Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Vulnerability in Microsoft Virtual PC exploits the unexploitable

By Ryan Naraine | March 16, 2010, 11:47am PDT

Summary: Some applications with bugs that are not exploitable when running in a non-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC.

An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft’s Virtual PC virtualization software to malicious hacker attacks.

The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations —  Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) — to exploit the Windows operating system.

As a result, some applications with bugs that are not exploitable when running in a non-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC, according to Ivan Arce, chief technology officer at Core.

The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessible with read or read/write privileges by user-space programs running in a guest operating system.

Affected software includes Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by the vulnerability.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.

Microsoft Hyper-V technology is not affected by this problem.

Arce said Core reported the flaw to Microsoft last August — more than seven months ago — but after back-and-forth discussions, the company decided it would not issue a security bulletin to provide patches.

“They [Microsoft] said that they agreed with our assessment of the problem, that it makes DEP/SafeSEH and ASLR bypassable. However, they say it doesn’t meet their criteria for a security bulletin and that they’ll fix in a service pack or a future product update,” Arce explained in a telephone interview from his office in Buenos Aires, Argentina.

“Given that that’s their decision, we feel we have to inform people of the risk so they can make informed decisions,” he added. “We consider this a vulnerability that needs to be fixed.”

Microsoft officials declined to comment until they had a chance to review Core’s advisory on the issue.

Microsoft’s Virtual PC hypervisor is an element of the company’s Windows Virtual PC package, which allows users to run multiple Windows environments on a single computer. The hypervisor is a key component of Windows 7 XP Mode, a feature in Microsoft’s latest desktop operating system aimed at easing the migration path into the new OS for users and enterprises that need to run legacy Windows XP applications on its native OS.

Arce said the discovery may transform a certain type of common software bug into an exploitable vulnerability. “Certain vulnerabilities that have been dismissed as non-exploitable may now be exploitable on virtualized environments,” he said. “Let’s say someone found a vulnerability 2-3 years ago in a virtual application. They did the analysis and determined it was not exploitable because it only caused a crash in the client app. Now, you can bypass DEP and SafeSEH and that same vulnerability or a large list of vulnerabilities may be exploitable on virtualized systems.”

Core recommends that affected users run all mission critical Windows applications on native iron or use virtualization technologies that aren’t affected by this vulnerability.

Windows operating systems and applications that must run virtualized using Virtual PC technologies should be kept at the highest patch level possible and monitored to detect exploitation attempts.

“This particular case provides a good example of how mechanisms designed to improve an operating system’s security over many years can eventually become ineffective when some of the basic underlying aspects of their operation are changed by virtualization technology,” Arce said.

UPDATE #1: Here is a link to Core’s advisory, which includes a technical description of the issue and proof-of-concept code.

UPDATE #2: Here is Microsoft’s official response:

Core Security Technologies is describing a way for an attacker to more easily exploit security vulnerabilities already present on the system, rather than an actual vulnerability. It does this by rendering a number of protection mechanisms that are present in the Windows kernel less effective inside a virtual machine as opposed to a physical Windows machine. An attacker would need to abuse an already present vulnerability in order to leverage this technique.

In the scenario Core describes, the functionality is limited to within the virtualized environment– in other words, an attacker could only exploit a vulnerability in an application running “inside” the guest virtual machine on Windows XP rather than Windows 7 in the case of Windows XP Mode. Specially an attacker could not take over a whole host machine running multiple virtual machines. The safeguards within Windows 7 on the desktop OS (DEP, ASLR, and SafeSEH etc.) remain in place.

In addition, an actual vulnerability must already be present in an application running in the guest machine in order for an attacker to take advantage of this. The difference is that on a regular Windows system, that bug may not be exploitable, whereas in the Virtual PC guest machine, it potentially could be.

Microsoft continues to recommend using Windows XP Mode and Windows Virtual PC as a bridging strategy to Windows 7 if they are concerned about compatibility for some of their legacy applications, so that customers can realize the full security benefits Windows 7 offers.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

97
Comments

RE: Vulnerability in Microsoft Virtual PC exploits the unexploitable
efsane Updated - 8th Apr 2011
Great!!! thanks for sharing this information to us!
0 Votes
+ -
How did they exploit it?
John Zern 16th Mar 2010
did they load a program into the virtual environment, or on the physical OS loaded on the machine?
Sir, please, now step away from the Windows Xp. Thank you, that will be all.
Just don't use them?

If you don't have a problem with replacing your favorite programs with alternatives, why not switch to a Linux-based OS?

Also, did you even read the article? The problem applies to all of Microsoft's Virtual PC line, not just XP Mode.
0 Votes
+ -
What's unclear is...
PollyProteus 17th Mar 2010
...is this only for Windows XP in any of those virtual environments, or does this affect Windows 7 running *inside* any of those virtual environments?

If it's only XP (not Vista or Windows 7) in those virtual environments, then the scale of panic should be reduced to someone finding out that they're out of coffee.

If it's *any* OS inside that virtual environment, then it should be re-addressed by Microsoft.

As it stands now, the insinuation is that it's only XP, but again, insinuation is not the same as complete disclosure.
0 Votes
+ -
It's actually pretty clear
tikigawd 17th Mar 2010
The vulnerability is in the virtualization software. So it affects any OS
running "inside," provided that that OS already has certain
vulnerabilities that would have otherwise been rendered useless in a
native environment. XP is mentioned because Win7 offers virtualized XP
out of the box.
0 Votes
+ -
as the panacea for security on Windows. Better to use a Linux/OSS VM on Linux/BSD to put XP in that environment.

However, some here seem to be having difficulty doing that as well.
0 Votes
+ -
That might be a good solution
tikigawd Updated - 17th Mar 2010
for someone who needs Win7 and XP, and has another machine running Linux where he/she can set up virtualized XP. Or the person could work a dual-boot set-up. But for anyone who needs backwards compatibility this vulnerability is at least an inconvenience, and at worst a huge security flaw.

It's unfortunate that MS doesn't deem this important. I'll grant that the number of people needing virtualized XP is not that large, but virtual XP in Win7 was a selling point for Win7 in order to appease people and/or corporations who were weary of migration due to incompatibility with older applications. So MS's attitude towards this vulnerability downgrades Win7's appeal IMO, at least until they fix it.
0 Votes
+ -
Microsoft may have been dragging their heels. I read they approved an XP mode that didn't require hardware support.

I'm really confused now! silly
0 Votes
+ -
Correction..
AzuMao 17th Mar 2010
..half of the editions of Windows 7 offer it.
The other half don't.
0 Votes
+ -
Which DEP or is it both?
markdean 17th Mar 2010
There's software DEP within Windows and then there's hardware DEP that is enabled at the BIOS level. I'm wondering if it is the Windows DEP that is vulnerable.
0 Votes
+ -
Not that many
DevGuy_z 17th Mar 2010
Once Vista solved its driver issues, compatibility isn't much. I have found one game that had problems with Vista mainly due to its copy protection the Game issuer was able to patch it and it now works fine under Vista.

Having many different applications and games including some old DOS ones, I don't find Vista to be a problem. The UI is a little crusty but it is very stable.

BTW, I have spent hours in Linux compiling drivers trying to get wireless hardware to work correctly.

For most non-power users, unless doing simple stuff like web browsing managing a Linux desktop is a lot more trouble. Add a hard disk, it's detected and you are prompted to format it. Add a disk to Linux you have to edit a file.
0 Votes
+ -
Wrong...
cosuna 17th Mar 2010
...some programs--although capable-- will be blocked by code to run on Windows 7 as they don't recognize the kernel. Two come to mind SQL Server 7.0 and Office 2000.

Most people outside the Enterprise world don't know the amount of legacy apps being carried by companies that had bet on Windows ubiquity to develop on that platform. Most of those programs will crash or work erratically on Windows 7 mainly due to the fact that W7 accounts aren't normally administrator or the fact that UAC protects folders but legacy file handling API (mostly MFC or old Java) won't raise UAC when attempting to save on those folders.

End result: You'll have phantom files that appear to be saved, but aren't.

As the previous poster noted, if you can just get rid of these apps, why not get rid of Windows. Why not? Compatibility? See.
0 Votes
+ -
Link to advisory?
s_southern 16th Mar 2010
I can't find the advisory on Core Security's web site... although we do not run VirtualPC, we do use Hyper-V and I'd like to read the advisory and make sure it doesn't affect Hyper-V.

Perhaps in the future you could link to the original source of information? It would avoid those unpleasant [citation needed] comments.
0 Votes
+ -
Hyper-V Is Not Affected
twhitman@... 16th Mar 2010
FYI, Hyper-V is *not* affected.
0 Votes
+ -
Advisory
Ryan Naraine 16th Mar 2010
Link to advisory added to story. It wasn't available when I wrote it.

_r
"exploits the unexploitable"

What does that even mean, and how does it even relate to the facts in the article?

Maybe you should rename it:

"Virtual PC flaw disables OS defences inside the VM environment"

And also clarify, if the vulnerability renders the Guest vulnerable, or the Host!
0 Votes
+ -
indeed
TheLightcosine 16th Mar 2010
I agree that the article is a bit confusing. I
believe from what they are saying, it is the guest
that is made vulnerable, but what I am unclear of
is whether it is accessible from user-space inside
the guest or user-land inside the host. Please
clarify!
0 Votes
+ -
Both.
AzuMao 16th Mar 2010
0 Votes
+ -
I detect an inference by Microsoft...
JCitizen Updated - 17th Mar 2010
that issues with XP mode and Microsoft VM are different, maybe separate? But then I never understood MS doublespeak.

Do you think they are one and the same?

(edited) for language, and spelling.
0 Votes
+ -
Well now I read Microsoft has now..
JCitizen 19th Mar 2010
approved allowing XP Mode to run without the hardware requirement. Talk about confusing!! silly
0 Votes
+ -
The point of the article...
mikefarinha 16th Mar 2010
The point is to be ambiguous so the reader can then assume the worst.
0 Votes
+ -
What do you mean by that?
AzuMao 16th Mar 2010
Are you trying to imply that there is a worst case? When talking about one of Microsoft's products!?

Surely you know that there are no limits to how much they can suck.


Your post is ambiguous.
0 Votes
+ -
No offense L.D.
Intellihence 17th Mar 2010
, but when you were in school, did the other kids pick on you? Did they
place a sign on the back of your shirt that said, "Kick me, I'm an ARSE"?
ZDNET: Mac sales soar 39% during Jan/Feb

The amazing thing is that the rest of all people LIKE viruses!
0 Votes
+ -
Don't wanna burst your bubble...
LiquidLearner 16th Mar 2010
but they didn't take 39% of sales, they simply increased their existing sales by 39%. Impressive, yes, however it's not quite as big of a deal as you seem to think.
0 Votes
+ -
LOL
Rick_K 17th Mar 2010
I must have been one of the few that got that article. The 39% increase
over last year's 2.5 million Macintosh computers, to 2.9 million
Macintosh computers in January and February. Do not get me wrong I
am a Mac user, but really with 700 million computers actively in use,
the 50 million, or so Macs, aren't that big a piece of the picture. It
represents what 14%?
0 Votes
+ -
50 million Mac users....
arminw 17th Mar 2010
are people that have figured out how not to worry about the tens of
thousands of computer viruses, Trojans and worms and all that spyware
that plague those poor hapless Windows users who have not yet grasped
that simple fact.
0 Votes
+ -
We aren't plagued by evil beach balls of death.
We get a fun game called kernel panic, though.
0 Votes
+ -
Cool!...
JCitizen 20th Mar 2010
looks like a model for future robotic war! Skin that one up, and you have some pretty good excitement!

I like how it appears like you're a UAV commander watching the droid army and issuing action from above(my speculation).
0 Votes
+ -
A good solution for a lack of skill.
Tommy S. 18th Mar 2010
nt.
0 Votes
+ -
Exactly.
AzuMao 18th Mar 2010
Because only unskilled users want to avoid viruses.
Or be willing to go way out of their way to avoid getting them.
Or not mind getting them.
Or rely on products whose producers have refused to let run on anything but Windows (such as certain video games).
0 Votes
+ -
Comparing Apples and not apples
mswift@... 17th Mar 2010
4th quarter PC sales were up 20%, to 90 million units
0 Votes
+ -
But the exploit then runs in the VM
goingbust 16th Mar 2010
And if the VM has limited rights, doesn't that limit the potential problems?
0 Votes
+ -
Correct.
CobraA1 16th Mar 2010
Correct. The machine the VM is running on is
not affected.

HOWEVER - if the VM is being used for important
purposes, then other software inside the VM
could be affected.

Let's say, for example, that you have important
financial documents in the same VM as you use
for surfing the web. Then a hacker could
exploit the bug and access the documents.

The important thing is to use different VMs for
different things - use a one VM for your
financial documents, and a different VM for
surfing the web. Then you're safe.

Gotta remember that VMs, as good as they are,
aren't a perfect security boundary. In
addition, the primary purpose of Microsoft's
VMs is compatibility.
0 Votes
+ -
It limits them to the VM, yes.
AzuMao 16th Mar 2010
Usually if you have a VM, though, it's because
there is something you would like to use it for.

Meaning it's bad for it to get messed up.
0 Votes
+ -
Uh... No.
shadowfyr55@... 17th Mar 2010
The way I read it is that things "in" the virtual system could write to memory that it shouldn't, in certain cases. If the "host" environment, Vista/7, has one of its own applications "in" that region, then the code would be executed **by** the host OS, not the VM, thus bypassing the protection that the VM provides. That is the whole point of, "This wouldn't normally be exploitable." What they are saying is that the bug would ***never happen*** if it was running in a native OS, because the native OS wouldn't be executing code, written into memory, which was being used by other processes. The bug in the VM ***allows*** that to happen, not only clobbering the VM's own protections, but the protections of the OS it's running on top of.

If all it did was cause vulnerabilities to the VM itself, then that same bug would exist **in** XP, and be exploitable there. It's not. Nor is it in any other "hosted" OS. It's only if you host an OS, and the application does something that would have no effect on the "native" version, but is still a bug, that you torpedo a hole straight through the VM, into the underlying OS that is running the VM.

Or, maybe I just completely misread it?
Basically, protected mode (the original definition of it, not MS's) doesn't work under Microsoft's VM.
Anything can write over the (virtualized) kernel.
0 Votes
+ -
Insignificant vector
Tommy S. 18th Mar 2010
Do you think people will start to write exploit for virtual XP machines only...

How many of these prowl the web? Maybe just a few more than the whole MAC installed base, which is insignificant. VMs are for testing stuff and running old crapware.

You are paranoid if you browse the web from a VM.
0 Votes
+ -
Really?
AzuMao 18th Mar 2010
So you know of an easy to use browser that doesn't have and never will have any vulnerabilities whatsoever?
0 Votes
+ -
If you have anything to lose...
JCitizen 20th Mar 2010
and you use that attitude; you're a fool.

If you never enter financial or personal information into the keyboard of that PC, then you're right, it is just a waste of time.

However my clients get tired of reinstalling all the time, and have finally started listening to me.

Pay me now or pay me later; if later - you may be paying the cracker too!
0 Votes
+ -
Oh dear...
Great Kahuna 16th Mar 2010
this is not good.

Fortunately I'm running Linux.
0 Votes
+ -
..and then try to use Microsoft's VM within that, you still have a problem.
0 Votes
+ -
So using a Linux VM..
JCitizen 17th Mar 2010
to run a Microsoft application?

I've never used VMs, so I have no idea if Linux can run MS applications or not.

I'm used to Microsoft Office coded for OSX, and that is a different story.
0 Votes
+ -
Linux has a limited "clone" of Windows.
shadowfyr55@... 17th Mar 2010
It's called "WINE". But, it's not a true VM, since it wouldn't be running the OS itself, just emulating it. However, there are any number of products that exist that *do* run under Linux, which provide true VM environments. However, in this case it would look like this:

Linux
|
VM Software
|
Windows 7 (vulnerable to the exploit)
|
XP Mode (bug allowing the problem is here)
|
XP application (containing the exploit)

Assuming, again, I read this right. This is less serious than with 7, by itself, or using the Windows VM to run another OS, whose programs in turn triggered the exploit. Basically, Win7 running in a Linux VM would simply infect/crash the VM for Win7, not the whole OS, which could still be a **huge** problem, if you are running all your business apps in the VM, because you don't yet have them migrated to Linux.

But, basically, any OS that can run large applications can run a VM. Heck, technically, things like DOSBox, or even things to run old games like MAME, or the ones that run games from the SNES, are "VMs", just not ones capable of running modern OSes on them. That is the whole point of a VM, to convince the OS you install in it that it's running on a machine that has X% of the real machine's memory, and a slightly slower processor, along with all the same "hardware" it would normally see, when installing itself.

But, yeah. Linux, by itself, with WINE installed, can run probably 70%? Though, games, especially DirectX ones, still cause it some hiccups. But, with a high priced VM installed on it, you simply install Windows 7 "into" the VM, and everything works.
0 Votes
+ -
Oops..
shadowfyr55@... 17th Mar 2010
My mistake. I didn't bother reading MS' gibberish at the end, so failed to note that the issue was only to the VM OS, not the host.. So, the vulnerability would "not" be in 7 in the above diagram. Still, it's a damn stupid bug anyway.
0 Votes
+ -
WINE is an abstraction layer. It redirects Win32 API calls to Linux syscalls.
0 Votes
+ -
Thanks once again...
JCitizen 19th Mar 2010
I really appreciate it. I was under the impression that the VM host would be compromised as well as the VM, if running under any Windows OS as the host.

I wasn't sure about the differences between Wine and a Linux VM. We used emulators on Macs in the tech industry(1991) to test control design. The Mac couldn't actually run the equipment but was an excellent design testing environment. Back then the Window GUI and graphics capability just couldn't match that.

As of 2000, we started getting chips in the new Cincinnati Milacron machines that were marked Mackintosh(APPLE), they were a different animal to tech, but we did it. Probably made by motorola for Apple at the time.