Microsoft disputes Virtual PC vulnerability claims
by Steve Ragan - Mar 17 2010, 19:00

Researchers at Core Security have published an advisory warning that vulnerabilities, which would otherwise be non-exploitable on a non-virtualized OS, could be exploited when the OS is running as a guest inside Microsoft’s Virtual PC and Virtual Server. Microsoft has responded, noting that what Core describes is not an actual vulnerability.
The Core Security researchers discovered a problem with the way memory is managed by the Virtual Machine Monitor in Windows Virtual PC, Microsoft Virtual PC 2007, and Virtual Server 2005. The problem is that memory pages mapped above 2GB are readable and writable by user-space programs running on the guest OS.
“By leveraging this vulnerability it is possible to bypass security mechanisms of the operating system such as Data Execution Prevention (DEP), Safe Structured Error Handling (SafeSEH), and Address Space Layout Randomization (ASLR) designed to prevent exploitation of security bugs in applications running on Windows operating systems,” the Core Security advisory states.
“Thus applications with bugs that are not exploitable when running in non-virtualized operating systems become exploitable if running within a guest OS of Virtual PC. In particular, an application running on Windows 7 in XP Mode may be exploitable while the same application running directly on a Windows XP SP3 system is not.”
A Microsoft spokesperson told The Tech Herald that, “We are still investigating this claim, but it sounds from their findings that an attacker could only exploit a vulnerability in an application running "inside" the guest virtual machine, and users must have an actual vulnerability in an application running in the guest machine in order to be able to leverage the ‘bug’.”
This statement mirrors those made by Paul Cooke on the Windows Security Blog, which said that the functionality Core calls out is not an actual vulnerability per se.
“Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It's a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms.”
Cooke also pointed out that Windows 7 running directly on hardware is not affected, nor is Hyper-V.
Core’s advisory notes that Hyper-V is immune, but Virtual Server and Virtual PC are more common in IT shops using virtualization, and Core says the current release of each of those products is vulnerable.
Microsoft has said there will be no patch to address this issue in the form of a security bulletin. Instead, according to Core’s advisory, the problem will be addressed in a service pack or future software update.
Many sources, including Core’s own researchers, say that Microsoft is missing the point. The issue adds another avenue of attack: bugs that were previously useless to attackers, because the OS defenses of a hardened desktop environment blocked them, are now exposed as well.
We’ve reached out to Core Security for more information. If we hear back from them, we’ll update this story.