Speed in decision making?

By Deadly Ernest
OK, I'll admit I've been waiting for someone else to start a thread on this, but I've given up waiting. Here is a great example of the speed with which some companies make decisions. The article was on ZDNet a few days ago. Here's the URL, and the main text is further below (I hope they don't ping me about it, but this is the same corp, so I don't think so):

Now, in the quote below I'm a bit concerned about the fact it took Microsoft from August to March to decide they won't do anything about this and tell the people who found it. And people wonder why their systems are not protected against attack - that's seven months of vulnerability before the company even decides to ignore the issue, and then they say they'll ignore it and not fix it.

This sure shows how committed Microsoft is to security within Windows.

Edit to add these questions:

1. Do you think this is an appropriate time frame to make a decision on a security issue?

2. Do you think this is an appropriate response to such a security issue?


An exploit writer at Core Security Technologies has discovered a serious vulnerability that exposes users of Microsoft's Virtual PC virtualization software to malicious hacker attacks.

The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations, namely Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR), to exploit the Windows operating system.

As a result, some applications with bugs that are not exploitable when running in a non-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC, according to Ivan Arce, chief technology officer at Core.

The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessible with read or read/write privileges by user-space programs running in a guest operating system.

Affected software includes Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by the vulnerability.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.

Microsoft Hyper-V technology is not affected by this problem.

Arce said Core reported the flaw to Microsoft last August, more than seven months ago, but after back-and-forth discussions, the company decided it would not issue a security bulletin to provide patches.

"They [Microsoft] said that they agreed with our assessment of the problem, that it makes DEP/SafeSEH and ASLR bypassable. However, they say it doesn't meet their criteria for a security bulletin and that they'll fix it in a service pack or a future product update," Arce explained in a telephone interview from his office in Buenos Aires, Argentina.

"Given that that's their decision, we feel we have to inform people of the risk so they can make informed decisions," he added. "We consider this a vulnerability that needs to be fixed."

Microsoft officials declined to comment until they had a chance to review Core's advisory on the issue.

Microsoft's Virtual PC hypervisor is an element of the company's Windows Virtual PC package, which allows users to run multiple Windows environments on a single computer. The hypervisor is a key component of Windows 7 XP Mode, a feature in Microsoft's latest desktop operating system aimed at easing the migration path into the new OS for users and enterprises that need to run legacy Windows XP applications on its native OS.

With this discovery, Arce said, a certain type of common software bug may be transformed into exploitable vulnerabilities. "Certain vulnerabilities that have been dismissed as non-exploitable may now be exploitable on virtualized environments," he said. "Let's say someone found a vulnerability 2-3 years ago in a virtual application. They did the analysis and determined it was not exploitable because it only caused a crash in the client app. Now, you can bypass DEP and SafeSEH and that same vulnerability or a large list of vulnerabilities may be exploitable on virtualized systems."

Core recommends that affected users run all mission-critical Windows applications on native iron or use virtualization technologies that aren't affected by this vulnerability.

Windows operating systems and applications that must run virtualized using Virtual PC technologies should be kept at the highest patch level possible and monitored to detect exploitation attempts.

"This particular case provides a good example of how mechanisms designed to improve an operating system's security over many years can eventually become ineffective when some of the basic underlying aspects of their operation are changed by virtualization technology," Arce said.

end quote


Well, it's been over a month and no comments or answers to the two questions

by Deadly Ernest, in reply to "Speed in decision making?"

Well, it's been over a month and no comments or answers to the two questions, so I guess everyone thinks the actions of Microsoft were fully acceptable and to be expected.


Good thing

by santeewelding, in reply to "Well, it's been over a month and no comments or answers to the two questions"

It's only a guess, and a flimsy one at that.


That's bad...

by AnsuGisalas, in reply to "Speed in decision making?"

But somehow not surprising. SNAFU?

I think the fix is to put a "dump to public" date on the security report, like this: "This report will expire in seven (7) days, after which a full description of the vulnerability will be turned over to the public."
That should make them scurry. They can afford to flip off the good guys, not the bad guys.
