Back to Top

Thursday, August 02, 2007

Vulnerabilities and hype

Take some vulnerabilities, don't investigate the conditions which are needed to exploit them, and you got a good old fashioned security hype.

The gist of it: there are some flaws in the ActiveX controls VMWare installs. The possible attack scenario for these vulnerabilities looks like this:

  1. The user has VMWare (or VMWare Disk Mounter for the first two vulnerabilities!_ installed
  2. The user use Internet Explorer in the host machine to visit a malicious website
  3. The user's computer gets exploited

These vulnerabilities have nothing to do with a program being able to escape from the guest to the host (as many articles suggested).

Also, if you are going to link to a paper discussing serious flaws of virtualization products, at least link to Peter Ferrie's whitepaper or the Google whitepaper (warning, PDF!). I do not wish to belittle the research done by Ed Skoudis, I consider the ideas presented in their paper too high level and only of limited effectiveness. It is only the first step in the VM-detection - VM-detection-detection race and only effective because the attackers didn't need to come up with more sophisticated ways.

In conclusion: VM are still the safest way to study malware, however (as with everything) one needs to use a layered security approach (so at least VM's on a separate, non-public network). Also, there is the possibility to use private-builds of the open source virtual machines (yes, open source is great!) by security researchers, effectively turning the advantage of the malware authors (the fact that defensive software is publicly available and they can study it and modify their code until it's not detected by the current version) against them (in the sense that at this moment the malware is publicly available and the researcher can tweak her VM until it's not detected).

Update: now here is a vulnerability with real concerns: VMware Workstation Shared Folders Directory Traversal Vulnerability (via the Pauldotcom blog). However the solution is still relatively simple: disable shared folders (you should disable all convenience features - like shared folders, networking or VMWare Tools - when working with malware to minimize the attack surface!)

Update 2: see the posting on Security Ripcord which contains a response from Ed Skoudis in the comments that reveals some additional information.


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.