Microsoft Announces Critical Security Flaw in Hyper-V

When Microsoft announced the latest round of security fixes, one very important flaw was among them. The flaw exists in Hyper-V and is rated as critical. In Microsoft's words, "The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V." Worse, the bar for exploitation is only guest-level access: "An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability." At the time of Microsoft's announcement, no mitigating factors were identified and no workarounds were published. A patch is available, and it requires a reboot. The vulnerability affects Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2.

So let's look at that for a moment. A host OS could be compromised from a guest. This is definitely worst-case-scenario territory for anyone who hosts a virtual infrastructure. If you run Hyper-V, you should patch immediately, as that appears to be the only way to correct the issue.

What surprises and disappoints me is the lack of press this flaw has received. It's possible that this flaw could cause a lot of disruption. In IT, we often talk about our ability to host Coke and Pepsi on the same server because the hypervisor is a protective layer. This vulnerability strikes at the heart of that belief. If the hypervisor can be compromised from a compromised guest virtual machine, then the whole idea of hosting multiple virtual machines, each insulated from the others, takes a credibility hit.

To their credit, Microsoft has acted quickly and released a fix. Again, I urge anyone running the product to deploy the patch quickly. No product is perfect, and every hypervisor vendor has issued security alerts.

Microsoft's official post is at https://technet.microsoft.com/library/security/MS15-068.

Applicable CVE numbers are CVE-2015-2361 and CVE-2015-2362.