Microsoft yet to fix six month old Virtual PC flaw
A US security firm has claimed it reported a flaw in Microsoft’s Virtual PC hypervisor software back in August 2009, but the software giant is yet to act on it.
Microsoft has yet to fix a serious security a flaw in its Virtual PC hypervisor that was reported to it last year, according to researchers.
Core Security Technologies claimed to have discovered a vulnerability in the software that could lead to system infiltrations and reported it to Microsoft back in August 2009.
Although the software giant claimed it would address the problem in future updates, it appears to have been left to fester.
Today the US security firm has released a statement saying the affected versions of the product contained a vulnerability allowing attackers to bypass security mechanisms in place on the Windows operating system, enabling them to take over the machine.
There is also a risk that a certain type of common software bug could also be exploited through this opening.
Affected versions include Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected however Hyper-V has been said to be secure.
"Virtualisation is an area that offers tremendous promise to the entire computing world, but it must be remembered that the technologies that enable this process may also introduce potential risks that previously didn't exist," said Ivan Arce, chief technology officer of Core Security Technologies, in a statement.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"This particular case provides a good example of how mechanisms designed to improve an operating system's security over many years can eventually become ineffective when some of the basic underlying aspects of their operation are changed by virtualisation technology."
The security company has advised users to run mission critical Windows applications on alternative virtualisation technologies or raw hardware, else ensure Virtual PC technologies are kept at the highest patch level possible and closely monitored.
We contacted Microsoft for comment on the flaw but it had not returned our request at the time of publication.
Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.
Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.