Machine Emulation and a Microsoft Security Response

Last fall, Microsoft revealed that its Solutions and Technical Sales Group was using VMware's virtual machine (VM) software as a tool for the company's technical sales representatives to demonstrate the latest Microsoft products. VMware (see the first URL below), like its main competitor Connectix (see the second URL below), makes VM software that lets you run another operating environment in a window (or full screen) under Windows. Since the VM software announcement, I've seen Microsoft use virtual machines to create test domains and other similar scenarios, where collecting a number of physical machines would be impractical. If you've never looked into VM software, you might want to consider its many benefits.

I've tested and used VMware's VM software but I'm currently a Connectix customer because its Virtual PC product runs on both the Macintosh and Windows OSs, letting me move virtual machines between those environments. I use VM software primarily for my reviews on the SuperSite for Windows (see the third URL below) because it lets me easily document Windows-based product boot and installation processes (see the fourth URL below), which are otherwise impossible to graphically capture. And the performance of VM software has improved over the years to the point where, on Windows especially, you can achieve impressive response times on modern laptop and desktop hardware, provided you have enough RAM. This capability lets you take a test environment on the road, which is a pretty powerful solution.

To explain how customers are using VM software, I spoke recently with David Atlas, vice president of Enterprise Products at Connectix. Atlas told me that Virtual PC got its start in the Macintosh market because of the need to achieve interoperability with Windows applications (not coincidentally, VMware got its start in the Linux market for the same basic reason). Today, Connectix Virtual PC for Windows and VMware Workstation let end users, administrators, and developers run most x86-based OSs—including every Windows version, Linux, Solaris, and other UNIX-type environments—under Windows, either in an application window or full screen. "It's a great solution for companies that have moved forward to Windows XP, but need compatibility with legacy applications," Atlas said, "or accounts with parallel infrastructures. Some of our customers are banks with an OS/2 application base, but they need to run Windows desktops, and they don't want workers to have two different PCs."

Many other reasons exist to consider using VM software. In addition to niche-application support or desktop consolidation, virtual machines are a perfect solution in customer-support scenarios, where the number of possible configurations your customers might have would otherwise be daunting. Call centers, testing environments, software developers, and even Web developers that need to test sites on various browsers can benefit from VM software. "You don't need to dedicate one PC to one OS," Atlas told me. "Instead, you can create a virtual space that is basically a file in the host OS." And you can copy that file to other PCs to deploy multiple virtual machines as quickly as you copy a file. I've moved virtual machines between Windows and Mac OS X, which lets me run XP in a window under OS X if I choose to take my Apple iBook on business trips, for example.

Another scenario in which you might try using VM software is when you want to deploy a new Windows version or implement Active Directory (AD) or some other difficult technology. You can test your deployment on virtual machines first to see how various options affect deployment. I recently used VM software to implement an entire Windows .NET Server (Win.NET Server) Release Candidate 1 (RC1) domain because dedicating a physical PC to each server would have been prohibitively time-consuming and expensive. And the virtual machines interact seamlessly with physical machines on the network.

Just a few years ago, virtual machines were niche applications—due as much to the immaturity of the products as to performance concerns with the underlying hardware. But today, virtual machines are an excellent solution in a variety of situations. If you haven't considered such a solution, now might be the time: VMware is offering a free 30-day trial version of VMware Workstation 3.1, and Connectix has a similar 45-day trial for Virtual PC 4.3 for Windows.

Microsoft Responds: Shatter Attack Is Indeed an Issue
Last week, I discussed a Win32 API security vulnerability and my amazement that Microsoft didn't have a better response. The company did get back to me, however, last weekend.

"Microsoft has thoroughly investigated the recently published whitepaper detailing a type of attack the author has named 'shatter attacks,'" a company representative told me. "The report is correct in its description of the effect of the attack in the cases it cites. It would indeed be possible for an unprivileged user to gain control of a Windows system—though it's important to note that the attacker would only gain privileges on the local machine, not the domain, and only if he could log onto the machine interactively. However, the paper is mistaken in its description of the cause. The attack is not made possible by an architectural flaw. The problem actually lies in how particular software services have been written. In each case the report cites, highly privileged services have been allowed to run in the same interactive desktop as low privileged services. This mixing of services is the flaw. The developers of these services neglected to follow well-documented best practices by building their software to run with inappropriately high privileges (see the fifth URL below). A small number of our own services contain the error as well, and we are developing patches for these services and will deliver them shortly. No changes to the Windows architecture are necessary."

Chris Paget, the developer who discovered the flaw, also reported to me over the weekend that the response he was getting from Microsoft had suddenly changed dramatically. Paget's contact at the company, "Dave," now says that Microsoft is taking the following steps:

  • Working on patches for the specific flaws that Paget has exploited
  • Preparing a page on the Microsoft Web site with information about the attacks
  • Creating ways to make these flaws more difficult to exploit, one of which might be included in Windows XP Service Pack 1 (SP1), which Microsoft just finalized.

So Microsoft is finally showing the level of respect I feel is appropriate for both Paget and the flaws themselves. As the company representative told me last week, Microsoft prefers to fix security problems before admitting to them publicly, for fairly obvious reasons. However, in this case, the company might have been more upfront when confronted with the problem. The simple explanation I got late last week would have done much to quell my—and probably your—fears about this issue.
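The flaw Microsoft's statement describes is a configuration, not a code bug, so it is something you can audit for on your own machines: a service that runs as a highly privileged account (LocalSystem) and is also marked to interact with the desktop owns windows on the same interactive desktop as every logged-on user, which is exactly the mixing Microsoft says should not happen. The following PowerShell script is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) run from an administrative prompt; the SERVICE_INTERACTIVE_PROCESS bit value and the Win32_Service property names are the documented ones, and the list of privileged account names is my own assumption about what counts as "highly privileged" on a given host.

```powershell
# Added example (not from the original article or from Microsoft): audit a
# Windows host for services that are BOTH highly privileged AND marked to run
# on the interactive desktop, the combination Microsoft's response identifies
# as the actual flaw behind the shatter attacks.
# Assumes Windows PowerShell 3.0+ run as an administrator.

$SERVICE_INTERACTIVE_PROCESS = 0x100   # Type bit documented in winnt.h

# Assumption: accounts whose compromise gives full control of the local machine.
# 'LocalSystem' is how Win32_Service reports the LocalSystem account.
$privilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # Cross-check WMI's DesktopInteract flag against the registry Type bit it
    # reflects, so a stale WMI repository cannot hide a finding.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $type = (Get-ItemProperty -Path $regPath -Name Type -ErrorAction SilentlyContinue).Type
    $interactive = $svc.DesktopInteract -or (($type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0)
    if (-not $interactive) { continue }

    $privileged = $privilegedAccounts -contains $svc.StartName
    [pscustomobject]@{
        Name       = $svc.Name
        Account    = $svc.StartName
        State      = $svc.State
        StartMode  = $svc.StartMode
        Path       = $svc.PathName
        Privileged = $privileged
        Risk       = if ($privileged) { 'HIGH: privileged service on interactive desktop' } else { 'review' }
    }
}

# Privileged interactive services first; these are the ones to fix or isolate.
$findings | Sort-Object Privileged -Descending | Format-Table Name, Account, State, Risk -AutoSize

# Remediation for a service you control: clear the interactive flag so the
# service no longer owns windows on the interactive desktop, and move any UI
# into a separate process that runs as the logged-on user. Use 'share' instead
# of 'own' if the service shares its process with others (check sc.exe qc first):
#   sc.exe config <ServiceName> type= own
# Verify afterwards with:  sc.exe qc <ServiceName>
# The TYPE line should no longer read "(interactive)".
```

Services that show up as "review" run interactively under a less privileged account; they are not the escalation path Microsoft describes, but they still expose a window-message surface to every interactive user and are worth a second look.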

Links

VMware Workstation

Connectix Virtual PC

SuperSite for Windows

Example boot screen

INFO: Security, Services and the Interactive Desktop
