The popular security firm Core Security yesterday disclosed a serious security vulnerability found in all Microsoft hosted virtualization products, including Virtual Server 2005, Virtual PC 2007 (with and without SP1) and Windows 7 Virtual PC.
While Core Security uses the “hypervisor” terminology, this bug doesn’t affect any of Microsoft’s bare-metal virtualization platforms, including Hyper-V and Hyper-V R2.
The vulnerability affects the virtual machine monitor (VMM) memory management.
It makes memory pages mapped above 2GB available with read or read/write access to user-space programs running in a guest operating system. By leveraging this vulnerability it is possible to bypass operating system security mechanisms such as Data Execution Prevention (DEP), Safe Structured Exception Handling (SafeSEH) and Address Space Layout Randomization (ASLR), which are designed to prevent exploitation of security bugs in applications running on Windows operating systems.
Core Security even released proof-of-concept code, vpdumper, that can be used to demonstrate the vulnerability.
The security vendor, as well as the worldwide press, highlighted how this vulnerability affects the Virtual PC platforms, but the most important aspect of this issue seems to be that it affects Virtual Server.
Over the years, in fact, virtualization.info has collected multiple reports, from several countries, of small businesses that are still running Virtual Server 2005 in production today, using it to virtualize mission-critical applications like databases and mail servers (whether or not Microsoft officially supports those scenarios).
Those companies risk much more than individual users who run stand-alone Virtual PC or Windows 7 Virtual PC to execute spare VMs from time to time.
Core Security informed Microsoft about this vulnerability in August 2009.
It took four months to confirm the vulnerability and involve the product team and other relevant groups.
It took another five months to confirm that the vulnerability doesn’t affect Hyper-V.
In the end, Microsoft informed Core Security of its plan to consider mitigating the issue in a future release of the affected products, which means that as of today there is no fix for this.