Security Firm Warns of Hole in Windows Virtual PC


Security firm Core Security Technologies published a security advisory this week, including proof of concept code, that could let an attacker take control of applications running virtualized in Microsoft's Virtual PC technology which is included in some versions of Windows 7.

Microsoft (NASDAQ: MSFT) acknowledges that the hole is real but questions the severity of the problem.

According to Microsoft, while it may be possible to take over an application running inside a Windows virtual machine, the vulnerability as it stands now is not capable of letting an attacker break out into the host operating system.

"First and foremost, customers should rest assured that this advisory does not affect the security of Windows 7 systems directly," Microsoft spokesperson Paul Cooke said in a post to the Windows Security Blog. Windows 7 contains an "XP Mode" that provides a virtual runtime environment for XP applications that otherwise might not run under the new operating system.

Core claimed in its advisory to have discovered the hole in Windows' virtualization technology last summer and notified Microsoft at the time.

After months of back and forth about the problem, however, Core finally got tired of waiting for the software giant to act.

"Using XP Mode, Windows 7 users can run Windows applications on a virtualized Windows XP SP3 operating system directly from the Windows 7 desktop but in doing so they may be inadvertently increasing their risk due to a bug that makes standard Windows anti-exploitation mechanisms ineffective," said Core's advisory.

The vulnerability, Core said, is located in Virtual PC's memory management Virtual Machine Monitor. It lets a clever hacker bypass security features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) put in to minimize the possibility of that occurring.

"Thus applications with bugs that are not exploitable when running in non-virtualized operating systems become exploitable if running within a guest OS of Virtual PC," Core's advisory said.

Windows Virtual PC, Windows 7 XP Mode, Virtual PC 2007 and Virtual PC 2007 Service Pack 1 (SP1), as well as Virtual Server 2005 are all at risk, according to Core. Microsoft's Hyper-V virtualization technology in Windows Server 2008 is not affected.

"The guest operating system in a Virtual PC environment is typically Windows XP as part of Windows XP Mode ... [but] only DEP is available in Windows XP SP3 [and] Windows XP doesn't contain ASLR," Cook's post said. The net result, he said, is that an attacker can only exploit a vulnerable application running "inside" the guest virtual machine which is running on Windows XP, rather than Windows 7.

Additionally, an attacker cannot exploit the vulnerability remotely, according to Core's advisory -- meaning an attacker must have physical access to the computer running the virtualized application.

Microsoft has not said whether it will issue a patch for the problem. Beyond the blog post, the company declined to comment.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals.