News

Microsoft Disputes 'Vulnerability' in Virtual PC

Microsoft defended its turf this week after a software security vendor went public about an alleged security hole in Redmond's Virtual PC hypervisor.

Core Security Technologies published a security advisory on Tuesday saying that a vulnerability in the hypervisor may allow attackers to bypass several Windows security mechanisms. Those mechanisms include data execution prevention, safe structured error handling and address space layout randomization.

The problem, according to Core Security's advisory, affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC (the successor to the 2007 version), Virtual Server 2005 and Virtual Server 2005 R2 SP1. The advisory excluded Microsoft's Hyper-V hypervisor, which is part of Windows Server 2008 and Hyper-V Server.

Microsoft's Paul Cooke disputed the "vulnerability" label being applied to Virtual PC's hypervisor. Virtual PC enables desktop virtualization, and when used with Windows XP Mode, it allows users to run the XP Service Pack 3 operating system in a virtual machine on top of Windows 7.

"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote in this blog post. "Instead, [Core Security] is describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system."

The protection mechanisms that are present in the Windows kernel are "rendered less effective inside of a virtual machine as opposed to a physical machine," Cooke noted. He added that there is no vulnerability introduced, just a loss of certain security protection mechanisms.

Microsoft's tiffs with security vendors over semantics and nuances on what constitutes a vulnerability are nothing new. However, this time, experts appear to be lining up on Redmond's side. Microsoft is correct that the operating system is isolated from the memory space of the programs running in the Virtual PC.

"The fact that the VPC [Virtual PC] creates a sandbox for misbehaved programs is exactly what it is supposed to do," said Phil Lieberman, founder and president of Lieberman Software.

To that end, Don Retallack, a security analyst at Directions on Microsoft, said he doesn't think Core Security's assertion sounds like a serious problem.

"Virtual machines are isolated from each other, so they are more secure," he said. In that sense [Core Security's theory] doesn't show how different virtual machines interact and what would happen in those scenarios."

Retallack concurred with Cooke that anti-virus software needs to be maintained on a virtual machine, just as much as with the underlying operating system. Michael Whalen, an independent IT consultant and former senior manager of knowledge management at O'Melveny & Myers LLP, echoed the sentiment.

"In general, at the enterprise level, virtualization is where things are heading because it allows you to run multiple virtual servers on one piece of hardware" Whalen said. "Apart from making sure the underlying operating system is patched and updated, things are more fundamentally secure in a virtual environment."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Reader Comments:

Sat, Mar 20, 2010 Steve Hand

All potential vulnerabilities are iportant to evaluate. I do not see this as a significant vulnerability. More important to me is when is Microsoft going to provide the ability to host 64bit OS's in VirtualPC. This is a major shortcoming in the overall Microsoft virtualization story.

Thu, Mar 18, 2010 Philip Lieberman / Lieberman Software Corp Los Angeles, CA

In fact, we use virtual machines as sacrificial environments specifically for the purposes of getting infected to understand the behavior of malicious software. The fact that VPC images can get infected/exploited is exactly what we are seeking. The beauty is that we can kill the VPC, reset the environment and try again without damaging the underlying machine. VPCs are great, but they generally running less secure operating systems such as XP. Nothing about the VPC makes the operating system it is hosting any more secure. Generally speaking we have had few problems with the VPCs except when they need to support strange hardware via their device drivers.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.