MS09-033: The Virtual PC vulnerability is not a VM breakout issue

MS09-033 fixed an elevation of privilege vulnerability in Virtual PC and Virtual Server. I’d like to use this blog post to clarify the security impact of this vulnerability, to help you make an informed decision about how to prioritize the installation of this update. To be clear, we highly recommend that you install the update, but recognize that you may need to prioritize the work of deploying the update against other important work.

Which configurations are at risk?

First of all, if you are using hardware-assisted virtualization, this vulnerability does not affect Virtual PC 2007 or Virtual Server 2005. Windows XP compatibility mode in Windows 7 is also not affected. Any installation not using hardware-assisted virtualization is affected. Note that Virtual PC 2004 does not support hardware-assisted virtualization, so it is affected.

What could an attacker do because of this vulnerability?

This vulnerability does not allow an attacker to compromise a host operating system. The vulnerability could allow an attacker who can already run low-privileged native code on the guest operating system to execute instructions that are supposed to be reserved for code running in ring 0. This would have no effect on the host operating system. The attacker could, however, achieve code execution within the guest operating system with system privileges, completely compromising the guest operating system.

What are the attack vectors?

It’s also important to note that the attacker must be able to run arbitrary native code on the guest operating system already. There are two main scenarios to consider that would allow this. The first is systems that allow users to log in and run native code programs at low privileges by design. The second is when an attacker convinces a non-malicious user of the system to run the malicious program, possibly through email or a malicious web site.

How can I protect myself?

Install the update from here: MS09-033

We hope that having this additional information about how this vulnerability could be exploited will help you make a more informed decision about how urgently to apply this update.

– Kevin Brown, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*