An unpatched weakness in Microsoft's Virtual PC could leave companies using the virtualization software vulnerable to attack, Core Security Technologies said on Tuesday.
An exploit writer at Core Security discovered the vulnerability in Virtual PC hypervisor and reported it to Microsoft in August 2009, Core Security said in an advisory.
Microsoft indicated that it plans to solve the problem in future updates to the vulnerable products: Microsoft Virtual PC 2007, Windows Virtual PC, and Virtual Server 2005, the advisory says. Microsoft Hyper-V technology is not affected by the problem, Core Security said.
Basically, the hole could allow an attacker to bypass Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and other security mitigation features to compromise virtualized Windows systems. Thus certain vulnerabilities that were not exploitable may become exploitable in the virtualized system, said Ivan Arce, chief technology officer at Core Security.
"This needs to be addressed in a security (Patch Tuesday) cycle and not rolled out in a service pack at some point in the future," he said in a telephone interview.
"...My oldest daughters now, does not see eye to eye with me on most issues. For instance she claims to be atheist. She is also a Yankees fan. I don't know which one bothers me most."
2 users laughed. The question is: Are they laughing with you, or at you?:
It's so wierd how they switch gears on the severity/importance of things.
At one point they were pushing their virtualization stuff as being potentially hot-swappable--as in you could freeze any instance and move it to a different machine. Following their recommendations you would stuff as many virtual machines onto a physical box as possible to increase your 'virtual rack density' (I love that term...) and lower tco, yadda yadda yadda.
So someone finds an admittedly obscure, but nonetheless way of circumventing the technology they tout as being so critical to tech and presto..."Oh, it's not a big deal. The system has to be vulnerable to begin with." That statement alone is great because that's the reason you supposedly bought the product in the first place--to protect you from those sorts of vulnerabilities.
There's alot of other little very obscure bugs I keep coming across in .NET that they still haven't addressed and may not be able to. Odd thread leaks, global namespace object creation hacks, 64 bit memory corruption, etc. But their world keeps on turning!
"There are two novels that can change a bookish fourteen-year old’s life: The Lord of the Rings and Atlas Shrugged. One is a childish fantasy that often engenders a lifelong obsession with its unbelievable heroes, leading to an emotionally stunted, socially crippled adulthood, unable to deal with the real world. The other, of course, involves orcs." -KFM