News

Microsoft Disputes 'Vulnerability' in Virtual PC

Microsoft defended its turf this week after a software security vendor went public about an alleged security hole in Redmond's Virtual PC hypervisor.

Core Security Technologies published a security advisory on Tuesday saying that a vulnerability in the hypervisor may allow attackers to bypass several Windows security mechanisms. Those mechanisms include data execution prevention, safe structured error handling and address space layout randomization.

The problem, according to Core Security's advisory, affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC (the successor to the 2007 version), Virtual Server 2005 and Virtual Server 2005 R2 SP1. The advisory excluded Microsoft's Hyper-V hypervisor, which is part of Windows Server 2008 and Hyper-V Server.

Microsoft's Paul Cooke disputed the "vulnerability" label being applied to Virtual PC's hypervisor. Virtual PC enables desktop virtualization, and when used with Windows XP Mode, it allows users to run the XP Service Pack 3 operating system in a virtual machine on top of Windows 7.

"The functionality that Core calls out is not an actual vulnerability per se," Cooke wrote in this blog post. "Instead, [Core Security] is describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system."

The protection mechanisms that are present in the Windows kernel are "rendered less effective inside of a virtual machine as opposed to a physical machine," Cooke noted. He added that there is no vulnerability introduced, just a loss of certain security protection mechanisms.

Microsoft's tiffs with security vendors over semantics and nuances on what constitutes a vulnerability are nothing new. However, this time, experts appear to be lining up on Redmond's side. Microsoft is correct that the operating system is isolated from the memory space of the programs running in the Virtual PC.

"The fact that the VPC [Virtual PC] creates a sandbox for misbehaved programs is exactly what it is supposed to do," said Phil Lieberman, founder and president of Lieberman Software.

To that end, Don Retallack, a security analyst at Directions on Microsoft, said he doesn't think Core Security's assertion sounds like a serious problem.

"Virtual machines are isolated from each other, so they are more secure," he said. In that sense [Core Security's theory] doesn't show how different virtual machines interact and what would happen in those scenarios."

Retallack concurred with Cooke that anti-virus software needs to be maintained on a virtual machine, just as much as with the underlying operating system. Michael Whalen, an independent IT consultant and former senior manager of knowledge management at O'Melveny & Myers LLP, echoed the sentiment.

"In general, at the enterprise level, virtualization is where things are heading because it allows you to run multiple virtual servers on one piece of hardware" Whalen said. "Apart from making sure the underlying operating system is patched and updated, things are more fundamentally secure in a virtual environment."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.