October 24, 2016

How do you pwn all your users at once? You suggest they upgrade, then laugh at them!

So suppose you are running some virtual machines in Oracle's VirtualBox. And suppose you are on version 4.3.x. And one day VirtualBox pops up a dialog that tersely informs you that a new version is available and you should upgrade.

And you do!

And once you do, you are no longer able to start any machines. None at all. They all just display a highly technical message box that says nothing more than something like "Error code 1, unable to start VM".

And only after trying just about anything in the universe and downgrading all the way back to the old version do you realize that it works. Get it? New version does not work, old version works. So where would any reasonable person go in this predicament? To the manufacturer's web site, of course! www.virtualbox.org

And over there, deep in the forum threads about the countless bugs that users created, you will find a mention of "hardening". What is that and why did it whack you over the head?

Oracle:

Back around 4.3.12, someone found out that, because Virtualbox digs so deep into the host OS to allow guest OSs to run nicely, that on Windows hosts, malware could inject itself into the Virtualbox process and get higher privileges to run on the host OS than the malware could normally get and do more damage. It took some time for the developers to figure out what to do, but they finally settled on using the authenticity certificates Windows uses to check that files haven't been hacked. If all the program files on the Windows host are authenticated, Virtualbox will run. If there is one not authenticated because it has been hacked or because the authenticity certificate database hasn't been updated, then Virtualbox won't run. Theory is that since malware is very likely not authenticated by Windows, the malware won't be able to get in.

Theme hacks aren't usually signed, so Virtualbox won't run with them. Some Antivirus and video-card companies didn't sign their programs either, and when they did start signing, the problem went away. Some Microsoft updates did not update the certificate database for the new files, and triggered the problem. In all cases the issue is because the program that wants to inject into Virtualbox isn't signed right. Get the folks who make the program to sign the files right and Virtualbox will run.

Get it? If any driver that VirtualBox uses is not digitally signed by the vendor, VirtualBox will not allow you to start a virtual machine. It gives shit about you, it's for your own good! Just for you to be safe and sound, it will not allow you to start any of your VMs, but it will not tell you why. You will have to figure that one out yourself.

And read the above quote once again. It is a lie! The quote above states that "If there is one not authenticated because it has been hacked or because the authenticity certificate database hasn't been updated, then Virtualbox won't run." In reality, VirtualBox runs, but it does not allow starting any machines and does not state the reason. This is how Oracle spins its bugs as "benefits".
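
The quoted post blames a module that "isn't signed right", while the error box never names it. As an added example (not from the original post or from Oracle), this PowerShell script lists the modules loaded in a host process whose Authenticode signature Windows does not report as valid. The function name and the default process `explorer` are assumptions, and the script relies on Windows' own signature verification, not VirtualBox's internal check.

```powershell
# Added example: approximates the "is every loaded file authenticated?" check
# described in the quote, using Windows' Authenticode verification.
param(
    # Assumption: a process that theme tools, antivirus and GPU utilities
    # commonly load their DLLs into. Pass another name to inspect it instead.
    [string]$ProcessName = 'explorer'
)

function Get-UnverifiedModule {
    param([Parameter(Mandatory)][string]$Name)

    # Collect the on-disk path of every module loaded in the matching processes.
    $paths = Get-Process -Name $Name -ErrorAction Stop |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.FileName } |
        Select-Object -ExpandProperty FileName -Unique

    foreach ($path in $paths) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...)
        # is a candidate for the file the quote says is not "signed right".
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject   # empty when unsigned
                Detail = $sig.StatusMessage
            }
        }
    }
}

Get-UnverifiedModule -Name $ProcessName |
    Sort-Object Status, Path |
    Format-Table -AutoSize -Wrap
```

Run it from a 64-bit PowerShell session as the same user who starts the VMs. Some system files are signed through a catalog rather than an embedded signature, and older PowerShell versions may report those as NotSigned.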

Posted by: LinuxLies at 06:57 PM