Virtual PC Hypervisor vulnerability remains unpatched

Core Security issued an advisory disclosing a vulnerability that could affect large numbers of organizations and consumers using Microsoft’s Virtual PC virtualization software and leave them open to potential attack.

Microsoft’s Virtual PC hypervisor is an element of the company’s Windows Virtual PC package, which allows users to run multiple Windows environments on a single computer. The hypervisor is a key component of Windows 7 XP Mode, a feature in Microsoft’s latest desktop operating system aimed at easing the migration path into the new OS for users and enterprises that need to run legacy Windows XP applications on its native OS.

A Core Security Exploit Writer working with CoreLabs found that affected versions of Virtual PC hypervisor contain a vulnerability that may allow attackers to bypass several security mechanisms of the Windows operating system to compromise vulnerable virtualized systems. The issue may also transform a certain type of common software bug into exploitable vulnerabilities.

Affected versions of the product include: Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is affected by the vulnerability.

Microsoft Hyper-V technology is not affected by this problem.

The issue was reported to Microsoft in August of 2009. The vendor indicated that it plans to solve the problem in future updates to the vulnerable products.

We recommend that affected users run all mission-critical Windows applications on native hardware, or use virtualization technologies that are not affected by this bug. Windows operating systems and applications that must run virtualized on Virtual PC technologies should be kept at the highest patch level possible and monitored to detect exploitation attempts.

Vulnerability specifics

Windows Virtual PC and Microsoft Virtual PC 2007 are desktop systems virtualization applications from Microsoft that are used to run one or many virtual hosts on a single physical system. Windows Virtual PC is used to run Windows XP Mode applications directly from a Windows 7 desktop.

In Microsoft Virtual PC and Windows Virtual PC, the Virtual Machine Monitor (VMM) is responsible for mediating access to hardware resources and devices from operating systems running in a virtualized environment. A vulnerability in the memory management of the Virtual Machine Monitor allows memory pages mapped above the 2GB boundary to be accessed, with read or read/write privileges, by user-space programs running in a guest operating system.

By leveraging this vulnerability it is possible to bypass several security hardening mechanisms of Windows operating systems, such as Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR). As a result, some applications with bugs that are not exploitable when running on a non-virtualized operating system become exploitable when running within a guest OS in Virtual PC.

In particular, a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not.

The vulnerability invalidates a basic assumption about the memory management of the Windows operating system, namely that memory above the 2GB boundary is not accessible to user-space programs, on which several security hardening mechanisms rely for correct operation. As a result, those defense-in-depth mechanisms should no longer be considered effective enough to prevent exploitation of unpatched vulnerabilities in Windows applications running on systems virtualized with the Virtual PC hypervisor.

Additionally, software bugs that may have been dismissed as not security-relevant because they were not exploitable, and for which security patches may therefore not be readily available, could become exploitable vulnerabilities because of the Virtual PC hypervisor bug.