In association with heise online

18 March 2010, 10:53

Dispute about Virtual PC security holes

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Microsoft Logo After more than half a year of discussions with Microsoft, the vulnerability testers at Core Security have released an advisory about a problem in Virtual PC. While Core Security regards the problem as a security hole, Microsoft takes care to point out that it does not consider the issue an "actual vulnerability per se".

It is true that the described flaw can't be exploited directly. Both parties agree that the hypervisor responsible for managing the virtual systems is too generous with the access rights to memory areas beyond 2 GB. This makes it easy for attackers to bypass security mechanisms such as Data Execution Prevention (DEP). If, for instance, a users starts a vulnerable application in the XP mode of Windows 7, which is implemented via Virtual PC, the hole can be exploited although the application would be protected via DEP on a real XP system.

Since Microsoft doesn't consider this an actual security hole, no patch will be released but does plan to fix the problem in one of the forthcoming versions. Incidentally, the Hyper-V server virtualisation solution is not affected.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit