A bug in Microsoft's software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said today.
The flaw is in some of Microsoft's virtualization software, including Windows XP Mode, the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.
Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Core Security, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."
Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole. "The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."
Core and Microsoft don't disagree on the facts, said Arce.
The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomization), that are designed to deflect some types of attacks against Windows XP, Vista and Windows 7.
img: michaelsinsight.typepad.com
Recent comments
14 weeks 3 days ago
14 weeks 4 days ago
14 weeks 5 days ago
14 weeks 5 days ago
14 weeks 5 days ago
14 weeks 6 days ago
18 weeks 13 hours ago
19 weeks 2 days ago
21 weeks 4 days ago
21 weeks 6 days ago