News Stay informed about the latest enterprise technology news and product updates.

Patch for Microsoft Virtual PC weakness unlikely

Microsoft said it has no plans to alter the Windows Virtual PC environment.

Microsoft is dismissing weaknesses discovered in its Virtual PC software that enable an attacker to bypass Windows security features and exploit common vulnerabilities in applications. 

"We have no plans to alter the Windows Virtual PC environment."
Microsoft Spokesperson

A Microsoft spokesperson said Wednesday that it has no immediate plans to address a Virtual PC hypervisor memory protection vulnerability discovered by an exploit writer at Core Security Technologies Inc.

"As the behavior described in Core's Advisory simply calls out a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system vs. a new, standalone vulnerability, we have no plans to alter the Windows Virtual PC environment," the spokesperson wrote in an email message. "Microsoft is of course always evaluating ways to strengthen security mitigations present in its software and may choose to integrate them when they reach a sufficient level of quality and offer value to our customers."

Users of Windows 7 can use Virtual PC technology in XP mode to run applications that aren't compatible with Windows 7. The memory allocation error makes coding flaws, which normally would cause an application to terminate on physical machines, into exploitable vulnerabilities, said Ivan Arce, chief technology officer of Boston-based Core Security Technologies Inc. 

Virtual PC flaw:

Microsoft Virtual PC zero-day flaw weakens virtual sessions: An error in Microsoft Virtual PC can make some harmless bugs on physical PCs much more serious in virtual environments, according to an advisory by Core Security Technologies Inc.

Arce said the vulnerability enables an attacker to bypass Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) security features used in Windows systems to prevent malicious code from executing in the Windows kernel. He was unavailable to respond to Microsoft's response to the issue.

The Microsoft spokesperson said only applications running inside a guest virtual machine are at risk. Users of Virtual PC should follow common security practices, including making sure a firewall is enabled, antivirus software is installed and up to date and all software has been updated with the latest security patches. 

"An attacker could not take over a whole host machine running multiple virtual machines. The safeguards within Windows 7 on the desktop OS (DEP, ASLR, and SafeSEH etc.) remain in place," the Microsoft spokesperson said.

In a blog entry issued earlier this week, Microsoft's Paul Cooke, a director in the Windows Client group, stopped short of calling the Virtual PC issue a vulnerability.

"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote. "The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms."

Dig Deeper on Virtualization security issues and threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.