Vulnerability in MS Virtual PC exploits the unexploitable

For discussions about security.
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Vulnerability in MS Virtual PC exploits the unexploitable

#1 Post by Flash »

http://blogs.zdnet.com/security/?p=5742&tag=nl.e539
The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system.

Affected software includes Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by the vulnerability.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

Re: Vulnerability in MS Virtual PC exploits the unexploitable

#2 Post by DMcCunney »

Flash wrote:
http://blogs.zdnet.com/security/?p=5742&tag=nl.e539
The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system.

Affected software includes Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by the vulnerability.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.
<yawn>

I don't know anyone in a commercial environment using Microsoft Virtual PC. They all use VMWare or Xen. (And do so, among other reasons, because they want to virtualize OSes that aren't Windows.)

Individual users may run Virtual PC to run multiple Windows flavors, but their risk will be vastly less. Just what exploits are likely to affect them? If the user is savvy enough to run virtualization technology to begin with, chances are good they are behind firewalls, running A/V, etc.

You worry about such things when you have public facing servers and the possibility of a user accessing a vulnerable server and committing mayhem. If you're an individual user, that is unlikely to be the case. If you're a business running public facing servers, MS Virtual PC isn't what you use.

The question in any such case is "Yes, it's a flaw. How likely is it to be exploited?" For a lot of things like this, the answer is "Not likely enough to be worth extra time and effort to try to fix now. It can wait till the next actual release."

I suspect that's Microsoft's take, and I think I agree. The security outfit will of course issue a press release out of public duty, because they get paid by clients to identify security issues and propose fixes, and want to demonstrate how on the ball they are. If one new client contacts them because they saw the release and decides to retain them as security advisers, the effort was well worth it.
______
Dennis

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: Vulnerability in MS Virtual PC exploits the unexploitable

#3 Post by Q5sys »

DMcCunney wrote:The question in any such case is "Yes, it's a flaw. How likely is it to be exploited?" For a lot of things like this, the answer is "Not likely enough to be worth extra time and effort to try to fix now. It can wait till the next actual release."
Knowing MS, it won't be worth the time and effort. When the SMB flaw was reintroduced into Windows Vista and 7 (yes, I mean re-introduced; MS fixed it under 2000), it was almost a full month before MS's patch release date. And even though it allowed remote BSOD'ing of computers, MS felt it wasn't important enough to roll out an immediate patch. If remotely BSOD'ing isn't important enough for an immediate patch... I doubt this will be.

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

Re: Vulnerability in MS Virtual PC exploits the unexploitable

#4 Post by DMcCunney »

Q5sys wrote:
DMcCunney wrote:The question in any such case is "Yes, it's a flaw. How likely is it to be exploited?" For a lot of things like this, the answer is "Not likely enough to be worth extra time and effort to try to fix now. It can wait till the next actual release."
Knowing MS, it won't be worth the time and effort. When the SMB flaw was reintroduced into Windows Vista and 7 (yes, I mean re-introduced; MS fixed it under 2000), it was almost a full month before MS's patch release date. And even though it allowed remote BSOD'ing of computers, MS felt it wasn't important enough to roll out an immediate patch. If remotely BSOD'ing isn't important enough for an immediate patch... I doubt this will be.
How many systems were "remotely BSOD'd"?

I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.

But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of a flaw and a patch to fix it sounds like relatively quick work.
______
Dennis

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: Vulnerability in MS Virtual PC exploits the unexploitable

#5 Post by Q5sys »

DMcCunney wrote:How many systems were "remotely BSOD'd"?

I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.

But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of a flaw and a patch to fix it sounds like relatively quick work.
______
Dennis
How many... that's not something I have any idea about. (And if I did, it probably wouldn't be legally advisable to state so on a forum that's being cached by Google for all eternity.) From what I've heard, MS was informed of it but never addressed it. Finally it was publicly released and then MS decided they'd eventually fix it. Which to me is a typical response of MS: know something is an issue but not fix it until it becomes public knowledge and they start getting flogged about it. I.e., only fix an issue once it starts to become a PR issue.

The reason I don't think a month is a reasonable time to fix the issue is that the fix was already known. And they fixed it the same way they did the first time it was an issue. It shouldn't take a month to fix a problem that A) you have known about and B) have already fixed in the past the same way.

I understand that massive companies have a ton of red tape to do anything. But for as long as MS has been around, and as many times as they've been round the issue of fixing flaws, they should have managed to find a way to rapidly address security flaws. The fact that they haven't in all these years, to me... is a symptom of a larger issue. Whether that issue is apathy, bureaucracy, or just plain bad management, I don't know.

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

Re: Vulnerability in MS Virtual PC exploits the unexploitable

#6 Post by DMcCunney »

Q5sys wrote:
DMcCunney wrote:How many systems were "remotely BSOD'd"?

I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.

But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of a flaw and a patch to fix it sounds like relatively quick work.
How many... that's not something I have any idea about. (And if I did, it probably wouldn't be legally advisable to state so on a forum that's being cached by Google for all eternity.) From what I've heard, MS was informed of it but never addressed it.
I wouldn't worry about the legalities. If you can state verifiable facts, it's not illegal.

I doubt there were many, as it would have made a fairly big splash, and the bad press would have forced MS's hand. Major corporate customers would have been all over them about it.
Finally it was publicly released and then MS decided they'd eventually fix it. Which to me is a typical response of MS: know something is an issue but not fix it until it becomes public knowledge and they start getting flogged about it. I.e., only fix an issue once it starts to become a PR issue.
Not really. See my comment above about how serious an issue it actually is when a vulnerability is revealed. MS releases critical patches on a regular basis, and they aren't all fixes to headline getting flaws.
The reason I don't think a month is a reasonable time to fix the issue is that the fix was already known. And they fixed it the same way they did the first time it was an issue. It shouldn't take a month to fix a problem that A) you have known about and B) have already fixed in the past the same way.
Agreed that it shouldn't take long to make the actual fix, especially since both the problem and the solution were known.

Deciding they indeed should make the fix, and the time frame in which they need to do it is another matter.
I understand that massive companies have a ton of red tape to do anything. But for as long as MS has been around, and as many times as they've been round the issue of fixing flaws, they should have managed to find a way to rapidly address security flaws. The fact that they haven't in all these years, to me... is a symptom of a larger issue. Whether that issue is apathy, bureaucracy, or just plain bad management, I don't know.
How rapidly they address issues is in part predicated on the severity of the issue (or at least, how severe they think it is...). They have been known to issue off-cycle patches for really severe stuff.

But what I know of their build and release process reminds me a bit of Hollywood making motion pictures: it's a bit of a miracle anything gets out the door, and it's no surprise what does get out is often disappointing.
______
Dennis
