Allow option to disable "hardening" introduced in 4.3.14

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby poncho524 » 7. Aug 2014, 14:55

Perryg wrote: If you are a developer then you already know why the reason is not being published. Exploits are in the wild and no one wants to go there.

Just wanted to add a note about the philosophy of FOSS and security issues.

OpenSSL, which is all about security, is very open about what vulnerabilities they fix. Just take a look at some of their release notes.

I still don't understand why Oracle thinks it's fine to not mention fixed vulnerabilities in their release notes (as if VBox's security is more important than OpenSSL).

It would be great to let us know what was deemed fixed. Maybe someone in the SW devel community could do extra testing on it and offer even better fixes.
poncho524
 
Posts: 45
Joined: 5. Mar 2008, 17:38

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby Martin » 7. Aug 2014, 16:25

Is there a "SW devel community" for Virtualbox?
Over the last years I've only seen a few users trying to compile their own version, but no real indication that many developers outside Oracle were contributing.

From my point of view Virtualbox is a commercial application by Oracle where the "community" could use the source code if they wanted to.
Martin
Volunteer
 
Posts: 2340
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Linux, OS/2

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby therock247uk » 8. Aug 2014, 17:15

I don't see how one can sue you for damages relating to using free software heh, if people are using it for commercial purpose (and if something blew up and it kills really important data to the point where someone could be fired/hurt themselves) they should have their own version that has such hardening.
therock247uk
 
Posts: 10
Joined: 23. Jul 2012, 03:24

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby socratis » 9. Aug 2014, 13:18

therock247uk wrote: how one can sue you

You're not living in the US, are you? Or in Greece for that matter... [citation needed].
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
socratis
Site Moderator
 
Posts: 27690
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby VM2VM » 7. Sep 2014, 01:51

I am new to VB forums, but this is one of the first threads I've read. I must say that the discussion is rather interesting, and still appreciate what little feedback was given by the Mods.
VM2VM
 
Posts: 19
Joined: 7. Sep 2014, 01:26

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby MysteryGuy » 16. Oct 2014, 17:11

From a prior post:

> Are the developers going to have to explicitly white-list every single user request?

I was waiting for a 'fixed' version to appear, but I see that people still are having issues even in 4.3.18.

I would like to know if the current plan is that every 'incompatible' application's (SEP, etc.) module needs to be white-listed or if this is just supposed to work once all the bugs are ironed out.

If it turns out that every point upgrade of SEP, etc. breaks Virtualbox until a future version is released with the new signatures, then that seems like it will be a major pain...
MysteryGuy
 
Posts: 3
Joined: 26. Sep 2013, 22:01

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby Petr Vones » 19. Oct 2014, 13:34

Follow up of offtopic discussion (started by me) here https://forums.virtualbox.org/viewtopic.php?f=6&t=64111

poncho524 wrote: You could say something like:
(a) The vulnerability allows for arbitrary code to be run with privileges on the Host OS, given that the Host OS has already been compromised.
[or] (b) This could allow crossover from guest to host (if that's true, that would be a Big Deal)

This is still my only question. I fully understand why the details are not disclosed. But the basic resolution between the (a) and (b) case should be said. My understanding is that all of this is the (a) one. In this case it is up to user responsibility to keep his/her host system clean. There are Windows features like Software Restriction Policy that effectively prevent loading "bad" DLLs from unwanted locations (temp or documents folders) accessible for write under a non-administrator account at OS level (if someone lets his/her system be infected by malware under an administrator account, nothing can help there). Again, I cannot agree that there is something wrong with Windows API design related to loading DLLs as has been criticized in recent discussion.

socratis wrote: Just to add to what Perry said, imagine the two potential release notes:
- Fixed a vulnerability where a guest could gain administrator access to the host (CVE ###).

I am not sure that is the case due to the lack of information. Based on available information and current issues I tend (hope) to believe it is the (a) case.
Petr Vones
 
Posts: 61
Joined: 27. Dec 2012, 01:20
Location: Czech Republic
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby socratis » 19. Oct 2014, 14:53

I was just throwing a "For example..." on why they do not disclose the exact information on the nature of the vulnerability, or how to reproduce it. But I believe that michaln has already answered your question:
michaln wrote: The problem was, in a nutshell, privilege escalation on the host. In other words, trouble caused by a malicious user or malicious software running with user privileges.
socratis
Site Moderator
 
Posts: 27690
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby Petr Vones » 19. Oct 2014, 20:04

socratis wrote: But I believe that michaln has already answered your question:
Not exactly. We know the result but not its cause. It is still an open question whether it is (a) or (b) or a different case. There is a huge difference between the (a) and (b) impact. To say that in a simple way: (a) is user's fault, (b) is VirtualBox's fault.
Petr Vones
 
Posts: 61
Joined: 27. Dec 2012, 01:20
Location: Czech Republic
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby Perryg » 19. Oct 2014, 20:14

@ Petr Vones,

I can appreciate tenacity, but you are moving well beyond what is reasonably acceptable and into the realm of just being a pain. Please accept that you will never be told unless you buy out Oracle and drop the issue.
Perryg
Site Moderator
 
Posts: 34373
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby Petr Vones » 19. Oct 2014, 20:34

Perryg wrote: but you are moving well beyond what is reasonably acceptable and into the realm of just being a pain
It is not the first time I hear that :D Ok, you win.
Petr Vones
 
Posts: 61
Joined: 27. Dec 2012, 01:20
Location: Czech Republic
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby Petr Vones » 27. Nov 2014, 15:47

Petr Vones
 
Posts: 61
Joined: 27. Dec 2012, 01:20
Location: Czech Republic
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10 64-bit

Re: Allow option to disable "hardening" introduced in 4.3.14

Postby mpack » 27. Nov 2014, 16:12

I feel this topic has run its course, and become sterile. Locking it.
mpack
Site Moderator
 
Posts: 31415
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP
