Windows Vista Virtualization Limitations

Microsoft limits the integration of virtualization technology and its latest operating system due to security concerns. Only Windows Vista Business, Enterprise and Ultimate can function as both guest and host operating system, the use of Home Basic and Home Premium editions with hardware emulating technology being expressly forbidden in the operating system's EULA. Otherwise, Microsoft has taken no actual steps to limit the implementation of hypervisors in or with any of the editions of Vista. Still, Microsoft's August 2007 Security Bulletins release offered an insight into why the company has ostracized Home Basic and Home Premium when it comes down to virtualization.

Microsoft Security Bulletin MS07-049 made available in mid August, and rated with a severity rating of important as it allow for elevation of privileges, is designed to patch a vulnerability in Virtual PC 2004, in Virtual Server 2005 and in Virtual PC for Mac. A successful exploit of the vulnerability could have resulted in the complete takeover of the host operating system by running code in the guest platform.

"An attacker with administrator permissions to the guest operating system, could exploit the vulnerability by running specially crafted code on the guest operating system. This could result in a heap overflow on the host or other guest operating systems. An attacker who successfully exploited this vulnerability could take complete control of an affected system", Microsoft informed in the release.

"If an attacker can get malicious code running inside the guest operating system, there was potential to "break out" and run code on the host OS. We stated in the bulletin that malicious code that runs inside a virtual machine can take complete control of the host system and that's true. "Virtual Server" is the affected service in the case of a Virtual Server 2005 compromise. This service runs in the security context NetworkService. Anytime malicious code runs on your system, it is bad news, but it is pretty hard to escalate from NetworkService to LocalSystem when you're running with fully-updated Windows Server 2003," revealed a member of the Microsoft Security Response Center.

Virtual PC is less exposed to attacks in case the tool is run with non-administrative privileges. The impact of the virtualization class of vulnerabilities is reduced when the application functions with standard user privileges.