Microsoft attacks potential VMware feature

Senior Microsoft security strategist Steve Riley last week criticised virtualisation rival VMware for an idea that could see virtualised operating system images patched while they were still running in memory.

Senior Microsoft security strategist Steve Riley last week criticised virtualisation rival VMware for an idea that could see virtualised operating system images patched while they were still running in memory.

Microsoft's Steve Riley
(Credit: Microsoft)

"What about [updating] in-memory images that are currently running operating systems ... Do you think this is a good or bad idea?" Riley asked Microsoft's Tech.Ed conference in Sydney last week.

"The rumour is that the other big company out there that sells virtualisation stuff is considering doing it. If they are, I think you should give some serious thought to what they're doing to prevent the trust-boundary-crossing from occurring."

"And I can't imagine, at the moment, how to do that ... It gives the attacker an [application programming interface] attack tool," he added. "It is too much of a security risk and violates one of the principle reasons for running virtualised instances in the first place."

Riley promised that Microsoft would never build such a product for this reason, but instead promoted Microsoft's release of a product that patches its virtual hard disk (VHD) file format.

VMware would not confirm whether it was working on live OS patching technology, but the company's Asia-Pacific senior product marketing manager Andre Kemp said it would make sense.

"That technology exists in terms of a theory, as something that VMware would look at strategically. I'm not saying we won't have similar technology in the future," he told ZDNet.com.au.

"It makes sense if you have a virtual desktop infrastructure to have the ability to patch thousands of desktops online, simultaneously without downtime. It would seem the cornerstone of what VMware has been able to do on the server market."

It violates one of the principle reasons for running virtualised instances in the first place.

Microsoft's Steve Riley

Kemp blamed Microsoft for the current requirement to reboot Windows operating systems after applying patches to the operating system.

"Microsoft's technology is not robust enough to do updates online without requiring a reboot," he said.

Microsoft's Riley also criticised VMware's decision to release its source code to independent software vendors.

"There is no intention at all for Hyper-V to ever incorporate third-party code. That is our code and will remain our code only, much to the chagrin of Gartner who think we should open that up so that people can sell stuff," he said.

Kemp defended VMware's decision to do so on the grounds that it allowed security companies to build greater protection for VMware environments and had helped customers protect themselves from Microsoft's flaws.

"VMware has always been as open as possible with our virtual machine infrastructure. It has allowed vendors to create virtual machines that have their security products inside a special appliance. Just by having that plugged into the hypervisor, virtual machines are automatically protected from buffer overruns and security breaches that normally require some product to run inside the operating system," he said.

"Our open standards towards security will make Microsoft customers operate much better than traditionally or than with a Hyper-V-based solution. At the end of the day, you still have a Windows 2008 framework that needs to be patched and managed and when you introduce a patch system inherent to Windows with 25 years of documented issues and breaches, that introduces instability in a productive environment."