Does this vulnerability affect VirtualBox?

Posted: 16. Jun 2012, 17:23
by DNS
Hi, I came across an advisory for a privilege escalation vuln that is related to how 64-bit Intel chips handle stack frames. Can a dev please comment on whether this affects VirtualBox or not?

Please check out the details here:
http://www.kb.cert.org/vuls/id/649219

According to the product listing Xen is affected - but it's a paravirtualizer so things may very well be different for full virtualizers. Also Oracle Corp. is listed as one of the informed parties but it doesn't exactly state which products are affected; maybe just the Xen-based Oracle VM?

Re: Does this vulnerability affect VirtualBox?

Posted: 16. Jun 2012, 17:29
by Perryg
As you said, VirtualBox is not Xen, but regardless you probably will not hear about it here. Security issues are treated in secret and Oracle prevents anyone from talking about them in public. I am certain that the DEVs are fully aware of the notice.

Re: Does this vulnerability affect VirtualBox?

Posted: 17. Jun 2012, 00:26
by DNS
Does that mean they will never list it as fixed even after a patch is issued?

Re: Does this vulnerability affect VirtualBox?

Posted: 17. Jun 2012, 00:37
by Perryg
If it is deemed to be an issue and you are subscribed to Oracle security update notifications, or you check them regularly, you will see if and when there is an update, should it apply.

Re: Does this vulnerability affect VirtualBox?

Posted: 17. Jun 2012, 13:34
by michaln
Without making any official statement, I would suggest reviewing the VMware response to this issue, considering the differences between Xen and VMware/VirtualBox, and extrapolating from there.

Re: Does this vulnerability affect VirtualBox?

Posted: 17. Jun 2012, 15:23
by DNS
Thanks for the heads up Michal :)

Re: Does this vulnerability affect VirtualBox?

Posted: 25. Jun 2012, 13:11
by Technologov
Considering this is an Intel CPU bug, I expect Intel to fix it in a firmware or BIOS update.