MS Virtual PC Flaw Defeats Windows Defenses

Coop's Troops writes "An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks. The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — DEP, SafeSEH and ASLR — to exploit the Windows operating system. As a result, some applications with bugs that are not exploitable when running in a not-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC."

Which only goes to show, it's always something

[koko]

If you want security, unplug the 'net. You ain't gonna get it any other way.

This gets me every time

[Ben4jammin]

Arce said Core reported the flaw to Microsoft last August... Microsoft officials declined to comment until they had a chance to review Core’s advisory on the issue

So how many months do you need to review once you are told about it???

Re:Linux

[customizedmischief]

Every time I read an article like this, it gives me a smug face wondering why more people don't switch.

Swtch to what, VMware or Parallels?

Re:Linux

[snowraver1]

Answer: Because their apps run on windows. That's all there is to it.

Re:This gets me every time

[Anonymous Coward]

The moment they put out a patch that breaks anything, or makes things worse the uproar will be greater. Its also amazing how it will work find in say, the spanish version, but not on the chinese versions. So many things and so many different products.

How many people even use VirtualPC/XP mode anyway?

[jim_v2000]

I mean, talk about small targets. I highly doubt that any hacker would find it worth his time to attempt to exploit this. I mean, first you have to find someone running XP mode. Then you have to get them to open an executable (or exploit some other vulnerability to get onto the system) on the guest OS instead of the host OS. Then the person still has to have more than 2 gigs of RAM and be utilizing more than 2 gigs at once. Then, after all that, you only have access to the XP VM, which may or may not have anything of worth on it.

I'm not surprised that MS shrugged it off for now.

Re:This gets me every time

[obarthelemy]

Let's play devil's advocate:

MS has quite a lot of competing agendas:
- keep backwards compatibility, v1. That means a bunch a old APIs, services, apps... Not only was security not much of a concern back when those were written, but any change in the environment risks unveiling new vulns. These pooor guys are actually supposed to maintain IE 6, IE7, and IE 8.
- keep backwards compatibility, v2. MS can't really change the security model or the way they expose it without, again, breaking apps. Since NT, Windows's security model is not bad. But MS can't really implement it fully (no apps changing system-wide ressources, no writing outside of a handful of approved dirs...) without, again, breaking apps.
- add features
- maintain an incredibly wide array of software. MS = Oracle + Linux+ php + Apache + OOo + Firefox + ...

So yes, I really hate the pain that managing MS systems is. I, and they, know they could make things better by breaking a lot of apps. They choose not to... prolly because their customers want them not to. I can understand that.

Re:Ugh, this isn't good.

[X0563511]

If someone is using VirtualPC for a honeypot, they are an idiot.

The idea of a honeypot is that it is indistinguishable from "the real thing."

That this flaw even exists means it is identifiable as a virtual machine.

Re:This gets me every time

[ircmaxell]

Don't forget, you're talking about a monolith of a company. They have more than enough resources to pour into security. Yet they don't... I refuse to cut them any slack, when open source projects which are powered by volunteers (I know not all are, but a significant number are) can produce (and do produce) results SIGNIFICANTLY faster than MS typically does... If a bunch of volunteers with VERY limited resources can do it, why can't a company with practically unlimited resources handle it?

Re:Linux

[Mr2001]

It's a matter of priorities. Do I want to a) fight Windows security and have the apps I want, b) ignore security and have the apps I want, or c) have security, but have to learn some other app, or maybe do without that app.

The whole point of having a computer is to run the programs you want to run. If you're going to have to "do without", you might as well unplug the damn thing (thereby achieving perfect security).

Re:This gets me every time

[Mr2001]

then with windows vista why didn't MSFT include an XP mode, than ran in it's own self contained section while using the higher security of a modern OS?

Windows 7 Professional/Ultimate includes exactly that. But it's implemented using Virtual PC, which is where this flaw was discovered.

Re:Ugh, this isn't good.

[Mr2001]

A lot of people considered that to be all sorts of bullshit because Intel uses their VT feature to differentiate product lines; I.E., moderately priced business desktops don't support XP mode.

Moral: if you're looking for something modestly priced, go with AMD processors. Not only are they cheaper, but nearly all the ones you can find today support virtualization.

Re:Linux

[RMS Eats Toejam]

Slashdot: Where the truth is flammable.