Puppy Linux Discussion Forum
Vulnerability in MS Virtual PC exploits the unexploitable
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10954
Location: Arizona USA

PostPosted: Wed 17 Mar 2010, 13:09    Post subject:  Vulnerability in MS Virtual PC exploits the unexploitable  

http://blogs.zdnet.com/security/?p=5742&tag=nl.e539
Quote:
The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system.

Affected software includes Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by the vulnerability.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.
DMcCunney

Joined: 02 Feb 2009
Posts: 897

PostPosted: Wed 17 Mar 2010, 15:36    Post subject: Re: Vulnerability in MS Virtual PC exploits the unexploitable  

Flash wrote:
http://blogs.zdnet.com/security/?p=5742&tag=nl.e539
Quote:
The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system.

Affected software includes Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by the vulnerability.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.

<yawn>

I don't know anyone in a commercial environment using Microsoft Virtual PC. They all use VMware or Xen. (And do so, among other reasons, because they want to virtualize OSes that aren't Windows.)

Individual users may run Virtual PC to run multiple Windows flavors, but their risk will be vastly less. Just what exploits are likely to affect them? If the user is savvy enough to run virtualization technology to begin with, chances are good they are behind firewalls, running A/V, etc.

You worry about such things when you have public facing servers and the possibility of a user accessing a vulnerable server and committing mayhem. If you're an individual user, that is unlikely to be the case. If you're a business running public facing servers, MS Virtual PC isn't what you use.

The question in any such case is "Yes, it's a flaw. How likely is it to be exploited?" For a lot of things like this, the answer is "Not likely enough to be worth extra time and effort to try to fix now. It can wait till the next actual release."

I suspect that's Microsoft's take, and I think I agree. The security outfit will of course issue a press release out of public duty, because they get paid by clients to identify security issues and propose fixes, and want to demonstrate how on the ball they are. If one new client contacts them because they saw the release and decides to retain them as security advisers, the effort was well worth it.
______
Dennis
Q5sys


Joined: 11 Dec 2008
Posts: 1047

PostPosted: Thu 18 Mar 2010, 13:26    Post subject: Re: Vulnerability in MS Virtual PC exploits the unexploitable  

DMcCunney wrote:
The question in any such case is "Yes, it's a flaw. How likely is it to be exploited?" For a lot of things like this, the answer is "Not likely enough to be worth extra time and effort to try to fix now. It can wait till the next actual release."


Knowing MS, it won't be worth the time and effort. When the SMB flaw was reintroduced into Windows Vista and 7 (yes, I mean re-introduced; MS fixed it under 2000), it was almost a full month before MS's patch release date. And even though it allowed remote BSOD'ing of computers, MS felt it wasn't important enough to roll out an immediate patch. If remotely BSOD'ing isn't important enough for an immediate patch... I doubt this will be.
DMcCunney

Joined: 02 Feb 2009
Posts: 897

PostPosted: Sat 03 Apr 2010, 22:10    Post subject: Re: Vulnerability in MS Virtual PC exploits the unexploitable  

Q5sys wrote:
DMcCunney wrote:
The question in any such case is "Yes, it's a flaw. How likely is it to be exploited?" For a lot of things like this, the answer is "Not likely enough to be worth extra time and effort to try to fix now. It can wait till the next actual release."


Knowing MS, it won't be worth the time and effort. When the SMB flaw was reintroduced into Windows Vista and 7 (yes, I mean re-introduced; MS fixed it under 2000), it was almost a full month before MS's patch release date. And even though it allowed remote BSOD'ing of computers, MS felt it wasn't important enough to roll out an immediate patch. If remotely BSOD'ing isn't important enough for an immediate patch... I doubt this will be.

How many systems were "remotely BSOD'd"?

I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.

But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of flaw and patch to fix it sounds like relatively quick work.
______
Dennis
Q5sys


Joined: 11 Dec 2008
Posts: 1047

PostPosted: Sun 04 Apr 2010, 03:32    Post subject: Re: Vulnerability in MS Virtual PC exploits the unexploitable  

DMcCunney wrote:
How many systems were "remotely BSOD'd"?

I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.

But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of flaw and patch to fix it sounds like relatively quick work.
______
Dennis


How many... that's not something I have any idea about. (And if I did, it probably wouldn't be legally advisable to state so on a forum that's being cached by Google for all eternity.) From what I've heard, MS was informed of it but never addressed it. Finally it was publicly released and then MS decided they'd eventually fix it. Which to me is a typical response of MS. Know something is an issue but not fix it until it becomes public knowledge and they start getting flogged about it. I.e., only fix an issue once it starts to become a PR issue.

The reason I don't think a month is reasonable time to fix the issue is that the fix was already known. And they fixed it the same way they did the first time it was an issue. It shouldn't take a month to fix a problem that A) you have known about and B) have already fixed in the past the same way.

I understand that massive companies have a ton of red tape to do anything. But for as long as MS has been around, and as many times as they've been round the issue of fixing flaws, they should have managed to find a way to rapidly address security flaws. The fact that they haven't in all these years, to me... is a symptom of a larger issue. Whether that issue is apathy, bureaucracy, or just plain bad management, I don't know.
DMcCunney

Joined: 02 Feb 2009
Posts: 897

PostPosted: Sun 04 Apr 2010, 22:16    Post subject: Re: Vulnerability in MS Virtual PC exploits the unexploitable  

Q5sys wrote:
DMcCunney wrote:
How many systems were "remotely BSOD'd"?

I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.

But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of flaw and patch to fix it sounds like relatively quick work.

How many... that's not something I have any idea about. (And if I did, it probably wouldn't be legally advisable to state so on a forum that's being cached by Google for all eternity.) From what I've heard, MS was informed of it but never addressed it.

I wouldn't worry about the legalities. If you can state verifiable facts, it's not illegal.

I doubt there were many, as it would have made a fairly big splash, and the bad press would have forced MS's hand. Major corporate customers would have been all over them about it.

Quote:
Finally it was publicly released and then MS decided they'd eventually fix it. Which to me is a typical response of MS. Know something is an issue but not fix it until it becomes public knowledge and they start getting flogged about it. I.e., only fix an issue once it starts to become a PR issue.

Not really. See my comment above about how serious an issue it actually is when a vulnerability is revealed. MS releases critical patches on a regular basis, and they aren't all fixes to headline getting flaws.

Quote:
The reason I don't think a month is reasonable time to fix the issue is that the fix was already known. And they fixed it the same way they did the first time it was an issue. It shouldn't take a month to fix a problem that A) you have known about and B) have already fixed in the past the same way.

Agreed that it shouldn't take long to make the actual fix, especially since both the problem and the solution were known.

Deciding they indeed should make the fix, and the time frame in which they need to do it, is another matter.

Quote:
I understand that massive companies have a ton of red tape to do anything. But for as long as MS has been around, and as many times as they've been round the issue of fixing flaws, they should have managed to find a way to rapidly address security flaws. The fact that they haven't in all these years, to me... is a symptom of a larger issue. Whether that issue is apathy, bureaucracy, or just plain bad management, I don't know.

How rapidly they address issues is in part predicated on the severity of the issue (or at least, how severe they think it is...) They have been known to issue off-cycle patches for really severe stuff.

But what I know of their build and release process reminds me a bit of Hollywood making motion pictures: it's a bit of a miracle anything gets out the door, and it's no surprise what does get out is often disappointing.
______
Dennis