IBM: Flaws underscore virtualization risks
Researchers have focused on finding vulnerabilities in virtualization software, undermining much of the promised security of such systems, stated one security professional on Friday.
A survey of the vulnerabilities publicly disclosed in VMware's popular virtualization software discovered that almost three-quarters of the 100 flaws discovered since 1999 were found in the last two years, Kris Lamb, director of IBM's Internet Security Systems' research group, stated Friday in a blog post. Nearly 60 percent of the vulnerabilities found could be exploited remotely, Lamb said.
"It is clear that, with the increase in popularity, relevance and deployment of virtualization starting in 2006, vulnerability discovery energies have increasingly focused on finding ways to exploit virtualization technologies," Lamb wrote.
Lamb underscored that virtualization does not equate to security. He pointed out that, just this past week, ISS disclosed a vulnerability in a number of virtualization products. Others, most notably security researcher Joanna Rutkowska, have claimed to be able to create a nigh-undetectable rootkit by taking control of the host process that manages virtual machines.
VMware could not immediately be reached for comment.
