Researchers at Core Security Technologies issued an advisory March 16 about a new security vulnerability that leaves users of Microsoft’s Virtual PC software open to attack.

According to Core Security, certain versions of the Virtual PC hypervisor contain a vulnerability that allows attackers to bypass Windows security mechanisms, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). As a result, bugs that are not exploitable on a non-virtualized operating system could become exploitable when the same software runs inside a guest OS in Virtual PC.
“The vulnerability can be exploited locally within a virtualized system to escalate privileges or remotely for code execution in combination with any client-side bug for which existing patches have not been applied or with any client-side bug for which a fix has not been developed after dismissing the bug as not exploitable or of low priority,” Ivan Arce, CTO of Core Security, told eWEEK in an e-mail. “The vulnerability does not seem usable to escape from a virtualized OS (guest) to execute code in the context of the non-virtualized OS (host). Use of the vulnerability to implement covert inter-process communications within the virtualized OS or to establish inter-VM (virtual machine) communication has not been researched in full but is deemed possible.”
According to the advisory, incorrect memory management by the Virtual Machine Monitor (VMM) of Virtual PC makes portions of the VMM worker memory available for read or read/write access to user-space processes running in a guest OS.

“Leaked memory pages are mapped on the Guest OS at virtual addresses above the 2GB limit which shouldn’t be accessible for user-space programs,” the advisory reads.
The bug affects a number of versions of the product, including Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. Because Microsoft’s Virtual PC hypervisor is a component of Windows 7 XP Mode, it is affected as well.

Microsoft’s Hyper-V technology is not affected.

Core Security reported the issue to Microsoft in August 2009 and said Microsoft has told it that it plans to fix the problem in a future update. Microsoft did not respond to an eWEEK request for comment by deadline.
“We recommend that affected users run all mission-critical Windows applications on non-virtualized systems or use virtualization technologies that aren’t affected by this bug,” Arce said. “Windows operating systems and applications that must run virtualized using Virtual PC technologies should be kept at the highest patch level possible and monitored to detect exploitation attempts.”