It has already been discussed and conveniently moderated how pointless it is for VirtualBox to try to dictate what to do in an infected system. It's simply counterproductive sacrificing security and usability for something like that. VirtualBox already does a great job keeping things from getting out, but host security should be left to the system and user.

michaln wrote:
Well, if others insist on creating security holes, that's one thing, but we can't tolerate it, sorry. If the DLL can't be signed, we can't have it in the VM process. If it's not worth signing, it's probably not worth running anyway.

CaptainFlint wrote:
I have FlashFolder on my computer installed. This is a free (open source, actually) software, its injection DLL is located in its installation directory, and I strongly suspect that its author does not intend to spend money on buying a valid signature. At least, if I were him I wouldn't.

I hope you will at least agree that injecting random code into random processes is, in fact, a giant security hole. It's a 1980s design done in a very different world.
What is VirtualBox trying to protect anyways? We're not running hypervisors where the guest may be more important than the host which is bare-metal so you shouldn't have to worry about DLL injections in the first place. I'm absolutely certain that this hardening will only cost Oracle users in real-world situations.