Virtualization software from Microsoft suffers from a zero-day vulnerability that could allow an attacker to bypass security mechanisms and execute arbitrary code, application security provider Core Security Technologies disclosed Tuesday.
Microsoft, however, is disputing the claims.
The flaw affects Microsoft's Virtual PC, which allows users to run multiple virtualized operating systems on a single computer, Ivan Arce, CTO of Core Security, told SCMagazineUS.com on Tuesday. The problem resides in a component of the Virtual PC package known as the hypervisor, which is responsible for managing the memory allocated and used by virtualized systems.
By leveraging this vulnerability, an attacker could bypass several security mechanisms of the operating system that are designed to prevent exploitation of security bugs in applications running on Windows, according to an advisory from Core Security.
Researchers at the vendor, which makes penetration testing solutions, discovered the vulnerability and reported it to Microsoft last August.
“Since then, we have been going back and forth [with Microsoft], discussing the technical details and whether it needs a security patch or not,” Arce said. “We believe this is an issue that needs to be addressed in a security fix. They [Microsoft] think it's not a problem that merits a security bulletin and fix.”
Microsoft believes the issue is not an actual security bug but is instead is “a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system,” Paul Cooke, a director in the Windows Client group, wrote in a blog post Tuesday.
The “functionality” Core Security described could cause protection mechanisms that are present in Windows to be rendered less effective inside a virtual machine than a physical machine, he said.
“There is no vulnerability introduced, just a loss of certain security protection mechanisms, Cooke said.
The issue does not affect the security of Windows systems directly, Cooke said. It only affects the “guest” operating system running within a Virtual PC environment. In addition, it does not affect Microsoft's Windows Server virtualization technology, Hyper-V.
There are no reports of this vulnerability being used by attackers in the wild, Arce said.
Affected versions are Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005.
“We believe the user community should know about the existence of the problem so they can take informed decisions about risk,” Arce said.
Core Security recommended that users run all mission-critical Windows applications on non-virtualized systems or to use virtualization technologies that are not affected by the flaw. Windows operating systems and applications that are virtualized using Microsoft's Virtual PC technologies should be kept up to date with patches and monitored to detect exploitation attempts, the company said.