Microsoft Denies Virtual PC Vulnerability

Core Security, a company that develops vulnerability testing software, has discovered a major flaw in Microsoft's virtualisation software that might allow hackers to exploit virtual Windows systems.

Interestingly, Microsoft, which was informed about the flaw 6 months ago, refuses to acknowledge the security hole as a critical one.

According to a report released by Core Security, Microsoft's Virtual PC, Virtual PC 2007 and Virtual Server 2005 are affected by a major security bug that might allow hackers to bypass security measures set up by Microsoft, including DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

However, the security company also mentioned that the flaw is limited to Windows systems running inside a virtual machine; the same systems would not have the vulnerability in the first place if they were running on actual computer hardware.

Commenting on the issue, Ivan Arce, CTO of Core Security, said in a statement: “They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner.”

Microsoft representatives lashed out at Core Security's report, claiming that the vulnerability is not a big one and adding that Core Security was merely describing ways to hack into a virtual Windows PC and not an actual flaw.

Our Comments

Virtualisation is an exciting technology, but it brings its own set of problems and issues, especially as it resides in another OS or platform most of the time. Let's see whether Microsoft will release a patch in April's Patch Tuesday to close the vulnerability.
