Virtual PC hole could lead to attacks, security firm says

An unpatched weakness in Microsoft's Virtual PC could leave companies using the virtualization software vulnerable to attack, Core Security Technologies said on Tuesday.

An exploit writer at Core Security discovered the vulnerability in Virtual PC hypervisor and reported it to Microsoft in August 2009, Core Security said in an advisory.

Microsoft indicated that it plans to solve the problem in future updates to the vulnerable products: Microsoft Virtual PC 2007, Windows Virtual PC, and Virtual Server 2005, the advisory says. Microsoft Hyper-V technology is not affected by the problem, Core Security said.

Basically, the hole could allow an attacker to bypass Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and other security mitigation features to compromise virtualized Windows systems. Thus certain vulnerabilities that were not exploitable may become exploitable in the virtualized system, said Ivan Arce, chief technology officer at Core Security.

"This needs to be addressed in a security (Patch Tuesday) cycle and not rolled out in a service pack at some point in the future," he said in a telephone interview.

Virtual PC hypervisor is part of Windows Virtual PC package, which allows customers to run multiple Windows environments on a single computer. The hypervisor is a key component of Windows 7 XP Mode, a feature designed to ease the migration of customers to the new operating system that need to run Windows XP on the native operating system.

Core Security recommends that affected users run all mission critical Windows applications on the native hardware or use virtualization technologies that aren't affected by the bug.

Microsoft downplayed the issue, saying it wasn't really its own vulnerability but merely a "way for an attacker to more easily exploit security vulnerabilities already present on the system."

"It does this by rendering a number of protection mechanisms that are present in the Windows kernel less effective inside a virtual machine as opposed to a physical Windows machine. An attacker would need to abuse an already present vulnerability in order to leverage this technique. In the scenario Core describes, the functionality is limited to within the virtualized environment--in other words, an attacker could only exploit a vulnerability in an application running 'inside' the guest virtual machine on Windows XP rather than Windows 7 in the case of Windows XP Mode," Microsoft said in a statement.

"An attacker could not take over a whole host machine running multiple virtual machines. The safeguards within Windows 7 on the desktop OS (DEP, ASLR, and SafeSEH etc.) remain in place," the statement said. "In addition, an actual vulnerability must already be present in an application running in the guest machine in order for an attacker to take advantage of this. The difference is that on a regular Windows system, that bug may not be exploitable, whereas in the Virtual PC guest machine, it potentially could be."

Microsoft goes into more details in a post on the Windows Blog.

Core Security's Arce said the Microsoft argument misses the point that the hypervisor XP Mode makes applications running the virtualized operating system less secure than the same applications running on a real operating system.

"I can guarantee you any desktop system has a vulnerability, especially if there are vulnerabilities that weren't fixed because they weren't (previously) exploitable," he said. "If your desktop is virtualized, it's still your desktop; it's not less vulnerable as a target."