Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Microsoft Businesses OS X Operating Systems Apple

Microsoft Brings Security Holes to the Mac 76

eMilkshake writes "There is an MS security bulletin that reads, in part, 'A security vulnerability exists ... because of the method by which Virtual PC for Mac creates a temporary file when you run Virtual PC for Mac. An attacker could exploit this vulnerability by inserting malicious code into the file which could cause the code to be run with system privileges. This could give the attacker complete control over the system.' Guess VirtualPC really brings the Windows experience to the Mac!" An update is available from the Microsoft site. On the flip side: sking writes "Australian IT reports on Microsoft's continuing development for the Mac: 'I just want to thank Apple for providing all those great innovative technologies that let us do what we love best: creating great applications,' gushed head of Microsoft's Macintosh Business Unit Roz Ho."
This discussion has been archived. No new comments can be posted.

Microsoft Brings Security Holes to the Mac

Comments Filter:
  • by Anonymous Coward on Wednesday February 11, 2004 @03:39PM (#8252617)
    Unit Roz Ho? What is this, Frank Zappa's lost daughter?
    • Re:Unit Roz Ho? (Score:2, Informative)

      by MinutiaeMan ( 681498 )
      Um, as I understand it, all Microsoft did with VirtualPC 6 was re-brand it as a MS product and increase the version number by .1. Therefore, any and all bugs in any release before the upcoming VPC 7 are really Connectix's fault, not Microsoft.

      (Yeah, I wish I could blame these bugs on M$, too... but it's not really fair in this case.)
      • Yeah, I wish I could blame these bugs on M$, too... but it's not really fair in this case.

        I don't agree.

        Once a company takes ownership and responsibility for another product, they are responsible for the auditing of that product.

        With the untold amounts of MS money, surely they can audit the product. I seem to remember they were trying to improve it's OSX compatibility or something like that, so I think they have done a little more than just a cosmetic brand and version change.
    • i saw roz ho speak at macworld in SF last month. she totally acted like a puppet on a string, all smiles and never looking at whom she is talking to, always the audience. all kinds of freaky, man...
  • by AtariAmarok ( 451306 ) on Wednesday February 11, 2004 @03:43PM (#8252658)
    Only a matter of time before the Mac virus checker software flags and removes Virtual PC as a trojan.
  • by MarkGriz ( 520778 ) on Wednesday February 11, 2004 @03:46PM (#8252694)
    I, for one, welcome our malicious code inserting overlords.
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday February 11, 2004 @03:50PM (#8252742) Journal
    What Microsoft did was bring their huge audience to a security update for Connectix's tiny little program, VirtualPC. How much input do we really think that Microsoft had on this latest release of VirtualPC? Don't you really think that it was probably horked by the same programmers that would have horked it at the previous developer?

    So, someone found the hole. Microsoft released the patch information to every person subscribed to their security lists. That's a lot of weenies. For all we know, if VPC hadn't become an MS product, the vulnerability would still be there, and *no* *one* would have heard about it, including the developers.
  • by G4from128k ( 686170 ) on Wednesday February 11, 2004 @03:57PM (#8252804)
    I've had a couple of occassions where Soft Windows decided it needed to launch in response to some web feature or a PC file. I've never had an infection via this route, but it seems that it is possible that double-clicking on a malware .exe file on a Macintosh could lead the Mac to attempt to invoke a Windows emulator and thus infect the emulator. Perhaps this is the Mac's way of corrupting and killing the Window's emulator ;)
  • by Spencerian ( 465343 ) on Wednesday February 11, 2004 @04:22PM (#8253121) Homepage Journal
    Virtual PC emulates the hardware of an actual PC, complete with a video card, Ethernet NIC, a P2 processor, sound card, COM ports, and USB. This allows VPC to run practically any OS (except the old BeOS).

    Because of this, folks, VPC has always been subceptible to malware attacks, particularly in Windows. If you can infect a real PC running Windows, then VPC running the same OS configurution is just as vunerable. Running Linux? Yep, you can get rooted if you don't configure it as you would any other box.

    This new security update isn't very special in itself--it's perhaps that MS detected the vunerability better because it has access to the VPC source since they own the product now. A good question is whether the vunerability is in the virtual machine code or something that makes VPC more vunerable only in an environment running Windows.

    The good news is that infections will only compromise the PC environment(s) in use. The Mac that is running VPC cannot be touched as it is effectively an invisible party to the VPC environments, nor can the Mac be used as a carrier as you can with some e-mail worms.

    Not to say that someone might not try to exploit VPC's ability to use USB devices or its networking processes it shares with a Mac, or options such as shared folders (where a Mac folder is shared to Windows as if it were a networked folder).
    • by kinnell ( 607819 ) on Wednesday February 11, 2004 @04:54PM (#8253512)
      The good news is that infections will only compromise the PC environment(s) in use. The Mac that is running VPC cannot be touched as it is effectively an invisible party to the VPC environments

      Are you sure? The alert seems to imply that it can gain root access to the underlying system, not just the VPC environment.

      • Yes, this security problem gives escalated privileges to the user of VPC. But, in general, you can use VPC as a great test for virus infections, security holes, etc. You can save and duplicate a clean setup, beat up on the dupe and replace it with a new dupe. Very handy for testing.
      • While MS might say so, I wonder a single UNIX application such as VPC could cause such a compromise to OS X. The only way I could think of a vunerability being effective is if VPC could relay instructions to OS X, and if OS X has an administrator account running, where a chance exists that root could be activated.

        I think MS wants to be overreactive to the possibilities, rather than underestimate the potential, low as they may be.
    • This vulnerability is on the host OS, and in fact you don't even need to boot the guest OS :)
  • I fail to see... (Score:3, Informative)

    by teamhasnoi ( 554944 ) <teamhasnoi @ y ahoo.com> on Wednesday February 11, 2004 @04:46PM (#8253410) Journal
    any feature that would entice me to upgrade from the last version Connectix kicked out.

    AFAIK, (and IIRC) the first release of VPC from MS contained a spash screen change and made all previous disk images obsolete. You have to convert them to the 'new' MS style, and then they are unreadable by previous versions.

    It has been awhile, but I think that was one of the reasons I stopped upgrading. If MS 'fixes' the BeOS keyboard issue (any keypress freezes the machine), I may reconsider, but beyond that - why should I encourage MS's poor behavior in business and coding?

    VPC under MS is supposed to be faster (21%), but whatever. I don't think the connectix version had this issue. That said, this security issue looks to be rather difficult to implement..so maybe this is a non-issue and FUD.

  • Emulated OS on emulated hardware gets emulated virus. Emulated virus-checker emulates removal.

    Users emulate customer satisfaction - give emulated kudos to emulated customer-centric software company.
  • VPC has a shared folders feature, which allows you to access your entire hard drive as a networked drive in Windows. I usually keep this off anyway, but, if VPC runs as root, could a virus/hacker conceivably infect and delete things outside the VPC drive file using that if it was enabled?
  • That Microsoft ruin the neighbourhood...
  • by pvera ( 250260 ) <pedro.vera@gmail.com> on Thursday February 12, 2004 @08:56AM (#8257359) Homepage Journal
    I program asp from OS X. There are only two things I cannot do with the mac itself:

    1. Manage the SQL Servers we use
    2. Manage the IIS Servers.

    There are ODBC drivers for OSX but they cost a bundle, and there is nothing available to manage IIS from OSX. That leaves me four choices:

    1. Tie up one of our scarce PCs (all our workstations are mac, windows is only used on a couple servers) just to manage IIS and SQL Server. That means spending precious time just keeping the machine patched just to do these two things. Plus it would take desk space (and my mac is a Powerbook, so I am used to have a relatively clean desk).

    2. Walk to the windows servers any time I need to do something. Totally unpractical.

    3. Use Terminal Server, since Microsoft provides a free Remote Desktop client. This works perfectly but it does not allow me to drag and drop between the terminal server session and my desktop.

    4. Use VPC with 2000 Pro or XP Pro. This means I still have to spend a lot of time keeping windows patched properly, and it takes a lot more CPU power than a terminal services session. The only advantage here is I would get drag and drop.

    I tried the VPC route for a while. On a Titanium Powerbook 867 it pretty bearable on Windows 2000 if I reserve 256MB ram for it. On XP Pro it is pretty much unusable unless I give it 384MB or more, which is not acceptable since that gives me 768MB ram for everything else.

    Terminal Server is my only choice now, so instead of drag and drop I am stuck using samba shares, which would only work inside of the firewall and whenever I need to work away from the office I have to use ftp. Clumsy but gets the job done. If I was able to use drag and drop with Terminal Server it would totally rock. Patching the TS itself is not an issue since it is already being done, it would not mean extra work for me.

    I kept VPC for a while rationalizing that I would not always have TS available, but then I realized that was just stupid since the server I would be managing *had* to be online and it is always setup in admin mode (with admin mode you cannot use it as an applications server, so TS is only used to manage the box).

    As it is right now I have no interest in moving along with VPC, and all my peers that have faced the same dilemma agree.
    • 3. Use Terminal Server, since Microsoft provides a free Remote Desktop client. This works perfectly but it does not allow me to drag and drop between the terminal server session and my desktop.

      What about running something like Timbuktu (Mac and Windows clients available) or some flavor of VNC? TB2 (usally) has drag-and-drop between host and client, though it seems to be a bit flaky in the recent versions.

      • Our Netopia router came bundled with Timbuk2 but it was too complicated. As for VNC, I am not done messing with it yet.

        BTW, I forgot to mention something really weird that the remote desktop client has been doing, and as far as I can tell it only happens with Panther, not with Jaguar:

        Sometimes when I am copying text between the remote desktop client (connecting to Windows 2000 Server) and Panther it crashes both the remote desktop client and whatever OS X application I was copying from/to. It has happened
        • Timbuk2 too complicated?
          You must be kidding me....
          been using it for years. It is one of the best and most well written applications for the Mac, always embraces great technology, and easy to learn and use. If you have not checked it out, you owe yourself to.


          --
          "Why of course, the people don't want war. Voice or no voice, the people can always be brought to the bidding of the leaders...All you have to do is tell them that they are being attacked and denounce the pacifists for lack of patriotism and exp
          • If you have been using it for years then there is no way you can visualize my reaction to my first contact with it a year ago.

            The main problem with people that, like me, are switching hats all the time is that anything that takes more than 5 minutes to figure out goes into the mythical "training to-do" list. That is of course the list of all the crap you want to look into whenever you have some breathing room from the hat-switching.

            The other reason it is so easy to just take a look at Timbuk2 and push it
    • If you want to do SQL Server stuff on your Mac without paying a lot...

      This is your friend [macosguru.com]

      Works pretty nicely. I've stopped doing ASP/SQL server stuff now, but when I did... it was good.
  • I've said it before [slashdot.org]. It's coming....

Were there fewer fools, knaves would starve. - Anonymous

Working...