Microsoft, security vendor clash over Virtual PC bug

No immediate plans to patch flaw that skirts Windows defenses, says Microsoft

A bug in Microsoft's software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said today.

The flaw is in some of Microsoft's virtualization software, including Windows XP Mode , the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.

Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Core Security, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."

Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole . "The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."

Core and Microsoft don't disagree on the facts, said Arce.

The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomization), that are designed to deflect some types of attacks against Windows XP, Vista and Windows 7 .

But the two companies don't see eye-to-eye on the need for a patch. "We don't agree with Microsoft's decision not to patch," said Arce. "Applications in a virtualized environment are more easily exploitable than if they were running on real hardware. This should be fixed."

Hackers could exploit the flaw to attack virtualized copies of Windows that normally would be immune to attack, or at the least, much more difficult to attack, because of mechanisms like DEP and ASLR, Arce said. And the bug could make vulnerabilities once thought trivial, and not worth the trouble to patch, worthy of exploitation. "In light of this bug, vulnerabilities believed to not apply to the virtualized OS and that were dismissed as not exploitable, may, in fact, be exploitable," Arce added.

Arce acknowledged that by publishing its lengthy advisory -- which includes proof-of-concept attack code -- Core was pressuring Microsoft to patch. "We understand that it may be difficult to fix, but this puts pressure on them to do something about it sooner rather than later," he said.

Microsoft's Hyper-V technology, which is employed by Windows Server 2008, is not affected by the flaw, Microsoft and Core agreed.

Although the "guest" operating systems running in virtual machines are at risk, the "host" operating system -- the one powering the actual physical hardware -- is not, Microsoft assured customers. Nor can the flaw be used to jump from one virtualized guest OS on a single machine to another. Even so, Microsoft's Cooke urged users to run virtualized applications on the desktop only when there was no substitute.

"We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7," he said in an entry to the Windows Security blog . "For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future."

"Virtualization software is actual software, it's not magic," said Arce. "It's vulnerable, and sometimes bugs in it are not minimal. Should we wait five years -- and I'm exaggerating here -- for Microsoft to fix this, but not tell anyone? Sure, it may take some time for Microsoft to fix this, but there are other virtualization packages people can use that don't have this vulnerability."

Core's advisory spelled that out in plain English, telling users to either run mission-critical Windows applications on non-virtualized systems or to use alternate virtualization software.

Arce credited Nicolas Economou, who works at Core as an exploit writer, with uncovering the bug.

Microsoft has taken the same stance in the past when it's argued that what others classify as security vulnerabilities it believes are nothing of the sort. Nearly three years ago, for instance, the company claimed that Office 2007 crashes reported as flaws were actually part of the suite's design .

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftWindows 7virtualisation

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?