Microsoft Virtual PC zero-day flaw weakens virtual sessions

Robert Westervelt, News Editor

Researchers have discovered a zero-day flaw in Microsoft's Virtual PC virtualization software that could allow an attacker to bypass Windows security features and attack vulnerable applications in virtual sessions.

An advisory issued Tuesday by Core Security Technologies Inc. outlines the zero-day flaw located in the Microsoft Virtual PC hypervisor, the underlying code that serves as the backbone of virtualized sessions. Ivan Arce, chief technology officer at Boston-based Core, said the vulnerability is serious because users of Windows 7 can use Virtual PC technology in XP mode to run applications that aren't compatible with Windows 7.

"I think it's an important security vulnerability that needs to be fixed," Arce said. "It's like brining bringing back the exploitation techniques for binary code execution again."

Arce said the issue is in the way the hypervisor manages the memory it allocates and provides to the virtualized operating systems. Innocuous coding errors that would normally cause an application to crash on physical hardware are much more dangerous in a Virtual PC environment if the flaws are exploited using the weakness. It transforms a certain type of common software bug into exploitable vulnerabilities, he said.

The weakness enables attackers to bypass several security features that Windows includes to protect against the technique on physical machines. Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) mitigate the problem in Windows systems. Once the controls are bypassed and an application flaw is exploited in a virtual machine, the attacker can execute code on a vulnerable system, Arce said.

The vulnerability affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is affected by the vulnerability, Core said. Microsoft Hyper-V technology is not affected by the problem.

Arce said the issue was reported to Microsoft in August of 2009, but Microsoft engineers and Core researchers disagree on the seriousness of the issue. Arce said Microsoft believes the issue isn't as serious because an application flaw must be present in order for an attacker to carry out a successful attack.

Microsoft said it continues to recommend using Windows XP Mode and Windows Virtual PC to gain compatibility for applications that can't run on Windows 7. A Microsoft spokesperson said an attacker could only exploit a vulnerability in an application running "inside" the guest virtual machine on Windows XP rather than Windows 7 in the case of Windows XP Mode.

"An attacker would need to abuse an already present vulnerability in order to leverage this technique," Microsoft said. "The difference is that on a regular Windows system, that bug may not be exploitable, whereas in the Virtual PC guest machine, it potentially could be."

Microsoft engineers also posted a blog entry explaining the extent of the vulnerability in Virtual PC.

There are no effective workarounds, Arce said. Users of Virtual PC should maintain the highest patch level possible and minimize the number of processes running in a virtualized environment, he said.

Nicolas Economou, a Core Security exploit writer working with CoreLabs, is credited with discovering the Virtual PC hypervisor vulnerability.