Microsoft Disputes 'Vulnerability' in Virtual PC
Microsoft defended its turf this week after a software security vendor went public about an alleged security hole in Redmond's Virtual PC hypervisor.
Core Security Technologies published a security advisory on Tuesday saying that a vulnerability in the hypervisor may allow attackers to bypass several Windows security mechanisms. Those mechanisms include data execution prevention, safe structured error handling and address space layout randomization.
The problem, according to Core Security's advisory, affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC (the successor to the 2007 version), Virtual Server 2005 and Virtual Server 2005 R2 SP1. The advisory excluded Microsoft's Hyper-V hypervisor, which is part of Windows Server 2008 and Hyper-V Server.
Microsoft's Paul Cooke disputed the "vulnerability" label being applied to Virtual PC's hypervisor. Virtual PC enables desktop virtualization, and when used with Windows XP Mode, it allows users to run the XP Service Pack 3 operating system in a virtual machine on top of Windows 7.
"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote in this blog post. "Instead, [Core Security] is describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system."
The protection mechanisms that are present in the Windows kernel are "rendered less effective inside of a virtual machine as opposed to a physical machine," Cooke noted. He added that there is no vulnerability introduced, just a loss of certain security protection mechanisms.
Microsoft's tiffs with security vendors over semantics and nuances on what constitutes a vulnerability are nothing new. However, this time, experts appear to be lining up on Redmond's side. Microsoft is correct that the operating system is isolated from the memory space of the programs running in the Virtual PC.
"The fact that the VPC [Virtual PC] creates a sandbox for misbehaved programs is exactly what it is supposed to do," said Phil Lieberman, founder and president of Lieberman Software.
To that end, Don Retallack, a security analyst at Directions on Microsoft, said he doesn't think Core Security's assertion sounds like a serious problem.
"Virtual machines are isolated from each other, so they are more secure," he said. In that sense [Core Security's theory] doesn't show how different virtual machines interact and what would happen in those scenarios."
Retallack concurred with Cooke that anti-virus software needs to be maintained on a virtual machine, just as much as with the underlying operating system. Michael Whalen, an independent IT consultant and former senior manager of knowledge management at O'Melveny & Myers LLP, echoed the sentiment.
"In general, at the enterprise level, virtualization is where things are heading because it allows you to run multiple virtual servers on one piece of hardware" Whalen said. "Apart from making sure the underlying operating system is patched and updated, things are more fundamentally secure in a virtual environment."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.