Researchers find zero day flaw in Windows Virtual PC

Researchers at Core Security Technologies (CST) say they have uncovered a critical flaw in Windows Virtual PC which would allow hackers to bypass security systems and run code on a guest machine.

Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC, Virtual Server 2005 and Virtual Server 2005 R2 SP1 are effected.

The flaw is in the memory management of the Virtual Machine Monitor and allows the attacker to bypass security mechanisms such as Data Execution Prevention, Safe Structured Error Handling and Address Space Layout Randomisation.

“The vulnerability can be exploited locally within a virtualised system to escalate privileges or remotely for code execution in combination with any client-side bug for which existing patches have not been applied or with any client-side bug for which a fix has not been developed after dismissing the bug as not exploitable or of low priority,” said the researchers in an advisory.

“The vulnerability does not seem usable to escape from a virtualised OS (guest) to execute code in the context of the non-virtualised OS (host).”

Microsoft was made aware of the problem seven months ago but will not be issuing a patch, saying it will wait until a service pack is released before plugging the hole. As a result CST have gone public.

“The functionality that Core calls out is not an actual vulnerability per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system,” said Microsoft in a blog posting.

“It's a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms.”