Microsoft Security Bulletin MS04-005
Vulnerability in Virtual PC for Mac could lead to privilege elevation (835150)
Issued: February 10, 2004
Who should read this document: Customers who are using Microsoft® Virtual PC for Mac
Impact of vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Recommendation: Customers should install this security update at the earliest opportunity
Security Update Replacement: None
Tested Software and Security Update Download Locations:
Microsoft Virtual PC for Mac version 6.0 - Download the update
Microsoft Virtual PC for Mac version 6.01 - Download the update
Microsoft Virtual PC for Mac version 6.02 - Download the update
Microsoft Virtual PC for Mac version 6.1 - Download the update
Non Affected Software:
The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.
A security vulnerability exists in Microsoft Virtual PC for Mac. The vulnerability exists because of the method by which Virtual PC for Mac creates a temporary file when you run Virtual PC for Mac. An attacker could exploit this vulnerability by inserting malicious code into the file, which could cause the code to be run with system privileges. This could give the attacker complete control over the system.
To exploit this vulnerability, an attacker would have to already have a valid logon account on the local system, or the attacker would already have to have access to a valid logon account.
An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited remotely without a valid user account.
Systems that are secured by using best practices are at reduced risk from this vulnerability. Standard best practices recommend only allowing trusted users to log on to systems interactively.
Microsoft Virtual PC for the Macintosh (all supported versions): Important
The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2004-0115
Frequently Asked Questions
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability on the Macintosh platform could gain complete control over the system. This would give the attacker the ability to take any action that they want on a system such as adding, deleting, or modifying data. It could also give the attacker the ability to delete or to create user accounts with root access.
The vulnerability could only be exploited by an attacker who has credentials to log on to the computer interactively. Since restricted users are not normally permitted to log on to mission-critical servers, this vulnerability is primarily of concern on workstations or other multi-user computers.
What causes the vulnerability?
A vulnerability results because of the method by which Virtual PC for Mac uses a specific temporary file during execution. The method used to treat the log file does not correctly validate the contents within the file.
What is Virtual PC for Mac?
Microsoft Virtual PC for Mac version 6.1 allows users to run Microsoft Windows® applications on the Macintosh platform. Virtual PC for Mac version 6.1 marks the first release of the product since Microsoft acquired it from Connectix in February, 2003.
Can I install the update if I am running a previous version of Virtual PC for Mac?
Yes - this update will bring the version of Virtual PC for Mac to version 6.1.1. It is supported for Virtual PC 6.0, 6.01, 6.02, and 6.1. Updating to Virtual PC for Mac version 6.1.1 will help protect users from this vulnerability as well as enable users of Connectix Virtual PC for Mac to transition product support to Microsoft.
What is wrong with the way that Microsoft Virtual PC for Mac handles temporary files?
The vulnerability lies in the way that a temporary file is created when Microsoft Virtual PC is running. It could be possible for an attacker to insert code in such a way that Virtual PC will run the code at system level privileges.
Why does this pose a security vulnerability?
The vulnerability could provide a way for a process to cause Virtual PC to run arbitrary code on the Macintosh.
What might an attacker use the vulnerability to do?
To exploit this vulnerability, an attacker would have to start Virtual PC for Mac and then run a specially-designed program that could exploit the vulnerability by accessing the temporary file in a specific way. This vulnerability could then allow an attacker to gain complete control over the system.
Who could exploit the vulnerability?
A user with a valid user account on the system could seek to exploit the vulnerability.
Which systems are primarily at risk from the vulnerability?
Workstations and multi-user systems are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing these types of credentials.
Could this vulnerability be anonymously exploited over the Internet?
No. The attacker must be able to log on to the specific system that they want to attack. The attacker cannot load and run a malicious program remotely without already having access to an account on the remote computer.
What does the update do?
The update addresses the vulnerability by changing the way that Virtual PC for Mac uses the temporary file.
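The bulletin does not say how the update changed temporary-file handling. As a general illustration of the defensive pattern for this class of bug (an added example, not Microsoft's code; the function names and the /tmp/demo path are hypothetical), a privileged POSIX program can create its temporary file atomically and check ownership and permissions before trusting a file it re-opens:

```c
#define _POSIX_C_SOURCE 200809L  /* mkstemp(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh file atomically: mkstemp() uses O_CREAT|O_EXCL, so a file
 * or symlink planted in advance under that name is never reused. */
int create_private_tmp(char *tmpl)   /* tmpl must end in "XXXXXX" */
{
    mode_t old = umask(077);         /* owner-only, even on old libcs */
    int fd = mkstemp(tmpl);
    umask(old);
    return fd;
}

/* Re-open an existing temp file only if it is a regular file (not a
 * symlink), owned by expected_owner, has one hard link, and is not
 * writable by group or others. Returns a descriptor, or -1. */
int open_trusted_tmp(const char *path, uid_t expected_owner)
{
    struct stat st;
    /* O_NONBLOCK: never hang on a FIFO placed at this path */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so check and use cannot race */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || st.st_nlink != 1 ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[] = "/tmp/demo.XXXXXX";   /* constructed sample path */
    int fd = create_private_tmp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);
    fd = open_trusted_tmp(path, getuid());
    printf("private file accepted: %s\n", fd >= 0 ? "yes" : "no");
    if (fd >= 0) close(fd);
    unlink(path);
    return 0;
}
```

Checking the file's properties does not validate its contents; data read from a temporary file should still be parsed as untrusted input and never executed.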
Security Update Information
Installation Platforms and Prerequisites:
For information about the specific security update for your platform, click the appropriate link:
Virtual PC for the Macintosh (all supported versions)
This security update requires Virtual PC for Mac Versions 6.0, 6.01, 6.02, or 6.1 to be installed.
This update does not require you to restart your computer.
This update cannot be uninstalled.
Verifying Update Installation
To verify that a security update is installed on an affected system, please perform the following steps:
Navigate to the Application Binary (Applications/Virtual PC).
Click on the application.
Select File then Get Info
If the Version number reads 6.1.1, the update has been successfully installed.
Microsoft thanks the following for working with us to help protect customers:
George Gal of @stake for reporting the issue in MS04-005.
Obtaining other security updates:
Updates for other security issues are available from the following locations:
Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Additional Macintosh downloads can be found at the Microsoft Mactopia website.
Updates for consumer platforms are available from the WindowsUpdate Web site.
Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.
Security Resources for Windows:
The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
V1.0 February 10, 2004: Bulletin published