Lain (is Bams)
03-17-2010, 03:20 AM
It would be nice if Microsoft thought about security before it released stuff, instead of as a 'we can patch that' afterthought. :bong:
Microsoft virtual PC Hole (http://news.cnet.com/8301-27080_3-20000594-245.html?part=rss&tag=feed&subj=InSecurityComplex)
Bold by yours truly. :bong:
An unpatched weakness in Microsoft's Virtual PC could leave companies using the virtualization software vulnerable to attack, Core Security Technologies said on Tuesday.
An exploit writer at Core Security discovered the vulnerability in Virtual PC hypervisor and reported it to Microsoft in August 2009, Core Security said in an advisory.
Microsoft indicated that it plans to solve the problem in future updates to the vulnerable products: Microsoft Virtual PC 2007, Windows Virtual PC, and Virtual Server 2005, the advisory says. Microsoft Hyper-V technology is not affected by the problem, Core Security said.
Basically, the hole could allow an attacker to bypass Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and other security mitigation features to compromise virtualized Windows systems. Thus certain vulnerabilities that were not exploitable may become exploitable in the virtualized system, said Ivan Arce, chief technology officer at Core Security.
"This needs to be addressed in a security (Patch Tuesday) cycle and not rolled out in a service pack at some point in the future," he said in a telephone interview.