Microsoft Disputes 'Vulnerability' in Virtual PC

Microsoft defended its turf this week after a software security vendor went public about an alleged security hole in Redmond's Virtual PC hypervisor.

Core Security Technologies published a security advisory on Tuesday saying that a vulnerability in the hypervisor may allow attackers to bypass several Windows security mechanisms. Those mechanisms include data execution prevention, safe structured error handling and address space layout randomization.

The problem, according to Core Security's advisory, affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC (the successor to the 2007 version), Virtual Server 2005 and Virtual Server 2005 R2 SP1. The advisory excluded Microsoft's Hyper-V hypervisor, which is part of Windows Server 2008 and Hyper-V Server.

Microsoft's Paul Cooke disputed the "vulnerability" label being applied to Virtual PC's hypervisor. Virtual PC enables desktop virtualization, and when used with Windows XP Mode, it allows users to run the XP Service Pack 3 operating system in a virtual machine on top of Windows 7.

"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote in this blog post. "Instead, [Core Security] is describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system."

The protection mechanisms that are present in the Windows kernel are "rendered less effective inside of a virtual machine as opposed to a physical machine," Cooke noted. He added that there is no vulnerability introduced, just a loss of certain security protection mechanisms.

Microsoft's tiffs with security vendors over semantics and nuances on what constitutes a vulnerability are nothing new. However, this time, experts appear to be lining up on Redmond's side. Microsoft is correct that the operating system is isolated from the memory space of the programs running in the Virtual PC.

"The fact that the VPC [Virtual PC] creates a sandbox for misbehaved programs is exactly what it is supposed to do," said Phil Lieberman, founder and president of Lieberman Software.

To that end, Don Retallack, a security analyst at Directions on Microsoft, said he doesn't think Core Security's assertion sounds like a serious problem.

"Virtual machines are isolated from each other, so they are more secure," he said. In that sense [Core Security's theory] doesn't show how different virtual machines interact and what would happen in those scenarios."

Retallack concurred with Cooke that anti-virus software needs to be maintained on a virtual machine, just as much as with the underlying operating system. Michael Whalen, an independent IT consultant and former senior manager of knowledge management at O'Melveny & Myers LLP, echoed the sentiment.

"In general, at the enterprise level, virtualization is where things are heading because it allows you to run multiple virtual servers on one piece of hardware" Whalen said. "Apart from making sure the underlying operating system is patched and updated, things are more fundamentally secure in a virtual environment."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Outlines Steps for Bringing Classic Alert Rules into Azure Monitor

    Microsoft described how to modernize so-called "classic" alert rules to work with the new Azure Monitor service in a Thursday Azure announcement.

  • Microsoft Issues Windows Server HTTP/2 Attack Advisory

    Microsoft issued Security Advisory ADV190005 on Wednesday concerning a potential HTTP/2 settings issue for users of Internet Information Services (IIS) on Windows Server.

  • Performing a Storage Refresh on Windows Server 2016, Part 2

    Earlier, Brien walked through the steps of preparing a physical Windows Server 2016 machine for a storage refresh. Now, he shows how to complete the process, all the way to OS restoration.

  • New Office App Coming to Windows 10 Users

    Microsoft is delivering a new Office app for Windows 10 consumer and business users over the new few weeks, according to a Wednesday announcement.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.