Earlier today, Core Security Technologies issued a security advisory for our Virtual PC (VPC) software. The advisory calls out a proof of concept where the virtual machine monitor allows memory pages above the 2GB level to be read from or written to by user-space programs running within a guest operating system. The advisory explicitly calls into question the effectiveness of many of the security hardening features of Windows, including DEP, SafeSEH, and ASLR. Folks are already starting to ask questions about this advisory, so I thought it would be best to answer them here.
First and foremost, customers should rest assured that this advisory does not affect the security of Windows 7 systems directly. The security safeguards (DEP, ASLR, SafeSEH, etc.) that are in place remain effective at helping protect users from malware on that system. In addition, Our Windows Server virtualization technology, Hyper-V, is also not affected by this advisory. Applications running inside a Hyper-V guest continue to benefit from these same security safeguards.
The functionality that Core calls out is not an actual vulnerability per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It's a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms.
The functionality described only affects the guest operating system that is running within a Virtual PC environment. In practice, the guest operating system in a Virtual PC environment is typically Windows XP as part of Windows XP Mode. Of the safeguards Core calls out, it should be noted that only DEP is available in Windows XP SP3; Windows XP doesn't contain SafeSEH or ASLR. The net result? An attacker can only exploit a vulnerable application running "inside" the guest virtual machine on Windows XP, rather than Windows 7!
We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7. For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future.
One final point, whether the version of Windows you are running is virtualized or running physically on a computer, it's equally important to follow sound security practices. You should make sure your firewall is enabled, that you have anti-virus software installed, and that you keep your software up to date through automatic updates. For more information on how to protect your PC, visit http://www.microsoft.com/protect/.
More...