Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Virtual PC Flaw Defeats Windows Defenses

Posted by kdawson on from the around-the-maginot-line dept.

Coop's Troops writes "An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks. The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — DEP, SafeSEH and ASLR — to exploit the Windows operating system. As a result, some applications with bugs that are not exploitable when running in a not-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC."

15 of 141 comments (clear)

  1. This gets me every time by Ben4jammin · · Score: 4, Insightful

    Arce said Core reported the flaw to Microsoft last August... Microsoft officials declined to comment until they had a chance to review Core’s advisory on the issue

    So how many months do you need to review once you are told about it???

    1. Re:This gets me every time by ircmaxell · · Score: 4, Interesting

      So how many months do you need to review once you are told about it?

      Simple. How many months will you give them before you go public?

      At the possibility of being flamebait here, how the heck does MS keep publishing products full of security holes? I know Linux and Mac have had their share of holes, but it seems as if every week there's a new announcement about some MS product that has either a 0 day flaw, or another MAJOR flaw? And even worse is their failure to deal with them in a reasonable amount of time! I mean 6 months to COMMENT on an advisory? That's ridiculous... Sure, they may have a lot of notices to work through, but if that's the case, hire more developers to deal with the security issues! They are out spreading the message that you can depend on MS products, and then leave gaping holes open for months... Not to long ago (within the month), they delayed a patch --well, wanted to anyway before they were called out on it-- for a 0-day in IE by 3 weeks, so that they could put it in a "planned update to IE"... If this was a popular open source project trying to pull this stuff, how quickly would a fork surface? Then again, it's all about placating the sheeple, right?

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    2. Re:This gets me every time by obarthelemy · · Score: 5, Insightful

      Let's play devil's advocate:

      MS has quite a lot of competing agendas:
      - keep backwards compatibility, v1. That means a bunch a old APIs, services, apps... Not only was security not much of a concern back when those were written, but any change in the environment risks unveiling new vulns. These pooor guys are actually supposed to maintain IE 6, IE7, and IE 8.
      - keep backwards compatibility, v2. MS can't really change the security model or the way they expose it without, again, breaking apps. Since NT, Windows's security model is not bad. But MS can't really implement it fully (no apps changing system-wide ressources, no writing outside of a handful of approved dirs...) without, again, breaking apps.
      - add features
      - maintain an incredibly wide array of software. MS = Oracle + Linux+ php + Apache + OOo + Firefox + ...

      So yes, I really hate the pain that managing MS systems is. I, and they, know they could make things better by breaking a lot of apps. They choose not to... prolly because their customers want them not to. I can understand that.

      --
      The Cloud - because you don't care if your apps and data are up in the air.
  2. Re:Linux by customizedmischief · · Score: 5, Insightful

    Every time I read an article like this, it gives me a smug face wondering why more people don't switch.

    Swtch to what, VMware or Parallels?

    --
    Oops.
  3. Ugh, this isn't good. by mlts · · Score: 4, Informative

    The good news is that this doesn't affect the big iron (Hyper-V). However, for people who have Windows 7 and XP mode, using it for Web browsing, this will cause them a world of hurt.

    Since this essentially doesn't affect servers, I'm going to recommend to people that they move to VMWare Workstation if they want commercial support, or VirtualBox if they desire an open source solution. Either one of these has as many features as VirtualPC (although VirtualPC has one nice advantage -- it drops changes to the undo disk fast compared to the 2-3 minutes VMWare does.)

    A hole in a hypervisor is a really bad thing. A lot of people use VMs for honeypots, and this would cause unintended infections, or other damage, perhaps catastrophic.

    1. Re:Ugh, this isn't good. by Anonymous Coward · · Score: 4, Informative

      The hole is not in the hypervisor. The GUEST OS is the one that is compromised, not the OS running the VM.

    2. Re:Ugh, this isn't good. by cbhacking · · Score: 5, Informative

      Honeypots are designed to get hit. This bug doesn't make the host system vulnerable, it just means that the client OS is easier to exploit.

      If it worked on Hyper-V, this would be a big problem; that's a server-level technology where even the clients are expected to remain secure. On the other hand, Virtual PC isn't even a hypervisor; it requires a full OS onderneath it, running itself as just another Windows app. Up until 2007 didn't even require hardware support for virtualization.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:Ugh, this isn't good. by X0563511 · · Score: 4, Insightful

      If someone is using VirtualPC for a honeypot, they are an idiot.

      The idea of a honeypot is that it is indistinguishable from "the real thing."

      That this flaw even exists means it is identifiable as a virtual machine.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. Re:Linux by snowraver1 · · Score: 5, Insightful

    Answer: Because their apps run on windows. That's all there is to it.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  5. Re:Which only goes to show, it's always something by WrongSizeGlass · · Score: 4, Funny

    So Virtual PC is virtually as secure (or insecure) as a real PC? If you wanted the security of a real PC then they should have, um, well ... never mind.

  6. Still can't exploit the host OS by cbhacking · · Score: 5, Informative

    This is definitley a bug, but all it does is allow bypassing of security features in the virtualized system. In other words, you can exploit the VM client, but you still can't get at the host.

    It's worth of a patch, but not of a panic. If you're virtualizing for security, you don't really care what happens to the virtual system (that's the point). If you're virtualizing so you can run an old OS, it's going to be full of holes anyhow. If you're virtualizing for any other reason, why the hell are you using consumer-grade virtualization software?

    --
    There's no place I could be, since I've found Serenity...
  7. Re:Linux by Hamsterdan · · Score: 5, Informative

    Virtualbox.

    --
    I've got better things to do tonight than die.
  8. Credits by aurelianito · · Score: 5, Informative
    From TFA:

    An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks.

    I would like to add that the exploit writer at Core Security Technologies that discovered this vulnerability is Nicolás Economou and congratulate him on the great work he has made.

    Disclaimer: I also work at Core

  9. How many people even use VirtualPC/XP mode anyway? by jim_v2000 · · Score: 5, Insightful

    I mean, talk about small targets. I highly doubt that any hacker would find it worth his time to attempt to exploit this. I mean, first you have to find someone running XP mode. Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system) on the guest OS instead of the host OS. Then the person still has to have more than 2 gigs of RAM and be utilizing more than 2 gigs at once. Then, after all that, you only have access to the XP VM, which may or may not have anything of worth on it.

    I'm not surprised that MS shrugged it off for now.

    --
    Don't take life so seriously. No one makes it out alive.
  10. Priorities, priorities - oh, wait! Policy: by symbolset · · Score: 4, Informative

    When we face a choice between adding features and resolving security issues, we need to choose security.

    - Bill Gates, January 16, 2002 .

    --
    Help stamp out iliturcy.