New Vulnerabilities Shake Security Complacency


Just when you thought you could assume a certain level of protection--or insulation from threats--from supposedly attack-resistant technology, think again. New discoveries are showing that virtualization and encryption aren't immune to the ills of the Internet.

Researchers at Core Security, a firm specializing in automated penetration testing tools, discovered a flaw in the "shared folders" feature of VMware's desktop virtualization applications. The feature, enabled by default, lets malicious code or hackers operating inside the virtual environment escape to the host operating system and compromise it and its attached network. The flaw doesn't exist in the network server or storage applications.

Last week also saw the release of a paper on how to extract keys from software-based encryption applications. This means attackers can circumvent the seemingly strong protection afforded by even the most complex algorithms. Hardware-based encryption solutions are unaffected.

Neither of these vulnerabilities is trivial, and neither has been exploited. However, they are shaking the assumption of the security of some technologies. And if anyone is surprised by these revelations, they needed their complacency shaken.

Virtualization was thought to be immune from exploitation since the operating environment is physically separated. Malware researchers use virtualized desktops to sandbox their study of new viruses and worms. And some users believe they're protected from Internet threats because they surf through their virtual bubble. But the reality of the VMware shared folders vulnerability shatters that sense of invincibility.

"There is an assumption that using a virtualized operating system, that you're imposing some sort of isolation. That's an assumption when virtualization is adopted and security is discussed. However, it's software, it's not magic and is prone to implementation errors," says Ivan Arce, chief technology officer at Core Security.

The same perception holds true for encryption. First, 40-bit DES was cracked a few years ago by commodity PCs, rendering the standard virtually useless for commercial users. The 128- and 256-bit Advanced Encryption Standard was supposed to resolve encryption needs for the foreseeable future. The general assumption is that encryption--especially algorithms that use large keys--would take thousands of years to crack with a brute-force attack.

The discovery that reducing the temperature of DRAM chips can expose the encryption keys held in memory allows hackers to retrieve the keys used by software-based encryption. This means that everything from file-based encryption to VPN tunnels can be compromised without having to crack the algorithm.

"This really isn't a surprise," says Steven Sprague, CEO of Wave Systems. "It's software security. Anytime you put secrets into RAM, you can pause the machine and get the secrets."

Sprague is right. None of this should be a surprise. Security gurus often preach that there is no such thing as absolute security and nothing is invincible. Nevertheless, practitioners--and vendors--often promote technologies such as encryption and virtualization as "unbreakable" or more resistant to attacks than more conventional technologies. These new vulnerabilities should shake our confidence and remind us never to get complacent.