Senior Microsoft security strategist Steve Riley last week criticised virtualisation rival VMware for an idea that could see virtualised operating system images patched while they were still running in memory.
"What about [updating] in-memory images that are currently running operating systems ... Do you think this is a good or bad idea?" Riley asked Microsoft's Tech.Ed conference in Sydney last week.
"The rumour is that the other big company out there that sells virtualisation stuff is considering doing it. If they are, I think you should give some serious thought to what they're doing to prevent the trust-boundary-crossing from occurring."
"And I can't imagine, at the moment, how to do that ... It gives the attacker an [application programming interface] attack tool," he added. "It is too much of a security risk and violates one of the principal reasons for running virtualised instances in the first place."
Riley promised that Microsoft would never build such a product for this reason, and instead promoted Microsoft's release of a tool that patches virtual machine images stored on disk in its virtual hard disk (VHD) file format.
VMware would not confirm whether it was working on live OS patching technology, but the company's Asia-Pacific senior product marketing manager Andre Kemp said it would make sense.
"That technology exists in terms of a theory, as something that VMware would look at strategically. I'm not saying we won't have similar technology in the future," he told ZDNet.com.au.
"It makes sense if you have a virtual desktop infrastructure to have the ability to patch thousands of desktops online, simultaneously without downtime. It would seem the cornerstone of what VMware has been able to do on the server market."
Kemp blamed Microsoft for Windows still needing a reboot after operating system patches are applied.
"Microsoft's technology is not robust enough to do updates online without requiring a reboot," he said.
Microsoft's Riley also criticised VMware's decision to release its source code to independent software vendors.
"There is no intention at all for Hyper-V to ever incorporate third-party code. That is our code and will remain our code only, much to the chagrin of Gartner who think we should open that up so that people can sell stuff," he said.
Kemp defended VMware's decision to do so on the grounds that it allowed security companies to build greater protection for VMware environments and had helped customers protect themselves from Microsoft's flaws.
"VMware has always been as open as possible with our virtual machine infrastructure. It has allowed vendors to create virtual machines that have their security products inside a special appliance. Just by having that plugged into the hypervisor, virtual machines are automatically protected from buffer overruns and security breaches that normally require some product to run inside the operating system," he said.
"Our open standards towards security will make Microsoft customers operate much better than traditionally or than with a Hyper-V-based solution. At the end of the day, you still have a Windows 2008 framework that needs to be patched and managed and when you introduce a patch system inherent to Windows with 25 years of documented issues and breaches, that introduces instability in a productive environment."