
VM escape vulnerabilities patched in VirtualBox - emptysands
https://www.techrepublic.com/article/10-new-vm-escape-vulnerabilities-discovered-in-virtualbox/
======
mirimir
The title should really say that they've been patched.

Edit: The first sentence:

> Oracle has released patches for ten vulnerabilities in VirtualBox which
> allow attackers to break out of guest operating systems and attack the host
> operating system that VirtualBox runs on.

And at [http://www.oracle.com/technetwork/security-
advisory/cpujan20...](http://www.oracle.com/technetwork/security-
advisory/cpujan2018-3236628.html#AppendixOVIR)

> Supported Versions Affected ... Prior to 5.1.32, Prior to 5.2.6

The current version being 5.2.6

[https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads)

~~~
dang
OK, we s/discovered/patched/ the title above. Since something can't be patched
before it is discovered this seems strictly more informative.

~~~
mirimir
Thanks. The article didn't say when the vulnerabilities were discovered.
Depending who discovered them, it could have been months or more. I brought it
up to clarify that these aren't unpatched vulnerabilities.

------
krylon
I am definitely not complaining, but I wonder why Oracle continues work on
VirtualBox at all?

When they acquired Sun, they seemed in a hurry to kill off all the other open
source projects Sun had been running.

Do they use it as the basis for their cloud-infrastructure[1] or what? I do
not see how VirtualBox generates any revenue for Oracle, and they have a
reputation for being very ... focussed when it comes to revenue.

[1] That seems pretty unlikely

~~~
userbinator
They have a closed-source "extension pack" with a bunch of quite useful and
even necessary features (e.g. USB 2.0) so that could be their revenue source,
but looking around it seems that others have been rather unsuccessful at
actually trying to pay for it --- the response Oracle has given them is "you
can use and redistribute it for free".

~~~
krylon
Huh. Next thing you know Microsoft is going to host all Windows and Office
development on public github repos, IBM begins lobbying against software
patents, and GNU/Hurd reaches 1.0... These are interesting times we live in
for sure.

~~~
TheSpiceIsLife
Tangential related, didn't I see recently that IBM has a patent on patent
trolling?

~~~
pgeorgi
Business methods and legal theories are exempt from patents, but OTOH, so was
software once upon a time.

~~~
SAI_Peregrinus
Business method patents are certainly a thing.

------
snowpanda
What is the alternative to using Virtualbox besides buying a separate
computer? I'm assuming there's more vulnerabilities to be found.

~~~
krylon
On Linux, qemu/kvm works well enough for most purposes, on FreeBSD you have
bhyve. OpenBSD's vmm is a thing, but I do not know if it can host other
systems than OpenBSD, yet.

On Windows, there is Hyper-V. I have only very little experience with it, but
in my short time, I did not encounter anything I would like to complain about.
I am not sure, however, if it comes with the client editions of Windows.
Microsoft Virtual PC still exists, too.

Xen is also a thing - run Dom0 as your desktop system, and run the VMs in the
background.

None of this is perfect, but if you need them, there are alternatives.

~~~
bdcravens
> Microsoft Virtual PC still exists

Not updated in almost 10 years, not supported on Windows 8 or 10.

~~~
Splines
I'm pretty sure the Virtual PC product went on to become Hyper-V.

~~~
emptysands
Some of the Xen technology went into Hyper-V. Microsoft had a partnership with
the Cambridge labs.

------
omgbananas
Do any of these affect the host when it's Linux?

I run several VMs at the same time, occasionally one will freeze. I think it's
just the video/display that freezes while the browser/whatever in the guest VM
still operates normally.

~~~
emptysands
[https://blogs.securiteam.com/index.php/archives/3649](https://blogs.securiteam.com/index.php/archives/3649)

"The vulnerabilities found in the core graphics framework (VBVA subcomponent)
and affect all host operating systems."

