A bug in Microsoft Corp.'s software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said today.
The flaw is in some of Microsoft's virtualization software, including Windows XP Mode , the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.
Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Boston-based Core Security Technologies, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."
Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole.
"The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."
Core and Microsoft don't disagree on the facts, said Arce.
The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomization), that are designed to deflect some types of attacks against Windows XP, Vista and Windows .
But the two companies don't see eye-to-eye on the need for a patch. "We don't agree with Microsoft's decision not to patch," said Arce. "Applications in a virtualized environment are more easily exploitable than if they were running on real hardware. This should be fixed."
Hackers could exploit the flaw to attack virtualized copies of Windows that normally would be immune to attack, or at the least, much more difficult to attack, because of mechanisms like DEP and ASLR, Arce said. And the bug could make vulnerabilities once thought trivial, and not worth the trouble to patch, worthy of exploitation. "In light of this bug, vulnerabilities believed to not apply to the virtualized OS and that were dismissed as not exploitable, may, in fact, be exploitable," Arce added.
Arce acknowledged that by publishing its lengthy advisory -- which includes proof-of-concept attack code -- Core was pressuring Microsoft to patch. "We understand that it may be difficult to fix, but this puts pressure on them to do something about it sooner rather than later," he said.
Microsoft's Hyper-V technology, which is employed by Windows Server 2008, is not affected by the flaw, Microsoft and Core agreed.
Although the "guest" operating systems running in virtual machines are at risk, the "host" operating system -- the one powering the actual physical hardware -- is not, Microsoft assured customers. Nor can the flaw be used to jump from one virtualized guest OS on a single machine to another. Even so, Microsoft's Cooke urged users to run virtualized applications on the desktop only when there was no substitute.
"We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7," he said in an entry to the Windows Security blog . "For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future."
"Virtualization software is actual software, it's not magic," said Arce. "It's vulnerable, and sometimes bugs in it are not minimal. Should we wait five years -- and I'm exaggerating here -- for Microsoft to fix this, but not tell anyone? Sure, it may take some time for Microsoft to fix this, but there are other virtualization packages people can use that don't have this vulnerability."
Core's advisory spelled that out in plain English, telling users to either run mission-critical Windows applications on non-virtualized systems or to use alternate virtualization software.
Arce credited Nicolas Economou, who works at Core as an exploit writer, with uncovering the bug.
Microsoft has taken the same stance in the past when it's argued that what others classify as security vulnerabilities it believes are nothing of the sort. Nearly three years ago, for instance, the company claimed that Office 2007 crashes reported as flaws were actually part of the suite's design .