Microsoft, security vendor clash over Virtual PC bug

No immediate plans to patch flaw that skirts Windows defenses, says Microsoft

A bug in Microsoft's software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said today.

The flaw is in some of Microsoft's virtualization software, including Windows XP Mode , the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.

Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Core Security, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."

Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole . "The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."

Core and Microsoft don't disagree on the facts, said Arce.

The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomization), that are designed to deflect some types of attacks against Windows XP, Vista and Windows 7 .

But the two companies don't see eye-to-eye on the need for a patch. "We don't agree with Microsoft's decision not to patch," said Arce. "Applications in a virtualized environment are more easily exploitable than if they were running on real hardware. This should be fixed."

Hackers could exploit the flaw to attack virtualized copies of Windows that normally would be immune to attack, or at the least, much more difficult to attack, because of mechanisms like DEP and ASLR, Arce said. And the bug could make vulnerabilities once thought trivial, and not worth the trouble to patch, worthy of exploitation. "In light of this bug, vulnerabilities believed to not apply to the virtualized OS and that were dismissed as not exploitable, may, in fact, be exploitable," Arce added.

Arce acknowledged that by publishing its lengthy advisory -- which includes proof-of-concept attack code -- Core was pressuring Microsoft to patch. "We understand that it may be difficult to fix, but this puts pressure on them to do something about it sooner rather than later," he said.

Microsoft's Hyper-V technology, which is employed by Windows Server 2008, is not affected by the flaw, Microsoft and Core agreed.

Although the "guest" operating systems running in virtual machines are at risk, the "host" operating system -- the one powering the actual physical hardware -- is not, Microsoft assured customers. Nor can the flaw be used to jump from one virtualized guest OS on a single machine to another. Even so, Microsoft's Cooke urged users to run virtualized applications on the desktop only when there was no substitute.

"We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7," he said in an entry to the Windows Security blog . "For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future."

"Virtualization software is actual software, it's not magic," said Arce. "It's vulnerable, and sometimes bugs in it are not minimal. Should we wait five years -- and I'm exaggerating here -- for Microsoft to fix this, but not tell anyone? Sure, it may take some time for Microsoft to fix this, but there are other virtualization packages people can use that don't have this vulnerability."

Core's advisory spelled that out in plain English, telling users to either run mission-critical Windows applications on non-virtualized systems or to use alternate virtualization software.

Arce credited Nicolas Economou, who works at Core as an exploit writer, with uncovering the bug.

Microsoft has taken the same stance in the past when it's argued that what others classify as security vulnerabilities it believes are nothing of the sort. Nearly three years ago, for instance, the company claimed that Office 2007 crashes reported as flaws were actually part of the suite's design .

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftvirtualisationWindows 7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?