Researchers at Core Security Technologies Inc. have discovered a zero-day vulnerability in Microsoft's Virtual PC virtualization software that could allow an attacker to bypass Windows security features and attack virtual sessions.
In an advisory issued Tuesday, Core said the zero-day flaw is located in the Microsoft Virtual PC hypervisor, the underlying code that serves as the backbone of virtualized sessions. Ivan Arce, chief technology officer at Boston-based Core, said the vulnerability is serious, because users of Windows 7 can use Virtual PC technology in XP mode to run applications that aren't compatible with Windows 7.
"I think it's an important security vulnerability that needs to be fixed," Arce said. "It's like bringing back the exploitation techniques for binary code execution again."
Arce said the issue is in the way the hypervisor manages the memory it allocates and provides to the virtualized operating systems. Innocuous coding errors that would merely cause an application or function to crash on physical hardware are much more dangerous in a Virtual PC environment if the flaws are exploited using the weakness. It transforms a certain type of common software bug into exploitable vulnerabilities, he said.
The weakness enables attackers to bypass several security features in Windows that were created to protect against such exploitation on physical machines: Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) mitigate the problem on physical Windows systems. Once those protections are bypassed and an application flaw is exploited inside a virtual machine, the attacker can execute code on the vulnerable system, Arce said.
The vulnerability affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is affected by the vulnerability, Core said. Microsoft Hyper-V technology is not affected by the problem.
Arce said the issue was reported to Microsoft in August of 2009, but Microsoft engineers and Core researchers disagree on the seriousness of the issue. Arce said Microsoft believes the issue isn't as serious because an application flaw must be present in order for an attacker to carry out a successful attack.
Microsoft said it continues to recommend using Windows XP Mode and Windows Virtual PC to gain compatibility for applications that can't run on Windows 7. A Microsoft spokesperson said an attacker could only exploit a vulnerability in an application running "inside" the guest virtual machine on Windows XP rather than Windows 7 in the case of Windows XP Mode.
"An attacker would need to abuse an already present vulnerability in order to leverage this technique," Microsoft said. "The difference is that on a regular Windows system, that bug may not be exploitable, whereas in the Virtual PC guest machine, it potentially could be."
There are no effective workarounds, Arce said. Users of Virtual PC should keep their systems patched to the highest level possible and minimize the number of processes running in a virtualized environment, he said.
Nicolas Economou, a Core Security Exploit Writer working with CoreLabs, is credited with discovering the Virtual PC Hypervisor vulnerability.