Dispute about Virtual PC security holes
After more than half a year of discussions with Microsoft, the vulnerability testers at Core Security have released an advisory about a problem in Virtual PC. While Core Security regards the problem as a security hole, Microsoft takes care to point out that it does not consider the issue an "actual vulnerability per se".
It is true that the described flaw can't be exploited directly. Both parties agree that the hypervisor responsible for managing the virtual systems is too generous with the access rights to memory areas beyond 2 GB. This makes it easy for attackers to bypass security mechanisms such as Data Execution Prevention (DEP). If, for instance, a user starts a vulnerable application in the XP mode of Windows 7, which is implemented via Virtual PC, the hole can be exploited although the application would be protected via DEP on a real XP system.
Since Microsoft doesn't consider this an actual security hole, no patch will be released, but the company does plan to fix the problem in one of the forthcoming versions. Incidentally, the Hyper-V server virtualisation solution is not affected.
- Virtual PC Hypervisor Memory Protection Vulnerability, security advisory from Core Security.
- Vulnerability in Virtual PC?, a Windows Blog post.