Return to

Chinese security specialists p0wn Windows host running VMWare fron Windows guest



Using a javascript bug in Windows Edge Browser, then a kernel bug in Windows 10, a Chinese Security Specialist team has been able to escape the Windows 10 guest running in a VMWare Workstation hypervisor on a Windows 10 host system, and take over the host operating system, merely by visiting a prepared website...

It doesn't work on a linux host, nor on the linux-based bare-metal hypervisors VMWare offers.

On the one hand, it's reassuring that security specialists outside of the US understand Windows better than Microsoft itself apparently 5but that has been proven in Europe in the late 1990's already when Microsoft didn't even know of the existence of the NSA keys they just took over from OS/2, and they still haven't been able to fix these), but on the other hand, it's once again flabbergasting with what degree of nonchalance Microsoft approaches software quality, even if they willfully insert backdoors in their software to serve their masters.

It doesn't come as a surprise that Windows 10 is super badly maintained. There are no real developers working on it, it doesn't get patched even with 0-days documented and out in the open for months, Microsoft continues to miss patch days because they simply can't manage... Microsoft thinks that software problems can be solved with legal teams, enforcers and lobbyists... but I think the end of that is very near, because it's surpassed even the most far-fetched thresholds of reason... Microsoft claims that Windows 10, starting from version 1607, is not an operating system any more, but a "service" that users use solely at their own risk and prejudice, but will that ever stand up in court... it has a kernel, it has an operating environment... yep, it's an operating system lol... it really is time for a major liability case against Microsoft, they really should reconsider what they are doing, and be forced to hire developers again and make a decent product that doesn't equate to criminal negligence and massive human rights violations. Luckily the Chinese can't be shut up by Microsoft, and occasionally come out to demonstrate a small part of the tip of the iceberg, even if that costs 105kUSD...


Well, piling on M$ misery there is also this:

If more modern games follow this trend and DX12 becomes obsolete, then M$ will most definitely loose the last strong compelling argument for gaming/graphic development on windows.


Good news all around, as it must be hammered into to their CEO's heads that it can't pay off to cut down quality control in the long run. There will be no change until it hurts.


The thing is, cutting down quality is part of their business module. Planed obsolescence is how they push their newest money grabbing scheme. Now that open source is catching up to them on the graphics front, they will be forced to change their approach...or maybe just buy out companies to use DX12...i have a feeling the later is the one they will go on.


Starting over 5 years ago I used to be friends with a Microsoft developer and he told me they're basically just dropping everyone.

Any critical code writing or management was dropped after working on win 10. I'd be interested to see the payroll list of people before and after finishing win 10

Around the time he told me that a bunch of YouTube and blog people that worked in MS came out and said they're laying off by the hundreds.


And they outright closed their security research center.

I think they want to phase out their operating systems and go leach on open source operating environments to sell their cloud and office application products.

Microsoft at this point is a real estate asset management company for Gates' estate that is focused on exploiting political corruption and social dumping practices to finance asset acquisition with subsidies and government contracts executed by exploited subcontractors.


Yeah they're definitely trying with their new version of "games for Windows live" program. Fortunately so far it has garnered quite a bit of bad press. As long as they keep fumbling...


That's what AT&T is doing now. We're just finding out the reason they bought DirectTV is so they can fire all of us who have been through 40 years of contract negotiation's to where we're protected. Then go and rehire and start the same positions under DirectTV title for less pay more hours and worse conditions.

Also they're contracting out literally all of our support and development teams to India or software companies.

Amazon was the first one to publicly come and say their goal is have minimal employees and whatever else they need contract it


All Linux distros have to do now is simplify the download process.
Microsoft will do the rest for them. lol


Wow, all I can think about are the countless windows servers running on hyper-v.

At one point our company was going to use virtual clients in windows haha.


I am not even a LITTLE bit surprised.

I wonder when higher placed MS butt-buddies in governments FINALLY go with pension and suchlike institutions go to other OS-es.

And... please not again one of those libre office Linux projects SET UP BY so called Microsoft specialists. You KNOW they will sabotage it either conscious or subconsciously.

Also... seems quite a few of those projects failed because people who have to work with such systems complain about incompatibility with windows. Uhhh... its NOT windows.. we just put that out of the door.

Tight... very tight reply! ;-)


There is an evolution though. People adapt. They go along with the corruption up to the point where they still fringe benefit from it, which is the case for quite a number of companies.

Example: a company needed a number of Windows 10 machines for CeBIT, which is happening right now and kind of a big deal. They bought all new hardware without storage, SSD's to go, and OEM DVD's (yeah, right, lol) of Windows 10 for those machines, as proposed by the Microsoft Certified Outlet of their choice, because assembling the machines themselves makes them eligible for OEM licenses, which are only 80 EUR.

Of course the Microsoft Certified Outpost didn't get the memo somewhere, because it wouldn't work. No problem said the good people of the Microsoft Certified Outcasts, we'll contact Microsoft to set things straight. So 10 days later, 24 hours before CeBIT, a staff member of mine gets contacted by this company, which still doesn't have a solution. So he rushes over with another staff member of mine to see what he can do. He also calls Microsoft, but to no avail (also, can somebody please explain why the Microsoft support staff in India quits after 8 pm Central European Time, wow they must have a fucked up sleep schedule over there lol)... so they just install OpenSuSE on all machines in literalls 11 minutes, and deploy Windows 10 installs in kvm containers on those machines in another 42 minutes, and all machines register no problem and the company is super happy because Windows runs much faster in a kvm box than on bare metal lol.

The entire system of Windows implementation is broken, every single facet of it is broken, it's just thoroughly dysfunctional beyond salvation. I understand that people don't want to deal with software and just want to run a boxed product without choice or options, as long as it gets the job done, but that's just it, it doesn't get the job done. There is only prejudice at this point. It's beyond ridiculous. Now get this: the Microsoft Certified Outhouse that couldn't solve the mystery of their own purpose in life, charged that company a hefty 4 figure amount for doing nothing but screwing up... whereas my colleagues got to solve everything for 225 EUR plus 40 kilometer transit charge and where out of there in less than 2 hours. I can assure you that that company has learned a valuable lesson they will not forget, unlike Microsoft or their Microsoft Certified Outages.


Reading through all the comments once agin proves that Microsoft is not a software/development company; it's an extremist capitalism corporation with no other interest than to make maximum profit. They don't care about providing a good service nor their employees.
MS is simply incapable and incompetent of developing or maintaining anything themselves, all they do is buy out competition , and not even competition - just random companies, and either destroy or kill the project, and apparently they can't even maintain their baby Windows properly lmao.


Why so much anxiety regarding this issue? Everyone says "imagine you're a service provider". OK. If I were a hosting service provider, I would never use Windows 10 as a host system. I wouldn't use Vmware Workstation as a hypervisor. Most likely, I wouldn't even use a hosted hypervisor at all.
And everyone is pissed at M$? Why? Because Vmware didn't do its job isolating guest from host?


Constructive criticism is constructive.



There are a couple of oddities in this conversation.

  1. If you are able to escape VMare's sandbox from guest to host then it seems to me that there is a problem with VMWare.

  2. That all operating systems have bugs and misconfigurations is the normal state of things.

  3. That VMWare Workstation is not a type 1 hypervisor has been stated already but is important in terms of reasonable expectations. Will it be generally secure? Yes. Will it be fully secure? Almost assuredly not.

  4. Type 1 hypervisors have provided strong separation of concerns for quite a long time and appear to have the ability to continue to do so.

The idea that poor or great operating system development will remove all leverageable bugs is unreasonable so in practice whether Microsoft has laid off folk doesn't have much to do with the underlying issues.

The lack of discussion that VMWare Workstation is primarily the responsible party for ensuring that there is an appropriate separation of concerns is a bit odd.

And finally, the idea that a HyperVisor hosted within any operating system will provide strong security, as opposed to the high convenience, and practical utility in development (not production) environments that they provide is generally bad thinking.


It looks more like an edge browser issue to me. More likely that this has been a known issue and never been patched due to someone like the NSA keeping it in use. who knows though could just be my inner skeptic.


To what end? Why would the NSA have need to spy on the 7 people who actually use edge😉

The argument, like the hack is mostly theoretical - in the real world this is just a desktop OS and a desktop hyper visor. Interesting hack but unlikely to be of use, so just a showcase of the hackers skills and Microsoft and VMwares need to keep on top of bug fixing.


Actually, I don't quite agree with that. The main problem here is edge and a windows kernel bug. Both of these are unpatched as of now. The second problem is that the VMWare vulnerability is only possible on a Windows host system, and that VMWare can't just patch that problem because it needs Microsoft to solve it.
And that's the main problem. Bugs and vulnerabilities happen in any and all software, regardless. In a modern world, it's all about response time, about patching before it becomes a real problem.

This is a very serious vulnerability that poses a real threat in many enterprise environments, because there is a transitional solution that many growing SME's use that does just this kind of thing, they are upgrading their infrastructure in phases, and are starting with running virtual environments on VMWare Workstation on Windows hosts while upgrading to ESXi environments.

Now patchday was a good week ago, no patch will be issued against this for at least another three weeks, IF Microsoft makes the deadline of April patch Tuesday, which is not very likely, and if they don't, chances are that they'll just skip the month, like they just did with February Patch Tuesday, even though that had to fix some very serious documented and published vulnerabilities. Then when March Patch Tuesday came, many machines choked on the patch and required reinstall and manual updating, exposing the systems even further and for a longer period.

This is exactly the kind of problems people run Windows in virtual environments for. They want to limit the damage, not if, but when something bad happens. It's pretty clear that virtualisation on Windows is not a solution for any problem. Oh and there will be vulnerabilities on open source platforms, some undiscovered for a long time, but one thing is for sure, when a vulnerability is discovered, it's always patched within hours of discovery, and always before publication, even if there is no money in it for security specialists, just because those specialists need their tools, and the tools they use are open source. That is the quality difference.