7 Month Vulnerability in Windows Virtual PC

Core Security Technologies (CST) has discovered a critical vulnerability in Windows Virtual PC that allows an attacker to bypass security measures and run malicious code on the guest machine. The affected platforms are Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC, Virtual Server 2005 and Virtual Server 2005 R2 SP1.

The flaw lies at the memory management level (Virtual Machine Monitor). By leveraging this vulnerability, it is possible to bypass operating system security mechanisms such as Data Execution Prevention (DEP), Safe Structured Error Handling (SafeSEH) and Address Space Layout Randomization (ASLR), which are designed to prevent exploitation of security bugs in applications running on Windows operating systems.

Microsoft was notified about this gap 7 months ago but refused to fix it until the release of the next service pack, which led CST to issue the security advisory publicly.

Today Microsoft answered in a blog post that this advisory does not affect the security of Windows 7 systems directly. The security safeguards (DEP, ASLR, SafeSEH, etc.) that are in place remain effective at helping protect users from malware on that system. In addition, Windows Server virtualization technology, Hyper-V, is also not affected by this advisory. Applications running inside a Hyper-V guest continue to benefit from these same security safeguards.

You can read Microsoft's complete post here.
