Microsoft is dismissing weaknesses discovered in its Virtual PC software that enable an attacker to bypass Windows security features and exploit common vulnerabilities in applications.
A Microsoft spokesperson said Wednesday that it has no immediate plans to address a
"As the behavior described in Core's Advisory simply calls out a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system vs. a new, standalone vulnerability, we have no plans to alter the Windows Virtual PC environment," the spokesperson wrote in an email message. "Microsoft is of course always evaluating ways to strengthen security mitigations present in its software and may choose to integrate them when they reach a sufficient level of quality and offer value to our customers."
Users of Windows 7 can use Virtual PC technology in XP mode to run applications that aren't compatible with Windows 7. The memory allocation error makes coding flaws, which normally would cause an application to terminate on physical machines, into exploitable vulnerabilities, said Ivan Arce, chief technology officer of Boston-based Core Security Technologies Inc.
Virtual PC flaw:
Arce said the vulnerability enables an attacker to bypass Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) security features used in Windows systems to prevent malicious code from executing in the Windows kernel. He was unavailable to respond to Microsoft's response to the issue.
The Microsoft spokesperson said only applications running inside a guest virtual machine are at risk. Users of Virtual PC should follow common security practices, including making sure a firewall is enabled, antivirus software is installed and up to date and all software has been updated with the latest security patches.
"An attacker could not take over a whole host machine running multiple virtual machines. The safeguards within Windows 7 on the desktop OS (DEP, ASLR, and SafeSEH etc.) remain in place," the Microsoft spokesperson said.
In a blog entry issued earlier this week, Microsoft's Paul Cooke, a director in the Windows Client group, stopped short of calling the Virtual PC issue a vulnerability.
"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote. "The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms."