March 18, 2010, 2:10 PM — A bug in Microsoft's software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said today.
The flaw is in some of Microsoft's virtualization software, including Windows XP Mode , the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.
Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Core Security, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."
Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole . "The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."
Core and Microsoft don't disagree on the facts, said Arce.
The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomization), that are designed to deflect some types of attacks against Windows XP, Vista and Windows 7 .
But the two companies don't see eye-to-eye on the need for a patch. "We don't agree with Microsoft's decision not to patch," said Arce. "Applications in a virtualized environment are more easily exploitable than if they were running on real hardware. This should be fixed."