In the space of a given year, untold thousands of vulnerabilities are found in operating systems, applications and plug-ins. In many cases, the affected vendors fix the flaws, either with a patch, a workaround or some other mitigation. But there’s also a huge population of security bugs that vendors never fix because they’re deemed unexploitable, an assumption that may be turning into a serious mistake for software makers.
Microsoft made such a call earlier this year, after researchers at Core Security informed the company that they had found a vulnerability in the Microsoft Virtual PC software. The flaw, which affected the virtual machine monitor (VMM) in Virtual PC, could enable an attacker to use applications running in user space on a guest OS to access portions of the virtual machine's memory that should be inaccessible to those applications. That access lets the attacker bypass the anti-exploitation protections of the guest operating system and exploit flaws in software running inside the VM that would otherwise not be exploitable.
This problem was especially thorny for Microsoft because Virtual PC is what lets Windows 7 users run applications designed for older Windows versions in a virtualized environment on their Windows 7 machines (the Windows XP Mode feature). That capability has helped Windows 7 deployments in enterprise environments by keeping more legacy applications viable.
But Microsoft’s security team said that the Virtual PC problem was not actually a vulnerability and the company hasn’t released a fix for it.
“The functionality that Core calls out is not an actual vulnerability per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It’s a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms,” Microsoft’s Paul Cooke wrote in a blog post at the time.
Software companies large and small make these kinds of judgments on a daily basis during both the development process and the life span of a deployed product. The mere presence of a bug or vulnerability in an application doesn’t mean that an attacker could necessarily use the flaw to compromise a system running the software. Plenty of bugs just cause the software to act flaky or become unstable or hang without offering an attacker any inroads into the machine.
So fixing these problems isn’t always a top priority for software makers, especially if they’re on tight deadlines or strict budgets. And there’s always the compatibility problem to take into account: If a patch breaks some other service or feature in the application, then it may just infuriate users. So maybe all of that customer aggravation isn’t worth it.
The difference in this case, experts say, is that the Virtual PC vulnerability is a symptom of a larger problem lurking beneath the surface: the assumption that protections such as ASLR (address space layout randomization), DEP (Data Execution Prevention) and SafeSEH (safe structured exception handling) will always be there to save us.
“We’re less worried about this particular vulnerability than we are about the now-exposed (incorrect) assumption that various security mechanisms will always be in place. It’s obvious that a complete re-calibration of exploit potential for uncategorized bugs will become necessary if vulnerabilities like the one described here remain in our fielded systems. Not so good for Windows 7,” Gary McGraw of Cigital and Ivan Arce of Core Security wrote in an analysis of the Virtual PC situation for InformIT.
“In our view, design and architecture decisions made for Virtual PC completely invalidate some basic assumptions about processes in modern Windows operating systems. Like falling dominoes, this in turn invalidates almost all anti-exploit mechanisms that Microsoft has built into their OS over the past decade, which then topples over and turns an entire class of bugs deemed un-exploitable on non-virtualized systems into potential vulnerabilities on virtualized systems. Backwards time warp and a table full of fallen dominoes,” they wrote.
This may seem an isolated, extreme case, but there have been other examples in the last few months of the same kind of assumptions being ground to pieces under the wheels of logic and ingenuity. After the high-profile attack on Google and other big companies was disclosed in January, word quickly leaked out that the flaw used to compromise the search giant was an unpatched bug in Internet Explorer. Several experts said the problem could not be exploited on IE 8 on Windows 7 because of the memory protections Microsoft had added.
Within a few days that was proven false: researcher Dino Dai Zovi, followed by others, built an exploit for the same flaw that worked against IE 8 on a Windows 7 machine with those protections enabled, a technique he demonstrated live at the RSA Conference in March. The point, Dai Zovi and others maintain, is that exploit mitigations are just that: mitigations. They raise the cost of a reliable exploit; they do not make a memory-corruption bug unexploitable.
“Attack mitigation takes the universe of exploit techniques and narrows it down,” Dai Zovi said during his RSA talk. “But preventing the introduction of malicious code isn’t enough to prevent malicious computations.”
That’s a point that’s becoming ever clearer.
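The assumption the experts warn about can be tested rather than trusted. The probe below is an added example, not code from this article, from Core Security or from Microsoft. It targets a POSIX host (Linux on x86-64 or aarch64), so it checks the generic no-execute mitigation that Windows calls DEP, plus the Linux ASLR sysctl; it does not reproduce the Windows-only Virtual PC flaw. The file and function names are this example's own:

```c
/*
 * probe_nx.c: added example, not code from the article, Core Security or
 * Microsoft. Empirically checks whether the no-execute mitigation (DEP on
 * Windows, NX on Linux) actually holds in the environment it runs in, instead
 * of assuming it does. POSIX only; the Virtual PC flaw is not reproduced here.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

/* Catch the fault raised when the CPU refuses to fetch from the page. */
static void on_fault(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

/* Encoding of a bare "return" instruction for the host CPU. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret, little-endian */
#else
#error "add the return-instruction encoding for this architecture"
#endif

/*
 * Map a page, write a lone "ret" into it, set its protection to `prot` and
 * jump to it. Returns 1 if the attempt faulted (execution blocked), 0 if the
 * "ret" ran normally, -1 if the probe could not be set up (e.g. the sandbox
 * refuses executable mappings).
 */
int exec_from_page_blocked(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, RET_INSN, sizeof RET_INSN);
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return -1;
    }
    /* Needed on aarch64 so the instruction fetch sees the bytes just written. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET_INSN);

    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        void (*fn)(void) = (void (*)(void))page;  /* jump into the mapped page */
        fn();
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    munmap(page, pagesz);
    return faulted;
}

/* 1 when a writable, non-executable page cannot be executed (NX/DEP holds). */
int nx_enforced(void)
{
    return exec_from_page_blocked(PROT_READ | PROT_WRITE) == 1;
}

/* Positive control: the same bytes on an executable page must run. */
int exec_page_runs(void)
{
    return exec_from_page_blocked(PROT_READ | PROT_EXEC) == 0;
}

/* Linux only: kernel ASLR setting (0 = off, 2 = full); -1 if unreadable. */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int level = -1;
    if (f) {
        if (fscanf(f, "%d", &level) != 1)
            level = -1;
        fclose(f);
    }
    return level;
}

int main(void)
{
    printf("NX/DEP enforced on RW page : %s\n", nx_enforced() ? "yes" : "NO");
    printf("RX page executes (control) : %s\n", exec_page_runs() ? "yes" : "NO");
    printf("ASLR sysctl                : %d\n", aslr_setting());
    return 0;
}
```

Build with `cc probe_nx.c -o probe_nx` and run it inside the environment under assessment, such as a guest VM, rather than on the host you assume it resembles. A "NO" on the first line means bugs that were triaged as mere crashes against a DEP-enabled baseline need re-triage in that environment, which is the re-calibration McGraw and Arce describe.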
“Microsoft claims that the Virtual PC problem ‘isn’t a vulnerability per se’ because the problem described only affects ‘security-in-depth’ mechanisms and attackers would need to find and exploit an actual implementation bug to leverage it. Even if Microsoft is right on that count (which we don’t think they are), they are ignoring the bigger issue of assumptions. Bugs previously deemed non-exploitable for anything other than crashing systems are now potentially exploitable under a virtualized OS. Because of the way bugs are slated for mitigation in the real world, a majority of those bugs remain unpatched — a problem of prioritization and the enormity of the bug pile in applications,” McGraw and Arce conclude.