Microsoft Security Bulletin MS07-049


So this came out while I was on holiday - but I just thought I would pause to highlight this:

Microsoft Security Bulletin MS07-049 - Important

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

Executive Summary

This important security update resolves one privately reported vulnerability. This is an elevation of privilege vulnerability. The vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating systems. Only guest operating system users who are granted administrative permissions to the guest operating system would be able to exploit this vulnerability. Guest operating system users not granted administrative permissions to the guest operating system would be unable to exploit this vulnerability.

Some key points here are:

Cheers,
Ben

  • > You can download this fix from

    > http://www.microsoft.com/technet/security/Bulletin/MS07-049.mspx

    I cannot find download links in that article.  The things I can find include this statement:

    *  Security updates are available from Microsoft Update, Windows Update, and Office Update

    and information about files and registry keys.

    By looking at properties of those files, contents of those registry keys, and the control panel applet for add/remove programs, it seems pretty well confirmed that I didn't get this update.  Just now I tried Windows Update again and it didn't offer this update.

    I seem to have Virtual Server 2005 R2 without SP1, and Virtual PC 2004 SP1, so I need this update twice, right?  But Windows Update isn't offering it.

    (By now it's probably easier to install newer products instead.  Also the newer products are priced right for bug fixes so I can't really complain, but I'll still report.)

  • security update comes regularly, but too many

  • I'm using VPC 2004 SP1 on Windows 2000 SP4 and this update is not detected by Microsoft Update or MBSA 2.0.1.

    I have checked virtual pc.exe version, Installer registry keys and Microsoft Update history none of which have any sign that I'm patched.

  • Norman -

    Click on the links in the "Affected Software" table.

    Adam -

    Yes, you have to download this manually.

    Cheers,

    Ben

  • > Click on the links in the "Affected Software" table.

    You're right.  The left-hand column is a list of names of products, and the links don't point to the home pages of those products, the links point to patches.  Now that's stealth.  Security through obscurity.  But you're right, it's there, for anyone who gets told where to look for it.  Thank you.

  • Oops.  I downloaded this:

    http://www.microsoft.com/downloads/details.aspx?displaylang=ja&FamilyID=2bda2b8b-9c1c-4bf8-9a65-491092276e7a

    It gives this error message:

    ---------------------------

    Virtual PC 2004 SP1

    ---------------------------

    指定されたファイルが見つかりません。

    Rough translation:  The specified file is not found.

    Virtual PC's version information says 5.3.582.45, Copyright (C) 2003 Microsoft Corporation.

    The Control Panel applet to add and remove programs says that Microsoft Virtual PC 2004 Service Pack 1 is installed, last used on 2004/10/14.  Teehee.  I used it about 30 seconds ago in order to get the information that I typed into the above paragraph.

  • Have VPC 2004 SP1 from MSDN installed.  This required update was not detected by Microsoft Update or MBSA 2.01 or by the standalone enterprise scan tool.  Downloaded update from MS manually and attempted install numerous times all of which failed with "file not found" or "there are no more files" error messages.  I'm stumped.

  • OK, I understand it now.

    Numerous times, Microsoft has told me that MSDN-English versions of Microsoft products differ vastly from the versions that are distributed in North America, therefore I should pay a support fee to Microsoft Japan in order to report a bug in an English-language page in http://msdn.microsoft.com/library or an English language product.

    I have not met anyone outside of Microsoft who believed that MSDN-English versions of Microsoft products differ vastly from the versions that are distributed in North America.

    But now, I understand.  Now I believe it.

    For Eric Berger, the MSDN-English version of Virtual PC 2004 SP1 differs vastly from the version distributed in North America, so Mr. Berger should pay a support fee to Microsoft Japan.  For me, the MSDN-Japanese version of Virtual PC 2004 SP1 differs vastly from the version distributed in Japan, so I should pay a support fee to Microsoft North America.  (Had I been using the MSDN-English version then I should pay a support fee to Microsoft Japan, so here I'm drawing some inferences from Microsoft's logic.)

    And the security patch knows it.

    I don't think this is Mr. Armstrong's fault, but Microsoft can still find ways to amaze.

  • My issue is a technical problem updating software, not a reflection of my views on MS software licensing.  I'm not interested in a licensing flame war, I'm only seeking technical assistance.  'Nuff said.

  • In this entire thread, the only mention of licensing that I see is in Eric Berger's posting Wednesday, September 05, 2007 8:22 AM.

    My problem and Mr. Berger's problem are the same at one level (MSDN versions really do differ from ordinary distributed versions and now I believe Microsoft's statement about it).  Our problems are complementary at a different level (different language versions so Microsoft's demands for oddly directed support incidents would cross the ocean in opposite directions).

    Anyway we both see that technically MSDN versions really are different from ordinary distributed versions.

    This is bad news for developers, because for example, testing that our program works in MSDN-English XP gives us no idea of whether our program works in ordinary English XP.

  • I have a question which is related to security, but not really related to this specific post. I was wondering if someone could answer this question.

    Other than when specific threats such as this emerge, why does ISA Server Best Practices Analyzer issue a warning if it detects that it is running under Virtual Server? I mean, if the ISA Server VM has its own network interface, and that only has Virtual Machine Network Services enabled (no TCP/IP, etc.), what is the issue which must obviously be escaping me?

    Thank you!
