Microsoft has released a security update for supported releases of Microsoft Virtual PC 2004, Microsoft Virtual Server 2005, Microsoft Virtual Server 2005 R2, Microsoft Virtual PC for Mac Version 6.1, and Microsoft Virtual PC for Mac Version 7 that are affected by this vulnerability.
Microsoft recommends that customers apply the update at the earliest opportunity
Versions that are not affected by this vulnerability: Microsoft Virtual PC 2007 and Microsoft Virtual Server 2005 R2 SP1
The vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating systems. Only guest operating system users who are granted administrative permissions to the guest operating system would be able to exploit this vulnerability. Guest operating system users not granted administrative permissions to the guest operating system would be unable to exploit this vulnerability.
The security updates for all affected versions of Virtual PC and Virtual Server can be found here.
Known Issues with the updates:
Known issues with this security update
• If the you install the 64-bit version of update 937986 on a 32-bit operating system, the installation fails. This issue occurs because the Advpack.dll file experiences an error when creating the process for the update. You receive a warning dialog box that states that the update did not install.
• When the update 937986 is applied on a remote machine by using Terminal Services, the update does not replace the vulnerable files if the /console option is not used. To avoid this issue, you must use the /console option as shown in this example:
mstsc /console /v:<machine name>
• This update is not supported in Windows Vista. If your computer is running Windows Vista, we recommended that you use either Virtual PC 2007 or Virtual Server 2005 R2 SP1 depending on your requirements. Neither of these two applications has the vulnerability described in Microsoft Knowledge Base article 937986.
Recent Comments