MS Virtual PC Flaw Defeats Windows Defenses

Coop's Troops writes "An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks. The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — DEP, SafeSEH and ASLR — to exploit the Windows operating system. As a result, some applications with bugs that are not exploitable when running in a non-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC."
  • by mlts ( 1038732 ) * on Tuesday March 16, 2010 @07:17PM (#31502884)

    The good news is that this doesn't affect the big iron (Hyper-V). However, for people who have Windows 7 and XP mode, using it for Web browsing, this will cause them a world of hurt.

    Since this essentially doesn't affect servers, I'm going to recommend to people that they move to VMWare Workstation if they want commercial support, or VirtualBox if they desire an open source solution. Either one of these has as many features as VirtualPC (although VirtualPC has one nice advantage -- it drops changes to the undo disk fast compared to the 2-3 minutes VMWare does.)

    A hole in a hypervisor is a really bad thing. A lot of people use VMs for honeypots, and this would cause unintended infections, or other damage, perhaps catastrophic.

  • by Anonymous Coward on Tuesday March 16, 2010 @07:41PM (#31503088)

    The hole is not in the hypervisor. The GUEST OS is the one that is compromised, not the OS running the VM.

  • This is definitely a bug, but all it does is allow bypassing of security features in the virtualized system. In other words, you can exploit the VM client, but you still can't get at the host.

    It's worthy of a patch, but not of a panic. If you're virtualizing for security, you don't really care what happens to the virtual system (that's the point). If you're virtualizing so you can run an old OS, it's going to be full of holes anyhow. If you're virtualizing for any other reason, why the hell are you using consumer-grade virtualization software?

  • Re:Linux (Score:5, Informative)

    by Hamsterdan ( 815291 ) on Tuesday March 16, 2010 @07:45PM (#31503122)
    Virtualbox.
  • by cbhacking ( 979169 ) on Tuesday March 16, 2010 @07:46PM (#31503138) Homepage Journal

    Honeypots are designed to get hit. This bug doesn't make the host system vulnerable, it just means that the client OS is easier to exploit.

    If it worked on Hyper-V, this would be a big problem; that's a server-level technology where even the clients are expected to remain secure. On the other hand, Virtual PC isn't even a hypervisor; it requires a full OS underneath it, running itself as just another Windows app. Up until 2007 it didn't even require hardware support for virtualization.

  • Credits (Score:5, Informative)

    by aurelianito ( 684162 ) on Tuesday March 16, 2010 @07:51PM (#31503182) Homepage Journal
    From TFA:

    An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks.

    I would like to add that the exploit writer at Core Security Technologies who discovered this vulnerability is Nicolás Economou [coresecurity.com] and congratulate him on the great work he has done.

    Disclaimer: I also work at Core

  • by msuarezalvarez ( 667058 ) on Tuesday March 16, 2010 @08:22PM (#31503410)
    I've upgraded "linux" (OS, libs, and what not) literally thousands of times in the ca. 15 years I've been using it, and I doubt there were 5 times where I had a real problem with the many apps I use stopping working...
  • by ircmaxell ( 1117387 ) on Tuesday March 16, 2010 @11:46PM (#31504694) Homepage
    Pouring resources into one particular project doesn't work. But pouring resources into a pile of otherwise unrelated projects does. If it's a problem of overload (where they have 1000 outstanding issues to investigate/fix, and less than 1000 people to work on it), you could gain something by adding resources... The "Mythical Man Month" is about adding resources to one project (where everyone's work depends on everyone else's)...
  • Not a vulnerability (Score:3, Informative)

    by poppycock ( 231161 ) on Wednesday March 17, 2010 @02:44AM (#31505392)

    This isn't really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC. Microsoft is actually in a leading position when it comes to memory protection features as compared to anyone this side of OpenBSD.

    Why isn't someone issuing an "advisory" that the MacOS implementation of things like GS, ASLR, early-heap-termination and SafeSEH are either weak or nonexistent?

    ASLR could use more entropy. Stack cookies could be present in every function, instead of just some. Every defense can be improved, and I don't think Microsoft has ever claimed that ASLR or GS is a reason NOT to produce a patch.

    IMHO, Microsoft is completely correct to not issue a bulletin for this since that is an indication of a severe issue. And Core is free to make the issue known publicly as well, and people can decide for themselves. But the Slashdot title is misleading at best.

  • by jim_v2000 ( 818799 ) on Wednesday March 17, 2010 @04:30AM (#31505744)
    RTFA and re-read what I said:

    Article: "It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system."

    Me: "Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system)"
  • by julesh ( 229690 ) on Wednesday March 17, 2010 @05:05AM (#31505900)

    Aren't those called "exploits"?

    No, you're misunderstanding the article. A "security mitigation" is something that stops exploits working without actually removing the hole that allows the exploit. Stuff like checking your stack is still intact before returning from a function in order to make stack overflow exploits fail: the stack can still be overflowed, but you can't (easily) exploit this any more.
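    The stack-intact check julesh describes, as an added illustration that is not from the thread or from Core Security's advisory: a constructed struct mimics the frame layout a /GS or -fstack-protector build emits (fixed buffer, then a cookie), frame_write() is the unchecked copy, and frame_return() is the epilogue comparison that refuses to return when the cookie has changed. The cookie value and all names are hypothetical, and the copy is clamped to the frame size so the demo never writes outside its own struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout: a 16-byte buffer followed by the cookie that
 * guards whatever sits beyond it on a real stack (saved return address). */
struct frame {
    char     buf[16];
    uint32_t cookie;
};

/* Hypothetical per-process cookie; a real runtime seeds it at startup with
 * a random value. A fixed constant is enough to show the check itself. */
static const uint32_t g_cookie = 0xA5C3E1F7u;

void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = g_cookie;
}

/* The bug class a cookie protects: a copy with no check against the
 * buffer length. Writes are clamped to the frame so the demo stays safe,
 * but anything past 16 bytes still lands on the cookie. */
void frame_write(struct frame *f, const char *src, size_t n) {
    unsigned char *dst = (unsigned char *)f;
    for (size_t i = 0; i < n && i < sizeof *f; i++)
        dst[i] = (unsigned char)src[i];
}

/* Epilogue check: 1 = cookie intact (return allowed),
 * 0 = stack was overflowed (mitigation fires, process would abort). */
int frame_return(const struct frame *f) {
    return f->cookie == g_cookie;
}

/* Copy n constructed filler bytes into a fresh frame and report whether
 * the epilogue check would let the function return. */
int copy_is_clean(size_t n) {
    struct frame f;
    char src[sizeof f];
    memset(src, 'A', sizeof src);   /* constructed input, no cookie bytes */
    frame_init(&f);
    frame_write(&f, src, n);
    return frame_return(&f);
}

int main(void) {
    printf("16 bytes: %s\n", copy_is_clean(16) ? "cookie intact" : "overflow detected");
    printf("20 bytes: %s\n", copy_is_clean(20) ? "cookie intact" : "overflow detected");
    return 0;
}
```

    The overflow still happens; what the check changes is that the corrupted frame is detected before the return executes, which is exactly the distinction between a hole and a mitigation for that hole.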
