Microsoft, security vendor clash over Virtual PC bug

No immediate plans to patch flaw that skirts Windows defenses, says Microsoft

A bug in Microsoft's software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said today.

The flaw is in some of Microsoft's virtualization software, including Windows XP Mode , the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.

Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Core Security, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."

Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole . "The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."

Core and Microsoft don't disagree on the facts, said Arce.

The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomization), that are designed to deflect some types of attacks against Windows XP, Vista and Windows 7 .

But the two companies don't see eye-to-eye on the need for a patch. "We don't agree with Microsoft's decision not to patch," said Arce. "Applications in a virtualized environment are more easily exploitable than if they were running on real hardware. This should be fixed."

Hackers could exploit the flaw to attack virtualized copies of Windows that normally would be immune to attack, or at the least, much more difficult to attack, because of mechanisms like DEP and ASLR, Arce said. And the bug could make vulnerabilities once thought trivial, and not worth the trouble to patch, worthy of exploitation. "In light of this bug, vulnerabilities believed to not apply to the virtualized OS and that were dismissed as not exploitable, may, in fact, be exploitable," Arce added.

Arce acknowledged that by publishing its lengthy advisory -- which includes proof-of-concept attack code -- Core was pressuring Microsoft to patch. "We understand that it may be difficult to fix, but this puts pressure on them to do something about it sooner rather than later," he said.

Microsoft's Hyper-V technology, which is employed by Windows Server 2008, is not affected by the flaw, Microsoft and Core agreed.

Although the "guest" operating systems running in virtual machines are at risk, the "host" operating system -- the one powering the actual physical hardware -- is not, Microsoft assured customers. Nor can the flaw be used to jump from one virtualized guest OS on a single machine to another. Even so, Microsoft's Cooke urged users to run virtualized applications on the desktop only when there was no substitute.

"We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7," he said in an entry to the Windows Security blog . "For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future."

"Virtualization software is actual software, it's not magic," said Arce. "It's vulnerable, and sometimes bugs in it are not minimal. Should we wait five years -- and I'm exaggerating here -- for Microsoft to fix this, but not tell anyone? Sure, it may take some time for Microsoft to fix this, but there are other virtualization packages people can use that don't have this vulnerability."

Core's advisory spelled that out in plain English, telling users to either run mission-critical Windows applications on non-virtualized systems or to use alternate virtualization software.

Arce credited Nicolas Economou, who works at Core as an exploit writer, with uncovering the bug.

Microsoft has taken the same stance in the past when it's argued that what others classify as security vulnerabilities it believes are nothing of the sort. Nearly three years ago, for instance, the company claimed that Office 2007 crashes reported as flaws were actually part of the suite's design .

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftvirtualisationWindows 7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?