Microsoft Provides Fix For VirtualPC 6 Vulnerability

Microsoft has posted an update that fixes a vulnerability in VirtualPC 6. The vulnerability can only be exploited locally and under specific circumstances, but nonetheless, Microsoft recommends updating the software. From Microsoft:

What causes the vulnerability?
A vulnerability results because of the method by which Virtual PC for Mac uses a specific temporary file during execution. The method used to treat the log file does not correctly validate the contents within the file.

[...]

What is wrong with the way that Microsoft Virtual PC for Mac handles temporary files?
The vulnerability lies in the way that a temporary file is created when Microsoft Virtual PC is running. It could be possible for an attacker to insert code in such a way that Virtual PC will run the code at system level privileges.

Why does this pose a security vulnerability?
The vulnerability could provide a way for a process to cause Virtual PC to run arbitrary code on the Macintosh.

What might an attacker use the vulnerability to do?
To exploit this vulnerability, an attacker would have to start Virtual PC for Mac and then run a specially-designed program that could exploit the vulnerability by accessing the temporary file in a specific way. This vulnerability could then allow an attacker to gain complete control over the system.

You can get more information and download links at Microsoft's TechNet site.
