linux by FragHARD · 2010-03-16 15:12 · Score: 1
  
  Ain't that the truth.......I like to get things done not try to get things done.
  
  Disclaimer: This post made on OSX 10.5.8 running VirtualBox 3.1.2
  
  --
  FragHARD or don't frag at all
19. Re:Linux by Anonymous Coward · 2010-03-16 15:24 · Score: 0
  
  So you're still paying for earlier screwings years after the fact, eh?
20. Re:Linux by icannotthinkofaname · 2010-03-16 15:29 · Score: 1
  
  When are you going to get tired of paying to be screwed?
  I don't think we can get an estimate on that. Given The Oldest Profession, and given that I'm fairly certain that prostitutes still exist in some parts of the world, I'd say we've been happy to pay to be screwed for a very long time, with no data ever suggesting that we'd grow tired of it.
  
  --
  Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
21. Re:Linux by Mr2001 · 2010-03-16 15:53 · Score: 2, Insightful
  
  It's a matter of priorities. Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
  The whole point of having a computer is to run the programs you want to run. If you're going to have to "do without", you might as well unplug the damn thing (thereby achieving perfect security).
  
  --
  Visual IRC: Fast. Powerful. Free.
22. Re:Linux by RMS+Eats+Toejam · 2010-03-16 16:05 · Score: 1, Insightful
  
  Slashdot: Where the truth is flammable.
  
  --
  Turning to a Linux advocate for thoughts on Microsoft is like asking Hitler how he felt about the Jews.
23. Re:Linux by Anonymous Coward · 2010-03-16 16:44 · Score: 0
  
  And yet, I'm not entirely convinced that it's better to have the apps you want/need while helping to send spam, and have your personal information sold to not just the highest bidder but to all bidders, running Windows, than it is to be secure on Linux, and be forced to make do with either no app, or simply a different app (not always worse) and have to learn something different.
  Personally, I run XP inside VirtualBox on Linux,
  A pirated version no doubt.
  
  because when you combine the polish of the drivers
  
  What polish? Except for some piece of hardware that might be 15+ years old, most of the OSS drivers provide suboptimal features and performance compared to the proprietary or Windows equivalent drivers.
  
  And I run git drivers for my ATI video card - not exactly the most stable way to go.
  Which goes to show that you're trolling.
24. Re:Linux by rdnetto · 2010-03-16 19:20 · Score: 1
  
  Seriously, why is the parent modded funny? I switched to VirtualBox after MS bastardized Virtual PC for Win7, and haven't looked back. Admittedly, having all the media registered in a central database is annoying compared to the XML and path based approach of VirtualPC, but apart from that it's a solid product.
  
  --
  Most human behaviour can be explained in terms of identity.
25. Re:Linux by Anonymous Coward · 2010-03-16 20:52 · Score: 0
  
  Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
  I put forward an alternative use Windows because it has the apps you want and stop being such an asshat thus not worrying about security.
  I've used Windows since the DOS/3.1 days when I didn't know much all the way up to Windows 7 now and I have never once been hacked, infected by a virus or had any banking information used fradulently. The most I've ever done is use an anti-virus/malware app (currently MS Security Essentials) and not stupidly clicked links in dodgy emails/websites. In my eyes that is not fighting Windows that's doing what I want when I want and getting along just fine.
26. Re:Linux by anss123 · 2010-03-16 20:53 · Score: 1
  
  VirtualBox is great, only drawback is that some of it's features (USB for instance) have had BSODy issues in the past. I also recommend using VT/AMDV mode all the time when running XP in a VM, VirtualBox hardlocks the host after about a month running XP without VT on my system.
  
  The central database for media is a little annoying but only until you get the media you usually use in it and then you can pretty much forget about it. Have actually come in handy sometimes when I need to figure out on what disk and folder a CD image is stored.
  
  Oh, and never run Virtual PC and VirtualBox at the same time unless you make sure only one of em uses the VT feature.
27. Re:Linux by somersault · 2010-03-16 21:39 · Score: 1
  
  Could run his VM without a network interface. Unless he is using the VM for Outlook of course.
  
  --
  which is totally what she said
28. Re:Linux by somersault · 2010-03-16 21:49 · Score: 1
  
  Depends on what "programs and data" you need. Now that most of my development is on web apps rather than standalone apps, it's pretty damn trivial for me to switch between OSes. I use a VM for the very occasional bout of Windows development I have to do, and Remote Desktop for server administration.
  And your "years of knowledge built up using Windows"? Gimme a break. Those "years of knowledge" for most (but obviously not all) people amount to how to do a right click and where to find "My Documents". OSX and Ubuntu are very easy for the average person to pick up even if they're used to Windows, because all they're ever going to do is browse Facebook and play flash games.
  
  --
  which is totally what she said
29. Re:Linux by imakemusic · 2010-03-16 22:46 · Score: 1
  
  Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.
  d) actually get some work done using apps which are only available for windows meaning I occasionally have to deal with a virus or other security issue but it's rarely an issue.
  My answer is d.
  
  --
  Brain surgery - it's not rocket science!
30. Re:Linux by Runaway1956 · 2010-03-17 01:52 · Score: 1
  
  "VirtualBox hardlocks the host after about a month running XP without VT on my system. "
  Elaborate, please? I've never had a hardlock with my VBox machines. You're saying that one month continuous uptime on the VM will do that? Do you have any idea why?
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
31. Re:Linux by Runaway1956 · 2010-03-17 02:02 · Score: 1
  
  That helps to emphasize what some of the developers are doing with ChromeOS and similar offerings.
  More than half the people in the world who own computers do nothing but check email, play a few flash games, do some online shopping, and other similar frivolities. Most people don't need multi-Ghz CPU's, super Fps video cards, terrabytes of hard disk space, or more than a gig of memory. And, most people don't need all the utilities, games, services, etc that are found in any standard Windows installation.
  *nix. It just makes sense.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
32. Re:Linux by Runaway1956 · 2010-03-17 02:07 · Score: 1
  
  A lot of people make that claim. The number of people who have NEVER had ANY security issue with Windows is simply amazing, if we are to believe all those claims.
  Oddly, McCaffee, Symantec, and all the rest continue to make money hand over fist, and tens of thousands of computer shops in the US have steady, reliable incomes, thanks to the various security issues.
  I can't possibly say whether this particular AC is full of shit or not, but whenever I hear such a claim, I can't help wondering.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
33. Re:Linux by Anonymous Coward · 2010-03-17 02:49 · Score: 0
  
  Oddly, McCaffee, Symantec, and all the rest continue to make money hand over fist, and tens of thousands of computer shops in the US have steady, reliable incomes, thanks to the various security issues.
  The AC never said that these security issues don't exist, only that he hasn't had them. And he said he uses exactly the sort of software you've mentioned here.
  So, the AC uses common sense and software that is specifically designed to protect him from these security issues. Sounds pretty reasonable to me that he hasn't had a problem.
34. Re:Linux by anss123 · 2010-03-17 03:06 · Score: 1
  
  Elaborate, please? I've never had a hardlock with my VBox machines. You're saying that one month continuous uptime on the VM will do that? Do you have any idea why?
  When VT is disabled my system will sometimes hardlock. This happens rarely so it's difficult to assert for certain if vbox was the guilty party but it only happened while vbox was running and was sometimes foreshadowed by vbox first crashing and the host following shortly.
  
  Fortunately there's no reason not to activate VT unless you don't have it or run another VM that needs VT alongside vbox.
35. Re:Linux by Anonymous Coward · 2010-03-17 04:13 · Score: 0
  
  I've complained and then what?
  The OP was remodded offtopic instead of troll (how is it OT? Did you hire an M$ employee to moderate posts?!?)
  And my post was labeled troll... I've come in defense of another guy -- which btw I don't know -- and this is trolling?
  Am I supposed not to question /.?
  BTW, this is not OT IMHO. And not funny, too.
36. Re:Linux by trapnest · 2010-03-17 06:42 · Score: 1
  
  Because Linux isn't ready for the desktop.
37. Re:Linux by trapnest · 2010-03-17 06:46 · Score: 1
  
  You've already posted something in this discussion. Damnit, I wanted to moderate you +1, Funny.
38. Re:Linux by Kalriath · 2010-03-17 12:59 · Score: 1
  
  A lot of people make that claim. The number of people who have NEVER had ANY security issue with Windows is simply amazing, if we are to believe all those claims.
  Yes, and that's because for that lot of people it's probably true. I've never had this sort of problem with Windows either. The one time in my youth I first encountered "CoolWebSearch" it took me some time to discover it and how to fix it, and since then nothing.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
39. Re:Linux by QuietObserver · 2010-03-17 12:59 · Score: 1
  
  I run XP inside VirtualBox (locked out of my network) on my own machine for the one Windows-only software suite I absolutely must have, too. Never had a serious problem with my Windows system or with my host machine (though Windows does have some instability, doesn't have sound (which is okay, since I never use it for multimedia anyway), and one of my Windows apps doesn't communicate with the Ubuntu clipboard very well). And I still end up with more grief from Windows overall than I do my Ubuntu machine!
40. Re:Linux by Kalriath · 2010-03-17 13:00 · Score: 1
  
  And if that's the case, you'd realise you aren't licensed to run Windows. MSDN licenses (without the BizSpark, Empower or WebsiteSpark exemptions) are for Development use only. Not production.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Are VMware, Parallels, and VB also vulnerable? by postbigbang · 2010-03-16 11:06 · Score: 1

Makes one wonder if the disabling of these crack-thwarting mechanisms are also killed in other desktop hypervisors. Bad news.

--
---- Teach Peace. It's Cheaper Than War.
1. Re:Are VMware, Parallels, and VB also vulnerable? by cbhacking · 2010-03-16 11:49 · Score: 3, Interesting
  
  It's probably just a bug in the way VirtualPC handles the virtual TLBs or some such. It's not even present on Hyper-V, also from Microsoft, so I think the danger here is pretty low.
  It's not like this actually makes the host OS vulnerable, either. I doubt it can even crash the VM software, although it could certainly lead to crashing the virtualized OS.
  
  --
  There's no place I could be, since I've found Serenity...
2. Re:Are VMware, Parallels, and VB also vulnerable? by postbigbang · 2010-03-16 11:55 · Score: 2, Interesting
  
  That's what I'm wondering. Does randomized address still occur on VPC7's competitors? And if VPC is this way, then does Hyper-V thwart host address randomization, and so on? What's the difference in architecture that allows VPC to thwart this, and others go merrily on their way-- with whatever memory ring permitting the randomization of kernel access? Hmmmmm.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
3. Re:Are VMware, Parallels, and VB also vulnerable? by icebike · 2010-03-16 12:38 · Score: -1, Flamebait
  
  Makes me wonder why a company with the name of "Core Security Technologies" has an exploit writer on staff.
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:Are VMware, Parallels, and VB also vulnerable? by sjames · 2010-03-16 16:21 · Score: 1
  
  So as long as it's just the guests providing the critical services that get crashed or subverted, it's OK since the mere container for those guests is OK?
  That doesn't make a lot of sense.
5. Re:Are VMware, Parallels, and VB also vulnerable? by Anonymous Coward · 2010-03-16 16:55 · Score: 0
  
  There was an undisclosed proof-of-concept a while back I saw which allowed code in a VM to be executed on the host. The demonstration video opened Windows Calculator on a Vista host from an XP VM, and claimed that it worked on Player, Workstation and Fusion.
6. Re:Are VMware, Parallels, and VB also vulnerable? by palegray.net · 2010-03-16 19:13 · Score: 1
  
  Are you aware that the majority of security vendors employ such personnel? The most effective means of finding vulnerabilities like these is, oh I don't know, to attempt to exploit systems. Reference Internet Security Systems (now owned by IBM), several key members of which I used to have coffee with once or twice a week.
  
  --
  512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
7. Re:Are VMware, Parallels, and VB also vulnerable? by vegiVamp · 2010-03-17 00:08 · Score: 1
  
  A random guess would be that some developer took a few shortcuts so he could show off the performance improvements he made on the hypervisor.
  
  --
  What a depressingly stupid machine.
8. Re:Are VMware, Parallels, and VB also vulnerable? by Carnildo · 2010-03-17 09:11 · Score: 1
  
  It's OK because you can't step out of the sandbox. If the guest OS running the DNS server gets compromised, the compromise code can't step out of its sandbox and attack the guest OS running the webserver, or reach into the guest OS running the Active Directory server and grab the password list.
  An attack that can break out of a virtual machine is a much, much bigger problem than one that stays contained inside the VM. If a guest gets compromised, you restart it from a known-clean state. If the host gets compromised, you need to clean out and restart everything.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
9. Re:Are VMware, Parallels, and VB also vulnerable? by sjames · 2010-03-17 12:41 · Score: 1
  
  You're still missing the point, the CRITICAL SERVICE running on the guest OS is now vulnerable to attack, including slow and subtle corruption of the data. If the critical service dies or the data is corrupted to unusable, it hardly matters if the host OS is still OK.
  In other words, when all the gold comes up missing, how many people will be relieved to hear the vault isn't damaged?
10. Re:Are VMware, Parallels, and VB also vulnerable? by Carnildo · 2010-03-18 08:01 · Score: 1
  
  No, you're the one missing the point: Even though the gold in this vault has been replaced with pyrite, the gold in the next vault over is still fine.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
11. Re:Are VMware, Parallels, and VB also vulnerable? by sjames · 2010-03-18 08:26 · Score: 1
  
  Except that it too is subject to the weakened security. It may be full of gold now, but it could easily contain pyrite tomorrow, but the vault will be unharmed. Not much comfort.
This gets me every time by Ben4jammin · 2010-03-16 11:11 · Score: 4, Insightful

Arce said Core reported the flaw to Microsoft last August... Microsoft officials declined to comment until they had a chance to review Core’s advisory on the issue

So how many months do you need to review once you are told about it???
1. Re:This gets me every time by ircmaxell · 2010-03-16 11:19 · Score: 4, Interesting
  
  So how many months do you need to review once you are told about it?
  Simple. How many months will you give them before you go public?
  
  At the possibility of being flamebait here, how the heck does MS keep publishing products full of security holes? I know Linux and Mac have had their share of holes, but it seems as if every week there's a new announcement about some MS product that has either a 0 day flaw, or another MAJOR flaw? And even worse is their failure to deal with them in a reasonable amount of time! I mean 6 months to COMMENT on an advisory? That's ridiculous... Sure, they may have a lot of notices to work through, but if that's the case, hire more developers to deal with the security issues! They are out spreading the message that you can depend on MS products, and then leave gaping holes open for months... Not to long ago (within the month), they delayed a patch --well, wanted to anyway before they were called out on it-- for a 0-day in IE by 3 weeks, so that they could put it in a "planned update to IE"... If this was a popular open source project trying to pull this stuff, how quickly would a fork surface? Then again, it's all about placating the sheeple, right?
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
2. Re:This gets me every time by Anonymous Coward · 2010-03-16 11:29 · Score: 2, Insightful
  
  The moment they put out a patch that breaks anything, or makes things worse the uproar will be greater. Its also amazing how it will work find in say, the spanish version, but not on the chinese versions. So many things and so many different products.
3. Re:This gets me every time by Mister+Whirly · 2010-03-16 12:05 · Score: 1
  
  Well, OS X has the luxury of knowing exactly what type of limited hardware set the system it will be running on is using, and not a lot of variety. Linux doesn't have to worry about breaking thousands of applications every time they update the core OS. Microsoft has neither of these luxuries. Microsoft is also king in the corporate desktop arena, and if a business application breaks, it will be far worse for them and the corporate application users compared to the way it currently is set up. And even with all of Microsoft's pre-testing on patches, smart admins always test them out in a non-production setting before green lighting them for the real thing.
  
  --
  "But this one goes to 11!"
4. Re:This gets me every time by msuarezalvarez · 2010-03-16 12:22 · Score: 2, Informative
  
  I've upgraded "linux" (OS, libs, and what not) literally thousand of times in the ca. 15 years I've been using it, and I doubt there were 5 times where I has a real problem with the many apps I use stopping working...
5. Re:This gets me every time by obarthelemy · 2010-03-16 12:28 · Score: 5, Insightful
  
  Let's play devil's advocate:
  MS has quite a lot of competing agendas:
  - keep backwards compatibility, v1. That means a bunch a old APIs, services, apps... Not only was security not much of a concern back when those were written, but any change in the environment risks unveiling new vulns. These pooor guys are actually supposed to maintain IE 6, IE7, and IE 8.
  - keep backwards compatibility, v2. MS can't really change the security model or the way they expose it without, again, breaking apps. Since NT, Windows's security model is not bad. But MS can't really implement it fully (no apps changing system-wide ressources, no writing outside of a handful of approved dirs...) without, again, breaking apps.
  - add features
  - maintain an incredibly wide array of software. MS = Oracle + Linux+ php + Apache + OOo + Firefox + ...
  So yes, I really hate the pain that managing MS systems is. I, and they, know they could make things better by breaking a lot of apps. They choose not to... prolly because their customers want them not to. I can understand that.
  
  --
  The Cloud - because you don't care if your apps and data are up in the air.
6. Re:This gets me every time by Rockoon · 2010-03-16 12:29 · Score: 1
  
  So there were times when you upgraded Linux and software broke?
  
  Thats his point. When Microsoft breaks things to fix something else, people are in in arms.
  
  --
  "His name was James Damore."
7. Re:This gets me every time by peragrin · 2010-03-16 13:11 · Score: 2, Interesting
  
  then with windows vista why didn't MSFT include an XP mode, than ran in it's own self contained section while using the higher security of a modern OS?
  MSFT is trying to maintain compatibly with single user OS's in a networked world and failing miserably. Apple simply included a backwards compatibility mode and with every release slowly stopped installing.
  
  --
  i thought once I was found, but it was only a dream.
8. Re:This gets me every time by Nikker · 2010-03-16 13:46 · Score: 1
  
  I understand in programming there is always a possibility of a bug creeping up but common, Microsoft is one of the largest companies in the world, they have been working on the operating system for 20+ years now. They higher the worlds top PHD's to engineer the whole thing and pay them accordingly. Even the code monkeys are MIT grads with specialties in these core systems. When as a company you do one thing and get as much money as they do to do it there is an expectation of them and when you claim to be the best that expectation should be even greater. For so many similar problems to keep cropping up all directed at taking over your computer you have to admit this is becoming a bit ridiculous. It's just like the idea of the dam that springs a leak and each time you plug one another sprouts, but this has been happening since network connectivity began.
  
  --
  A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
9. Re:This gets me every time by MichaelSmith · 2010-03-16 14:00 · Score: 1
  
  I could make my wife's car theft proof by removing cables from the engine management system and bolting it to the garage floor but then she would never be able to drive it.
  
  --
  http://michaelsmith.id.au
10. Re:This gets me every time by ircmaxell · 2010-03-16 14:16 · Score: 1
  
  In the past 5 years of managing both production linux boxes and Windows boxes, I can honestly say I've seen more Windows updates break things than Linux updates break things. Typically, it's due to some rogue program that was either misusing an API, or relied on string results returned from a particular API call (rather than using the proper API, or a constant)... Who do I blame for that? I don't blame MS. I blame the offending software vendor. It's typical practice (that I follow) to wait on all non-critical security patches for potentially a few months to see if there were any issues reported from it. After that point, a quick test in staging, and it's rolled out. Personally, I'd rather they break things from time to time than have my network compromised because they decided to take their sweet ass time creating a fix for it... Something breaks == me either rolling back the change, or spending a day or two trying to fix it. A compromise == a lot more of a headache (First there's detecting the intrusion, rolling backups, investigation, mitigation, etc etc etc)... So I'd MUCH rather them get me a SECURITY fix sooner than later...
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
11. Re:This gets me every time by ircmaxell · 2010-03-16 14:34 · Score: 2, Insightful
  
  Don't forget, you're talking about a monolith of a company. They have more than enough resources to pour into security. Yet they don't... I refuse to cut them any slack, when open source projects which are powered by volunteers (I know not all are, but a significant number are) can produce (and do produce) results SIGNIFICANTLY faster than MS typically does... If a bunch of volunteers with VERY limited resources can do it, why can't a company with practically unlimited resources handle it?
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
12. Re:This gets me every time by Anpheus · 2010-03-16 15:32 · Score: 1
  
  Mythical man month much?
  Pouring more resources into security doesn't make it happen. Sorry.
13. Re:This gets me every time by Josh04 · 2010-03-16 15:45 · Score: 1
  
  Actually, they're doing remarkably well on the compatibility one.
14. Re:This gets me every time by ircmaxell · 2010-03-16 15:46 · Score: 2, Informative
  
  Pouring resources into one particular project doesn't work. But pouring resources into a pile of otherwise unrelated projects does. IF it's a problem of overload (where they have 1000 outstanding issues to investigate/fix, and less than 1000 people to work on it, you could gain something by adding resources... The "Mythical Man Month" is about adding resources to one project (where everyone's work depends on everyone else's)...
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
15. Re:This gets me every time by Mr2001 · 2010-03-16 15:57 · Score: 2, Insightful
  
  then with windows vista why didn't MSFT include an XP mode, than ran in it's own self contained section while using the higher security of a modern OS?
  Windows 7 Professional/Ultimate includes exactly that. But it's implemented using Virtual PC, which is where this flaw was discovered.
  
  --
  Visual IRC: Fast. Powerful. Free.
16. Re:This gets me every time by drsmithy · 2010-03-16 16:47 · Score: 0, Troll
  
  They have more than enough resources to pour into security. Yet they don't... I refuse to cut them any slack, when open source projects which are powered by volunteers (I know not all are, but a significant number are) can produce (and do produce) results SIGNIFICANTLY faster than MS typically does... If a bunch of volunteers with VERY limited resources can do it, why can't a company with practically unlimited resources handle it?
  It's pretty easy to patch software quickly when your testing and QA process barely extends past "does it compile".
17. Re:This gets me every time by Anpheus · 2010-03-16 19:45 · Score: 1
  
  It's not about fixing 1000 issues, if you tackle security like that, you'll be fixing 1000 issues every month until the end of time. And your problem will grow as your company and the amount of code you write grows. So theoretically you could eventually break even, but the worst security issues will be the ones you don't know about, the ones you can't measure in your tickets closed per month metric. So what if you closed 1000 bug tickets in a month? Anyone can do that, how about you go an entire month without a single bug ticket?
  That's where we come to a mythical man month problem. There's only so much money and people you can throw at security before you come up against the fundamental problem that security is a group effort, and is defined by a process that leads to fewer vulnerabilities, fewer bugs overall.
  I don't mean to be an apologist for Microsoft, they've been atrocious on the past and perhaps they are merely mediocre now. But the fact remains that you can't simply throw money at fixing vulnerabilities and have them go away. It doesn't matter how good your "vulnerability-checkers" are if they can't keep up with the hundred times larger number of coders you have writing bad code on a daily basis.
  tl;dr: you don't want people who can close bug tickets, you want to hire very smart, very disciplined people and empower them to create a process whereby bug tickets and vulnerability cases are never opened. This is ultimately a more difficult problem than simply throwing time and money at fixing bugs. Doubling your investment will not halve your vulnerabilities.
18. Re:This gets me every time by pinkushun · 2010-03-16 21:06 · Score: 1
  
  True that. Renting an OS (yes you don't buy the OS from MS), you hold the owners accountable for bad shit happening. Open source plays less point-the-finger and more help-another.
19. Re:This gets me every time by anss123 · 2010-03-16 21:22 · Score: 1
  
  At the possibility of being flamebait here, how the heck does MS keep publishing products full of security holes?
  
  Because many security flaws are in old software - which they aren't "pushing" any more. Today's flaw is a exception but requires a user that use XP mode in such a way that an attacker can get at it (say - if you're running an old insecure version of Firefox in XP mode) which, you have to be honest here, is not all that likely since XP mode will be more used for old games and business apps.
  
  As for the the "0day flaw" you mentioned, if it was an Open Source project you'd likely been asked to update to IE8 instead of whining about them pushing insecure software
20. Re:This gets me every time by Anonymous Coward · 2010-03-16 22:35 · Score: 0
  
  The problem is that "business applications" suck in general. They are the sorts of applications nobody wants to do, they get done forgotten then when they dont work hell breaks loose because the entire business model of the company may be failing.
  Think, billing system for a phone operator. It just has to work. But its in the domain of businesspeople nobody thinks of even maintaining it until its so broken there's just almost nothing that can be done.
21. Re:This gets me every time by ircmaxell · 2010-03-17 00:43 · Score: 1
  
  Well, that's quite fair... Perhaps then it's time for MS to invest the resources needed to revamp their development process (Changing policy and workflow, perhaps firing some people and hiring others, etc). Either way, I think at least part of my OP is correct, in that they have the resources needed to change things to make it better. Yet they haven't (well, at least that the public has seen)...
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
22. Re:This gets me every time by Anpheus · 2010-03-17 05:10 · Score: 1
  
  Well then we'll have to agree to disagree. I think Vista was an important and painful step forward for security, and that Windows 7 is probably about as secure as Linux 2.6.x. (Nothing can stop a user from wanting to see the dancing bunnies, etc.)
  In Linux for example, gksudo is not a secure way to enter your password, and neither is entering your password into a sudo prompt in a shell. In Windows, you'd need to have already exploited the computer in order to read a UAC prompt.
23. Re:This gets me every time by ircmaxell · 2010-03-17 05:31 · Score: 1
  
  Just for clarification, I wasn't talking about that kind of security vulnerability. I'm talking about true zero days that require no unusual action on the part of the user. Such as the case of simply vising an infected site, or a remote exploit. For what you are talking about, I agree 100%...
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
24. Re:This gets me every time by Anpheus · 2010-03-17 06:00 · Score: 1
  
  I think it's important to remember that the vast majority of online linux boxes are going to be servers which are already locked down, being run by at least semi-competent admins and probably with almost all the ports blocked except 80, 443, 21, an SSH port, etc. Essentially, they have a very small surface area, and even if there was a zero day, it's very easy for you to say "ah, that's not Linux's fault, that's Apache's fault. Even running OpenBSD would not have saved them."
  So it's very hard to compare "Windows" to "Linux", and even moreso when you compare surface area exposed by the average computer running either. That's not even taking into account the relative proportions.
25. Re:This gets me every time by trapnest · 2010-03-17 06:54 · Score: 1
  
  As long as by help-another (what) you mean:
  1. Works for me
  2. Not my distro
  3. Did you read the man page?
  
  Then yeah, Linux has that down.
Mac OS X by Anonymous Coward · 2010-03-16 11:16 · Score: -1, Troll

Yes. I've always wondered why more people don't switch to a better OS.
1. Re:Mac OS X by Anonymous Coward · 2010-03-16 11:45 · Score: -1, Troll
  
  Because some of us aren't men who have hot, hairy, mustachioed, sweaty, musky, anal, oral, scrotum-on-scrotum flapping, Elton John listening, gay bar dancing, San Francisco living, West Hollywood visiting, Hillcrest dining, lisping, cowboy-walking, nipple-piercing, Palm Springs vacationing, pride parade attending,
  
  sex with other men.
2. Re:Mac OS X by Anonymous Coward · 2010-03-16 12:15 · Score: 0
  
  Mod up this EPIC LULZ!
3. Re:Mac OS X by PopeRatzo · 2010-03-16 13:29 · Score: 2, Funny
  
  sex with other men.
  Not all of us can afford Macs.
  
  --
  You are welcome on my lawn.
4. Re:Mac OS X by trapnest · 2010-03-17 06:41 · Score: 1
  
  I wish I had mod points left to give everyone in this read a +5 Funny.
Ugh, this isn't good. by mlts · 2010-03-16 11:17 · Score: 4, Informative

The good news is that this doesn't affect the big iron (Hyper-V). However, for people who have Windows 7 and XP mode, using it for Web browsing, this will cause them a world of hurt.
Since this essentially doesn't affect servers, I'm going to recommend to people that they move to VMWare Workstation if they want commercial support, or VirtualBox if they desire an open source solution. Either one of these has as many features as VirtualPC (although VirtualPC has one nice advantage -- it drops changes to the undo disk fast compared to the 2-3 minutes VMWare does.)
A hole in a hypervisor is a really bad thing. A lot of people use VMs for honeypots, and this would cause unintended infections, or other damage, perhaps catastrophic.
1. Re:Ugh, this isn't good. by WrongSizeGlass · 2010-03-16 11:38 · Score: 2, Funny
  
  Dude, like, stop being so reasonable - you're gonna park a cloud over our MS bashing and 'I told you so' evangelism. It's not everyday we get to trash MS over a security issue.
2. Re:Ugh, this isn't good. by Anonymous Coward · 2010-03-16 11:41 · Score: 4, Informative
  
  The hole is not in the hypervisor. The GUEST OS is the one that is compromised, not the OS running the VM.
3. Re:Ugh, this isn't good. by cbhacking · 2010-03-16 11:46 · Score: 5, Informative
  
  Honeypots are designed to get hit. This bug doesn't make the host system vulnerable, it just means that the client OS is easier to exploit.
  If it worked on Hyper-V, this would be a big problem; that's a server-level technology where even the clients are expected to remain secure. On the other hand, Virtual PC isn't even a hypervisor; it requires a full OS onderneath it, running itself as just another Windows app. Up until 2007 didn't even require hardware support for virtualization.
  
  --
  There's no place I could be, since I've found Serenity...
4. Re:Ugh, this isn't good. by Anonymous Coward · 2010-03-16 12:12 · Score: 0
  
  Yeah, its every OTHER day we get to trash them for a security issue!
5. Re:Ugh, this isn't good. by The+MAZZTer · 2010-03-16 12:13 · Score: 1
  
  2007 doesn't require hardware virtualization either, only the Windows 7-only version does.
6. Re:Ugh, this isn't good. by PingPongBoy · 2010-03-16 12:15 · Score: 1
  
  On the other hand, Virtual PC isn't even a hypervisor; it requires a full OS onderneath it, running itself as just another Windows app
  So ... install Virtual PC in a Virtual PC virtual machine.
  I haven't tried, as it is slow enough
  
  --
  Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
7. Re:Ugh, this isn't good. by X0563511 · 2010-03-16 13:45 · Score: 4, Insightful
  
  If someone is using VirtualPC for a honeypot, they are an idiot.
  The idea of a honeypot is that it is indistinguishable from "the real thing."
  That this flaw even exists means it is identifiable as a virtual machine.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
8. Re:Ugh, this isn't good. by RulerOf · 2010-03-16 14:03 · Score: 1
  
  Yes, we're usually too busy trashing yesterday's security issue that today's tends to *whoosh* right over our heads.
  
  --
  Boot Windows, Linux, and ESX over the network for free.
9. Re:Ugh, this isn't good. by RulerOf · 2010-03-16 14:07 · Score: 1
  
  2007 doesn't require hardware virtualization either, only the Windows 7-only version does.
  There was a bit of upset about that point when XP mode got reviewed. Since it's based on VPC and not Hyper-V, it shouldn't require x64 and AMD-V or Intel-VT, but for some reason, it does. A lot of people considered that to be all sorts of bullshit because Intel uses their VT feature to differentiate product lines; I.E., moderately priced business desktops don't support XP mode. Of course, that bullshit is actually Intel's fault, so I tend to cast a more glaring eye at them when I think about it.
  
  --
  Boot Windows, Linux, and ESX over the network for free.
10. Re:Ugh, this isn't good. by NSIM · 2010-03-16 14:23 · Score: 1
  
  And what makes you think that other desktop hypervisors don't have similar vulnerabilities?
11. Re:Ugh, this isn't good. by John+Hasler · 2010-03-16 15:41 · Score: 1
  
  > VMWare Workstation if they want commercial support, or VirtualBox if they
  > desire an open source solution.
  You know very well that commercial support is available for Open Source.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
12. Re:Ugh, this isn't good. by Mr2001 · 2010-03-16 16:04 · Score: 3, Insightful
  
  A lot of people considered that to be all sorts of bullshit because Intel uses their VT feature to differentiate product lines; I.E., moderately priced business desktops don't support XP mode.
  Moral: if you're looking for something modestly priced, go with AMD processors. Not only are they cheaper, but nearly all the ones you can find today support virtualization.
  
  --
  Visual IRC: Fast. Powerful. Free.
13. Re:Ugh, this isn't good. by PFAK · 2010-03-16 16:26 · Score: 1
  
  It's a good thing this vulnerability doesn't allow the host system to be compromised, otherwise we'd be in real trouble!
  (AKA: Parent poster is wrong.)
  
  --
  
  Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
14. Re:Ugh, this isn't good. by cbhacking · 2010-03-16 17:01 · Score: 3, Interesting
  
  I actually had a chance to talk with one of the guys behind Wirtual PC (including the one that powers Virtual XP Mode) a few months back. His answer was that when MS started work on the Windows Virtual PC (WVPC, the current version) 3 years ago (roughly when VPC2k7 shipped), they contacted Intel and AMD and asked if they were going to offer hardware virtualization on all models going forward. Both companies answered Yes, so to save development and testing costs, the (large block of tricky) code that enabled vitrualization on CPUs without hardware support was cut from WVPC. Skip forward a couple years to WVPC getting ready for release, and... still a lot of Intel CPUs without support for virtualization. At that point it was too late to add the feature without delaying shipping, so they didn't.
  I asked whether they would add it in later, and he said they weren't planning to but might change their mainds if it became clear that this was a problem for enough of their customers. In the meantime, they were telling Intel to get its shit together the way it had said it would three years earlier, and he personally recommended going with AMD chips.
  On a side note, I didn't hear anything at all about it requiring x64. According to http://www.microsoft.com/windows/virtual-pc/download.aspx, it works just fine on x86.
  
  --
  There's no place I could be, since I've found Serenity...
15. Re:Ugh, this isn't good. by KillShill · 2010-03-16 17:55 · Score: 1
  
  And you can feel good about not supporting a monopolist.
  
  --
  Science : Proprietary , Knowledge : Open Source
16. Re:Ugh, this isn't good. by Anonymous Coward · 2010-03-16 20:12 · Score: 0
  
  or just a machine w/ DEP off ....
17. Re:Ugh, this isn't good. by julesh · 2010-03-16 20:58 · Score: 1
  
  The hole is not in the hypervisor. The GUEST OS is the one that is compromised, not the OS running the VM.
  The hole is in the hypervisor; if the hypervisor worked correctly, the guest OS would behave identically whether or not it was running as a guest.
  But, yes, it would appear that this flaw does not provide a way guest code can escape the virtual environment. Essentially: local privelege escalation bug restricted to virtual machine guests.
18. Re:Ugh, this isn't good. by Anonymous Coward · 2010-03-17 00:28 · Score: 0
  
  Note that VMWare's free Player now allows you to create VMs, not just use them
  Cheers
19. Re:Ugh, this isn't good. by tlhIngan · 2010-03-17 03:14 · Score: 1
  
  There was a bit of upset about that point when XP mode got reviewed. Since it's based on VPC and not Hyper-V, it shouldn't require x64 and AMD-V or Intel-VT, but for some reason, it does. A lot of people considered that to be all sorts of bullshit because Intel uses their VT feature to differentiate product lines; I.E., moderately priced business desktops don't support XP mode. Of course, that bullshit is actually Intel's fault, so I tend to cast a more glaring eye at them when I think about it
  You don't need x64 to have VT. I have an Atom-powered netbook that runs XP mode just fine (the Z520/30/etc have VT, but no x64. Given they only support something like 2GB of RAM, 64-bit is a waste).
  And the reason Intel uses VT as a differentiator is because their customers want it. Intel's got so much fab capacity, they can churn out custom chips for anyone, given a large enough order. Like how all Intel Macs have VT built in, or custom chips for the MacBook Air.
  AMD though has a fab capacity problem (and always had), so they can't really do the customization and turnaround that Intel can. This is to their advantage, since they can just fab the "best" chips with all features and go for a value proposition. Unfortunately, lack of fab capacity also limits their OEM usage somewhat - Apple, Dell and others do hate short orders, and probably want customized chips. Hell, I'm sure AMD wants to comply, but it would mean sacrificing some markets to meet demand ("Sorry AMD enthusiasts, but due to existing orders for this chip, you'll receive yours in a few months...").
  And actually, businesses do want XP mode. The main reason is their line-of-business applications are typically so poorly coded that they only work on XP (if they work on XP...). Budget netbooks though, can often skip VT. Ditto budget laptops with Core series rather than Atom.
Still can't exploit the host OS by cbhacking · 2010-03-16 11:41 · Score: 5, Informative

This is definitley a bug, but all it does is allow bypassing of security features in the virtualized system. In other words, you can exploit the VM client, but you still can't get at the host.
It's worth of a patch, but not of a panic. If you're virtualizing for security, you don't really care what happens to the virtual system (that's the point). If you're virtualizing so you can run an old OS, it's going to be full of holes anyhow. If you're virtualizing for any other reason, why the hell are you using consumer-grade virtualization software?

--
There's no place I could be, since I've found Serenity...
1. Re:Still can't exploit the host OS by ub3r+n3u7r4l1st · 2010-03-16 12:48 · Score: 1
  
  Most people don't utilize the function of an "undo disk" in VPC, which allows you to restore a VM to a previous state when you turn off the VM.
  So the infection will stay there, if somebody use it as a spam or phishing server, the FBI will be knocking on your door.
  
  --
  New Economic Perspectives
2. Re:Still can't exploit the host OS by pinkushun · 2010-03-16 21:22 · Score: 1
  
  Out of interest, I develop on two XP SP3 VPC's, against older systems that do not support XP+. It's a bit worrying, doing production work in these environments.
Credits by aurelianito · 2010-03-16 11:51 · Score: 5, Informative

From TFA:

An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks.
I would like to add that the exploit writer at Core Security Technologies that discovered this vulnerability is Nicolás Economou and congratulate him on the great work he has made.
Disclaimer: I also work at Core
1. Re:Credits by pinkushun · 2010-03-16 20:54 · Score: 1
  
  Thanks for the good work Nicolás :)
2. Re:Credits by cachimaster · 2010-03-18 05:58 · Score: 1
  
  Awesome aurelianito, thanks for the clarification!
  And thanks to Nico too!
How many people even use VirtualPC/XP mode anyway? by jim_v2000 · 2010-03-16 12:10 · Score: 5, Insightful

I mean, talk about small targets. I highly doubt that any hacker would find it worth his time to attempt to exploit this. I mean, first you have to find someone running XP mode. Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system) on the guest OS instead of the host OS. Then the person still has to have more than 2 gigs of RAM and be utilizing more than 2 gigs at once. Then, after all that, you only have access to the XP VM, which may or may not have anything of worth on it.

I'm not surprised that MS shrugged it off for now.

--
Don't take life so seriously. No one makes it out alive.
Mooslims are a plague on society by Anonymous Coward · 2010-03-16 12:33 · Score: -1, Offtopic

Allah is a lie. Mohammad was an opportunist.
Finally! Some good news! by Anonymous Coward · 2010-03-16 12:56 · Score: 0

This is just the kind of thing I can put my faith in.
Whats new... by joocemann · 2010-03-16 13:25 · Score: 1

Its like they do this on purpose...
Re:How many people even use VirtualPC/XP mode anyw by Anonymous Coward · 2010-03-16 13:39 · Score: 3, Interesting

I mean, talk about small targets. I highly doubt that any hacker would find it worth his time to attempt to exploit this. I mean, first you have to find someone running XP mode. Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system) on the guest OS instead of the host OS. Then the person still has to have more than 2 gigs of RAM and be utilizing more than 2 gigs at once. Then, after all that, you only have access to the XP VM, which may or may not have anything of worth on it.
I'm not surprised that MS shrugged it off for now.
Sorry, nice try, but you don't seem to understand the issue here. You don't need to "get them to open an executable" - the point is that this vulnerability makes it possible to exploit existing vulnerabilities by bypassing mitigation techniques such as SafeSEH, DEP, and ASLR. It also has nothing to do with the amount of physical RAM on the system or how much is being used - the mentions of memory accesses refer to a process's virtual address space.
I agree that this doesn't have nearly the same impact as if it affected Hyper-V or other business-critical virtualization platforms, but if you're going to downplay its significance, at least know what you're talking about. ;)
Priorities, priorities - oh, wait! Policy: by symbolset · 2010-03-16 13:40 · Score: 4, Informative

When we face a choice between adding features and resolving security issues, we need to choose security.

- Bill Gates, January 16, 2002 .

--
Help stamp out iliturcy.
3 months before full disclosure by Anonymous Coward · 2010-03-16 13:52 · Score: 0

So how many months do you need to review once you are told about it?
Simple. How many months will you give them before you go public?
Three months (one quarter). Give them the benefit of the doubt for fixing things.
I'm all for full disclosure, but at least give people a fighting chance to patch their systems.

for a 0-day in IE by 3 weeks, so that they could put it in a "planned update to IE"
Which allows for large companies that depend on IE to do regression testing on one patch (or patch release cycle), instead of two or more.

If this was a popular open source project trying to pull this stuff, how quickly would a fork surface? Then again, it's all about placating the sheeple, right?
A popular open source project I think would also like a little breathing room to test things to make sure they got the fix right and that their code changes didn't break anything else.
Developers--who also work inside Microsoft--are people too, and making them sweat doesn't help anyone. Just because the suits are asshats doesn't mean you have to act like one too.
1. Re:3 months before full disclosure by ircmaxell · 2010-03-16 14:26 · Score: 1
  
  I'm all for full disclosure, but at least give people a fighting chance to patch their systems.
  I agree 110%. But I also want a patch in a reasonable amount of time (and that time is dependent on the risk). If it's a true 0-Day, I want the fix today. Not 3 months from now. I want it today (I know I won't get it today, but that doesn't mean it shouldn't be an ASAP thing)...
  
  Which allows for large companies that depend on IE to do regression testing on one patch (or patch release cycle), instead of two or more.
  I fully understand that. However, we're talking about a 0-Day fix here. And not a academic example, one that was in the real world rapidly causing breaches in major corporations. In that particular case, I'd much rather 2 updates than one. Heck, you could even tell users that another non-security update is coming in a few weeks and let them decide. But don't punish those of us who care about the security of our networks for those that are too lazy to do things multiple times...
  
  A popular open source project I think would also like a little breathing room to test things to make sure they got the fix right and that their code changes didn't break anything else.
  I would give a LITTLE breathing room, but taking potentially years to issue major security fixes is completely inexcusable. And if a project made a habit of taking that long to deliver patches, I would bet a significant amount of $$$ that the community would not tolerate that (I have seen projects fail for exactly that reason)...
  
  Developers--who also work inside Microsoft--are people too, and making them sweat doesn't help anyone. Just because the suits are asshats doesn't mean you have to act like one too.
  I do understand they are people. I am more attacking the corporate culture and policy that I am the developers. If they really don't have the ability to produce the results, then either they should find a new job, or MS needs to hire more or better developers. If it's that they are just to busy, then that's on management. 99.5% of the blame IMHO falls onto the shoulders of management (all levels). Something needs to change (because the system they are using now isn't working IMHO), and it doesn't look like anything is changing (perception is reality)... So it's someone's fault...
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
Re:How many people even use VirtualPC/XP mode anyw by Antique+Geekmeister · 2010-03-16 15:04 · Score: 1

The target isn't that small. The fact that being virtualized breaks their security models is a big issue, and indicative of other big issues. (Using virtualization to break copy protection is one of my personal favorites.) And there are plenty of home and business users who have gotten Windows Vista machines foisted onto them who use and need to use Windows XP for software compatibility reasons, and who therefore run old games or critical applications in Windows XP under Virtual PC. I've done it myself for debugging purposes, when I've had spare licenses but not spare desktop systems.
"security mitigations"? by John+Hasler · 2010-03-16 15:39 · Score: 1

Aren't those called "exploits"?

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
1. Re:"security mitigations"? by julesh · 2010-03-16 21:05 · Score: 2, Informative
  
  Aren't those called "exploits"?
  No, you're misunderstanding the article. A "security mitigation" is something that stops exploits working without actually removing the hole that allows the exploit. Stuff like checking your stack is still intact before returning from a function in order to make stack overflow exploits fail: the stack can still be overflowed, but you can't (easily) exploit this any more.
Re:Priorities, priorities - oh, wait! Policy: by TRRosen · 2010-03-16 16:01 · Score: 1

He said they NEEDED to... not that they WOULD.
No kidding by Sycraft-fu · 2010-03-16 16:39 · Score: 3, Interesting

To the extent we use it at work, it is for running stubborn old software that won't run in Windows 7 and/or 64-bit OSes. To date, we've discovered two applications like that. We also set them up to run seamless in the host OS (their window appears along any other window) where you don't see or play with the guest VM. It's easier for the user, and less potential trouble. They generally don't even know (or care) that the program is running in a VM.
So yes, it requires some fairly edge situations to exploit. Not many people use XP mode in the first place (most apps run natively in 7), if they do, reasonable bet they are just using it for compatibility for one or two old apps, not on a regular basis. So you have to convince them to get your exploit, and run it in their XP system. While I suppose you could craft it so that it doesn't run in 7, they may just say "Eh, do not want," and ignore it. If not they might wonder why a new app would have that problem. Either way you've got to get them to use it in XP mode and then... Well I guess you can own their XP VM. Wonderful, that does you a whole lot of nothing in general.
Also this isn't a case of "Bypasses any and all security," it just gets by some additional protections that can help in some cases. DEP, for example, doesn't do anything to stop malware, it doesn't check the "evil bit" and stop programs from running. All it does is prevent buffer overflows in some cases. You can't execute code in the data area of a program's memory. Ok, fine, however to even matter at all you have to have a program that is vulnerable to that kind of thing. If programs are checking their inputs and so on, then DEP never even comes in to play.
Don't get me wrong, I'm happy that MS has added some additional protections to make common problems harder to exploit, however they are not the first, last, and only line of defense. They are just things that cause additional problems for various sorts of exploits. Something has to find a way to try and get in to the system in the first place before they even matter.
I can't see this as any kind of big deal. I'm certainly not at all concerned with regards to the computers that use it at work.
Not a vulnerability by poppycock · 2010-03-16 18:44 · Score: 3, Informative

This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC. Microsoft is actually in a leading postion when it comes to memory protection features as compared to anyone this side of OpenBSD.
What isn't someone issuing an "advisory" that the MacOS implementation of things like GS, ALSR, early-heap-termination and SafeSEH are either weak or nonexistent?
ASLR could use more entropy. Stack coookies could be present in every function, instead of just some. Every defense can be improved, and I don't think Microsoft has ever claimed that ASLR or GS is a reason NOT to produce a patch.
IMHO, Microsoft is completely correct to not issue a bulletin for this since that is an indication of a severe issue. And Core is free to make the issue known publically as well, and people can decide for themselves. But the Slashdot title is midleading at best.
Re:How many people even use VirtualPC/XP mode anyw by jim_v2000 · 2010-03-16 20:30 · Score: 2, Informative

RTFA and re-read what I said:

Article: "It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system."

Me: "Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system)"

--
Don't take life so seriously. No one makes it out alive.
6 months by Anonymous Coward · 2010-03-16 21:41 · Score: 0

6 months is actually rather fast turn-around time for Microsoft. The weenies usually take longer to acknowledge a bug, usually waiting for hints of an automated exploit in the wild before doing so. That allows their PR firms to call it a '0 Day' bug.
Use a VHD for booting and your screwed? by egnop · 2010-03-16 22:21 · Score: 1

Alltough I never got this working: booting from a VHD :, it occurs to me that are a lot of people doing this for different purposes...
http://www.sevenforums.com/tutorials/2953-virtual-hard-drive-vhd-file-create-start-boot.html
Would this be affected too?
1. Re:Use a VHD for booting and your screwed? by Anonymous Coward · 2010-03-17 00:06 · Score: 0
  
  No. Booting from a VHD is not really virtualization, it simple replaces the disk drivers with ones that understand the VHD structure, nothing else.
Obvious... by __aaelyr464 · 2010-03-16 23:21 · Score: 1

I love how the summary has to point out that the vulnerability is "unpatched". Well no shit, it wouldn't be a vulnerability if it was patched.
1. Re:Obvious... by Kalriath · 2010-03-17 13:25 · Score: 1
  
  Also, they have a funny definition of unpatched
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
2 "hacks" i found in Windows recently by sproketboy · 2010-03-17 00:03 · Score: 1

Not sure if anyone knows about these but...
The document and settings transfer wizard in Windows 7 did not ask me to authenticate for the other profiles I transferred. So I assume that if one were to examine that program there might be something in there.
When I installed Windows 7 on my laptop - at the point where it asked me for the Key I unplugged to take the laptop to my desk to get the key - and the Key dialog was simply bypassed! I was on the next screen. So I still haven't entered my key. Maybe this only happens with a MSDN license - not sure.
1. Re:2 "hacks" i found in Windows recently by Anonymous Coward · 2010-03-17 00:42 · Score: 0
  
  1) As you can only run the easy transfer wizard as an administrator where is the problem? You could have accessed those profiles anyway.
  2) It'll prompt you in 30 days for activation at which time you can put in your key. You can install Win7 without a key initially quite happily.
2. Re:2 "hacks" i found in Windows recently by sproketboy · 2010-03-17 04:25 · Score: 1
  
  New computer is off the domain. I browsed to the old computer and it allows me to transfer ALL profiles.
3. Re:2 "hacks" i found in Windows recently by Anonymous Coward · 2010-03-17 07:51 · Score: 0
  
  You would have to had authenticated as an administrator first, simple as that.
less effective advanced protections by Anonymous Coward · 2010-03-17 01:38 · Score: 0

This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC ..

'The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system'

Microsoft weasle words, copyright©
Bill said that in 2002... by sgtrock · 2010-03-17 02:13 · Score: 1

And I told people at the time that I expected Microsoft to take _at_least_ 10 years to be able to do that consistently. 15 years wouldn't surprise me.
While I have not yet tried out Win7 or IE8 myself, everything that I've read says that they've made remarkable progress in improving their overall security stance. They just might finish up nearer the shorter end of my estimate than I thought at the time. :)
1. Re:Bill said that in 2002... by symbolset · 2010-03-17 12:19 · Score: 1
  
  Well, at the time I wondered what had took them so long. This was a new policy in 2002, and most of us had this figured out fifteen years earlier.
  
  --
  Help stamp out iliturcy.