2010
02.12

Ah, it takes a patch to find out who’s really thinking what :)  As you are now aware, Hyper-V had it’s very first (ever) security patch this week.  Not bad (typical Irish understatement) after a year and a half of being the most accessible hypervisor ever.  Just think of how many volume license, OEM, TechNet, MSDN, evaluation and pirated copies of Windows Server 2008 and Windows Server 2008 R2 must be out in the world, not to mention the free to download Hyper-V server, and that it can run on most hardware around in the last few years.  I’m betting people in parent’s basements were attempting to find vulnerabilities since the emergence of the first beta for Hyper-V, around 2 years ago.

And after all that time and opportunity, 1 security hole was found.  It isn’t even the dreaded “break out” where a VM is capable of reaching out and accessing the host and other VM’s.  No, it was a DOS attack where the hypervisor would shut down.  And you had to be logged into a VM on the host with admin rights!

I’ve noticed a lot of tweets in the last 48 hours of people writing with glee about a dreaded problem, implying that Hyper-V is inferior.  Oh, get over it!  I can think of another hypervisor from a certain company that has suffered from a break out attack.  Its patches are a complete OS upgrade and they break the host on a way too frequent basis.  So much so, in fact, that experts in that technology run 1 “service pack” behind the latest release to stay safe.

It’s a secure platform.  Think of all those attackers who hate Microsoft and have the chance to attack the most available hypervisor around and we get 1 patch in 2 years (since beta).  That’s unbelievable.  The basic architecture requirements (DEP) prevent buffer overrun attacks on the host from a VM.  The German government has certified it as being secure … trust me if you are unfamiliar with working in Germany … that doesn’t happen by accident.  Every piece of complex software has vulnerabilities and bugs.  If you didn’t learn that in programming classes in college then you need to ask for a refund.  The fact is that Hyper-V is so well designed and implemented that it’s taken quite some time for one to be found.  And Microsoft reacted perfectly about it.

So before you go running to the woods to get some kindling for the witch burning, sit back, breath into a brown paper bag and realise that this is not the end of the world for Microsoft virtualisation.  It’s actually not bad at all.  It was one small patch that was quick and easy to download and installed reliably. 

4 comments so far

Add Your Comment
  1. Hi Aidan, I totally agree with you about the fact that every platform has its problems and bugs, and I do agree that Microsoft are becoming better all the time with the response time and fixes for the problems found. I do feel that the reason that all the flak that is directed at Microsoft on this one is because they did, and still do the same thing in VMware’s direction.
    Concentrate on your own advantages, don’t emphasize how much and why you are better because the competition is (in Microsoft’s opinion) worse.

  2. Nice way of emphasizing the quality of the Microsoft hypervisor.
    I guess MS could use this single minor flaw as a marketing instrument :-)

    • If I was a marketing person or a DPE then I would actually spin it that way. It is something MS should be proud of and beating the drums on.

  3. Very impressive, one patch in almost two years. But it’s puzzling…

    In reality, there is no Hyper-V apart from Windows Server 2008. Any patch needed for Windows Server (Core if you prefer) is a patch for the virtualization platform, isn’t it?

    Eric (Disclosure: VMware employee)

Get Adobe Flash player