Core Security finds Microsoft virtualization flaw

Core Security, which said it reported the vulnerability to Microsoft seven months ago, warns that it could allow attackers to bypass the Data Execution Prevention (DEP) mechanism in later versions of Microsoft's operating systems. Address Space Layout Randomization (ASLR), which randomizes the addresses at which Microsoft's code and data are loaded so that exploit code cannot rely on fixed memory locations, is also neutralized by the attack, Core Security said.

"A vulnerability found in the memory management of the Virtual Machine Monitor makes memory pages mapped above the 2GB boundary available with read or read/write access to user-space programs running in a guest operating system," said Core Security in an advisory. Safe Structured Exception Handling (SafeSEH), another security measure employed by Microsoft, is also compromised by the vulnerability, it warned.

The problem is that once these protections are defeated inside a guest operating system, the guest is exposed to a potentially large number of exploits that those protections would otherwise have stopped. A flaw in the underlying hypervisor could therefore leave huge numbers of virtual machines vulnerable to attack. "In particular, an application running on Windows 7 in XP Mode may be exploitable while the same application running directly on a Windows XP SP3 system is not," it said.

Microsoft's Hyper-V technology is not affected by the bug, Core Security said. However, it advised that, until Microsoft fixes the problem in a future update, customers should run all mission-critical Windows applications on non-virtualized systems or use virtualization technologies that are not affected by the bug.