Microsoft has re-released a security bulletin and updated software to address the Microsoft Virtual PC and Virtual Server guest operating system privilege escalation vulnerability.
Microsoft Virtual PC and Virtual Server contain a vulnerability that could allow a local attacker to assume control over a virtual system.
This vulnerability is due to errors when the vulnerable applications validate privilege levels within the Virtual Machine Monitor driver.? A local attacker could exploit this vulnerability to gain escalated privileges within the virtual operating system, resulting in the compromise of the virtual host.
Microsoft has confirmed this vulnerability in a security bulletin and released updated software.
The following Microsoft products are affected:
Microsoft Virtual PC 2004 SP1 and prior
Microsoft Virtual PC 2007 SP1 and prior
Microsoft Virtual PC 2007 x64 Edition SP1 and prior
Microsoft Virtual Server 2005 R2 SP1 and prior
Microsoft Virtual Server 2005 R2 x64 Edition SP1 and prior
To?exploit this vulnerability, an attacker requires local access to an affected system and a virtual host, or have the ability to log in locally to a virtual host using remote access such as Remote Desktop or Terminal Services.? The attacker will?likely require either physical access to a vulnerable system or access to trusted network segments.? These requirements?limit the potential source of attacks.
An exploit within a virtual operating system will not likely allow the attacker to affect the host operating system.? Any impact will be limited to the individual virtual host.? However, depending on the functions of the virtual host, a compromise could affect critical operations or expose sensitive information.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the July 2009 security bulletin release.? This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2009
The update available from Microsoft corrects this vulnerability by properly determining privilege levels within the virtual host.
Microsoft has re-released a security bulletin at the following link: MS09-033
A local attacker could exploit this vulnerability to gain elevated privileges within a virtual operating system.? An exploit could allow the attacker to take complete control over the virtual system; however, the attacker will likely be unable?to gain additional privileges on the host system.
The vulnerability is due to errors when the vulnerable applications validate privilege levels within the Virtual Machine Monitor driver.? The driver filters and processes requests from virtual machines to the underlying system hardware.? Malformed requests that are processed by the driver may be interpreted as having a higher security context, allowing a local attacker to take privileged actions within the virtual operating system.
A local attacker could exploit this vulnerability by running a program that is designed to issue a malicious request to the vulnerable application.? As a result, the attacker could perform actions with administrative privileges, possibly resulting in the complete compromise of the virtual machine.
Administrators are advised to apply the available software updates.
Administrators are advised to restrict system access to trusted users.
Administrators are advised to monitor critical systems.
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
Version 1, July 14, 2009, 2:13 PM: Microsoft Virtual PC and Virtual Server contain a vulnerability that could allow a local attacker to assume control over a virtual system. Updates are available.
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.