Memory Protection Issue in Microsoft Virtual PC Hypervisor Software May Leave Systems Open to Infiltration
BOSTON, MA - Mar. 16, 2010 - Core Security Technologies, provider of the CORE IMPACT family of comprehensive enterprise security testing solutions, today issued an advisory disclosing a vulnerability that could affect large numbers of organizations and consumers using Microsoft's Virtual PC virtualization software and leave them open to potential attack.
Microsoft's Virtual PC hypervisor is an element of the company's Windows Virtual PC package, which allows users to run multiple Windows environments on a single computer. The hypervisor is a key component of Windows 7 XP Mode, a feature in Microsoft's latest desktop operating system aimed at easing migration to the new OS for users and enterprises that need to keep running legacy Windows XP applications.
A Core Security Exploit Writer working with CoreLabs, the research arm of Core Security Technologies, found that affected versions of the Virtual PC hypervisor contain a vulnerability that may allow attackers to bypass several security mechanisms of the Windows operating system and compromise virtualized systems. The issue may also turn a common class of software bugs that are not otherwise exploitable into exploitable vulnerabilities.
Affected versions of the product include: Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is affected by the vulnerability.
Microsoft Hyper-V technology is not affected by this problem.
The issue was reported to Microsoft in August of 2009. The vendor indicated that it plans to solve the problem in future updates to the vulnerable products.
We recommend that affected users run all mission-critical Windows applications on physical hardware or under virtualization technologies that are not affected by this bug. Windows operating systems and applications that must run virtualized under Virtual PC should be kept at the highest patch level possible and monitored for exploitation attempts.
"Virtualization is an area that offers tremendous promise to the entire computing world, but it must be remembered that the technologies that enable this process may also introduce potential risks that previously didn't exist," said Ivan Arce, CTO of Core Security Technologies. "This particular case provides a good example of how mechanisms designed to improve an operating system's security over many years can eventually become ineffective when some of the basic underlying aspects of their operation are changed by virtualization technology."
Nicolas Economou, a Core Security Exploit Writer working with CoreLabs, is credited with discovering the Virtual PC Hypervisor vulnerability.
Windows Virtual PC and Microsoft Virtual PC 2007 are desktop virtualization applications from Microsoft used to run one or more virtual machines on a single physical system. Windows Virtual PC is used to run Windows XP Mode applications directly from a Windows 7 desktop.
In Microsoft Virtual PC and Windows Virtual PC, the Virtual Machine Monitor (VMM) is responsible for mediating access to hardware resources and devices from operating systems running in a virtualized environment. A vulnerability in the memory management of the VMM allows memory pages mapped above the 2GB boundary, the half of the 32-bit address space that a Windows guest reserves for the kernel by default, to be accessed with read or read/write permissions by user-space programs running in the guest operating system.
By leveraging this vulnerability it is possible to bypass several security hardening mechanisms of Windows operating systems, such as Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR). As a result, some application bugs that are not exploitable on a non-virtualized operating system become exploitable when the application runs within a guest OS in Virtual PC.
In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable, while the same application running directly on a Windows XP SP3 operating system is not.
The vulnerability invalidates a basic assumption about the memory management of the Windows operating system on which several security hardening mechanisms rely for correct operation. As a result, those defense-in-depth mechanisms should no longer be considered effective enough to prevent exploitation of unpatched vulnerabilities in Windows applications running on systems virtualized with the Virtual PC hypervisor. Additionally, software bugs that were dismissed as not security-relevant because they were not exploitable, and for which security patches may therefore not be readily available, could become exploitable vulnerabilities because of the Virtual PC hypervisor bug.
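The check a practitioner would want after reading the description above, as an added example written for this page and not code from the advisory or from Core Security: a C program that, from an ordinary user-mode process inside the guest, probes every page in the upper 2GB of the 32-bit address space and reports any page that can be read, or read and written back, without faulting. On a non-virtualized 32-bit Windows system every such access should fault; the advisory states that under the Virtual PC hypervisor some of these pages do not. The scan assumes the default 2GB/2GB user/kernel split (a guest booted with /3GB starts kernel space at 0xC0000000 and would need that boundary passed instead) and targets a 32-bit build, since Virtual PC guests are 32-bit. The POSIX branch exists only so the probe logic can be exercised on Linux, where it should report nothing; the sample buffers are constructed for a self-check and are not part of the advisory.

```c
#ifndef _WIN32
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdint.h>
#include <setjmp.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <signal.h>
#include <string.h>
#endif

#define PAGE_BYTES 4096u

struct scan_result {
    unsigned long readable;       /* pages readable without faulting */
    unsigned long writable;       /* of those, pages the same byte could be written back to */
    uintptr_t     first_readable; /* lowest readable page, 0 if none */
};

/* probe(): 1 if one byte at p can be read (and, with want_write, written back unchanged)
 * from this user-mode process, 0 if the access faults. */
#ifdef _WIN32
/* Windows: a vectored exception handler catches the access violation and longjmps back. */
static jmp_buf probe_env;
static LONG CALLBACK probe_veh(PEXCEPTION_POINTERS ep)
{
    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION)
        longjmp(probe_env, 1);
    return EXCEPTION_CONTINUE_SEARCH;
}
int probe(volatile unsigned char *p, int want_write)
{
    volatile int ok = 0;
    PVOID h = AddVectoredExceptionHandler(1, probe_veh);
    if (setjmp(probe_env) == 0) {
        unsigned char v = *p;
        if (want_write) *p = v;
        ok = 1;
    }
    RemoveVectoredExceptionHandler(h);
    return ok;
}
#else
/* POSIX: same probe via SIGSEGV, so the logic can be exercised on Linux;
 * sigsetjmp(..., 1) restores the signal mask after the longjmp. */
static sigjmp_buf probe_env;
static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }
int probe(volatile unsigned char *p, int want_write)
{
    struct sigaction sa, old;
    volatile int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        unsigned char v = *p;
        if (want_write) *p = v;
        ok = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
}
#endif

/* Probe the first byte of every page in [start, end]; the explicit break keeps
 * the loop from wrapping when end is the top of the address space. */
struct scan_result scan_range(uintptr_t start, uintptr_t end, size_t page)
{
    struct scan_result r = { 0, 0, 0 };
    uintptr_t a;
    for (a = start; a < end; a += page) {
        volatile unsigned char *p = (volatile unsigned char *)a;
        if (probe(p, 0)) {
            if (r.readable++ == 0) r.first_readable = a;
            if (probe(p, 1)) r.writable++;
        }
        if (end - a <= page) break;
    }
    return r;
}

/* Self-check on constructed memory (not from the advisory): a page inside a writable
 * static buffer must scan readable+writable; a const array must reject the write. */
static unsigned char sample_rw[2 * PAGE_BYTES];
static const unsigned char sample_ro[PAGE_BYTES] = { 1 };
struct scan_result scan_sample_page(void)
{
    uintptr_t base = ((uintptr_t)sample_rw + PAGE_BYTES - 1) & ~(uintptr_t)(PAGE_BYTES - 1);
    return scan_range(base, base + PAGE_BYTES, PAGE_BYTES);
}
int sample_ro_writable(void) { return probe((volatile unsigned char *)sample_ro, 1); }

int main(void)
{
    struct scan_result r;
    if (sizeof(void *) != 4) { puts("build and run as a 32-bit binary inside the guest"); return 1; }
    /* Upper 2GB under the default 2GB/2GB user/kernel split; a guest booted with /3GB
     * would need 0xC0000000 here instead (assumption, not from the advisory). */
    r = scan_range(0x80000000u, 0xFFFFFFFFu, PAGE_BYTES);
    printf("pages above 2GB accessible from user mode: %lu readable, %lu writable\n", r.readable, r.writable);
    if (r.readable) printf("first accessible page: 0x%08lx\n", (unsigned long)r.first_readable);
    return r.readable ? 2 : 0;
}
```

Build it as a 32-bit executable and run it inside the guest, once on Windows XP under Virtual PC and once on the same Windows XP installation on physical hardware; the results should differ only if the hypervisor is exposing pages. A full scan issues roughly half a million probes, each taking a fault, so expect it to run for several seconds. A readable page above 2GB is reported as a fact about the guest's memory protection, not as proof of exploitability; the advisory's point is that such pages undermine the assumptions DEP, SafeSEH and ASLR rely on.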
For more information on this vulnerability and the systems affected, please visit:
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security, including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies provides IT security executives with comprehensive security testing and measurement of their IT assets by adding real-world actionable intelligence and verification to their IT security management efforts. Our software products build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.
Tim Whitman or Lauren O'Leary