back to article We don' need no stinkin' bounties: VirtualBox guest-to-host escape zero-day lands at GitHub

An infosec researcher has expressed his frustration with disclosure processes by going public with a zero-day in VirtualBox, Oracle's open-source hypervisor. The vulnerability was published at GitHub by "MorteNoir1" accompanied by a demonstration video on Vimeo posted by Sergey Zelenyuk. In the GitHub post, MorteNoir1 …

  1. DJV Silver badge

    I suspect many long-standing VirtualBox users were as dismayed as I was when Sun bought the original VirtualBox company. I bet many were also horrified when Oracle bought Sun - I certainly was. At least MySQL has been (sort of) 'rescued' from Oracle's clutches in the form of MariaDB. I really hope VirtualBox has some sort of escape plan in place as well.

    1. Anonymous Coward
      Anonymous Coward

      As long as a company doesn't make enough money one way or the other (selling products, subscriptions, or being funded by other entities) their destiny is to close or be acquired.

    2. bombastic bob Silver badge

      when Sun bought VirtualBox the first thing I saw was increased support over what qemu and kqemu had given you [what virtualbox was originally based on]. I saw devotion to NON-windows operating systems and I was happy. I think Sun was behind multi-core support in virtualbox, which I thought was AWESOME.

      So far I'm not seeing "bad things" while Oracle has it, although you might say that the lack of urgent response to zero-days and months-long delays in fixing might be Oracle's bureaucracy...

      oh, and that dreaded "just get the newest version" so-called FIX that was also mentioned in another post... this is open source and patches _ARE_ possible, given a pull request that can be adapted to earlier (stable) releases [as needed].

      1. werdsmith Silver badge

        As I have a policy giving oracle a wide berth I don't use virtualbox, I try where-ever possible to avoid java.

        Because one day I just feel that oracle are going to show up with lawyers and tell me that they own my house.

        1. Yet Another Anonymous coward Silver badge

          Only if they already have your immortal soul and first born son

  2. Anonymous Coward
    Anonymous Coward

    Fair enough

    He makes fair points. I'm not into bug hunting but I've heard similar complaints rather frequently over the years.

    Before anyone mentions "responsible disclosure": he gives instructions on how to prevent exposure which are of equal or better value than the "upgrade as soon as possible" advice given when disclosure is made from the vendor.

  3. Anonymous Coward
    Anonymous Coward

    I was going to ask for Chris Williams' technical analysis but no need: the write-up in github is excellent.

  4. MacroRodent


    ...that the paravirtual card is unaffected (by this bug at least). Savvy uses of Linux in VirtualBox prefer it anyway for performance reasons, as it is an interface designed for virtual machines, not a simulation of some real hardware.

    1. amanfromMars 1 Silver badge

      Re: Lucky

      not a simulation of some real hardware.... MacroRodent

      Is One So Sure? Such Offer Almighty Run AI Programs to Crash BetaTest to Perfect Sweet Satisfaction of All.

      Is IT ProgramMING from here too with you? Are you Virtually Enabling and Able to Cast Future Dream Spells to a Choosy Few for Crashing ...... XQuiSite Penetrations Testing to XSSXXXX Levels of LOVEly Attention ..... Mutually Beneficial Climaxes.

      The AAAIPrime Building Block upon which Everything Revolves and Creates Thoughts to Present as the Future View Tomorrow. ..... with Further Exercise of Energy Source Provisions, Reinforcing Confirmation of the 0riginal Gift Granted/Nicely Well Learned and Earned?

      :-) A Vatican Riddle UnSaddeled of Orthodoxy and Set Free into the Deep Pinnacles of Perfect Temptation and Immaculate Desire. ..... for Behind PadLocked Catacomb Pleasure Enterprise Doors Testing/Servicing and Servering of AAAIPrime Building Block Assets/Gifts Granted

      Nymph/Satyr/King/Queen/Manly/Womanly/Alien/ExtraTerrestrial Lands and NewTerritory4U2?

      1. amanfromMars 1 Silver badge

        Re: Lucky

        Be Hereby Warned ....... Further than Here is Totally Immersively Addictive and that can easily be Turned to Address the Attention and Intention that is Fallen Fallow and Foul and Plans for Deadly Deeds that Release Ancient Daemons.

        What are they to be? In Guardian or Avenging Angels Phorm? What has you bested and surrendered in willing submission to a new path and role/new paths and roles?

        1. Cliff Thorburn

          Re: Lucky

          The phrase “Damned if I do, Damned if I don’t springs to mind amfM, although what is and always has been seriously underequipped, underresouced, and as is evidenced daily pre ordained drivered deliverables despached, in Greater Game Global Operating Devices we trust seems to be the order of the day, lets hope and pray a Merry Xmas for all ..

  5. GnuTzu

    Last Time I Tried Running VirtualBox...

    Last time I tried running VirtualBox, there were compatibility issues. Having not revisited it, I'm wondering what progress has been made since. Not being a fan of monopolies and monopolistic corporate behavior, I'd really like to hear that there's more healthy products of this sort, ones with a future, ones able to dislodge themselves from the likes of Oracle (@DJV, voted up).

    BTW, I was fine with Oracle when they were just Oracle. But, these "portfolio" companies appear to, shall I say, dilute the focus of their workforce and thus the quality of their products. Yes, they get more customers with a portfolio of products, but those customers eventually end up with lesser quality products. I fear it's not a healthy aspect of the market.

    1. DJV Silver badge

      Re: Last Time I Tried Running VirtualBox...

      A while back they were adding hardening and this caused a large number of hiccups. They appear to be (mostly) over the problems that caused now.

  6. bombastic bob Silver badge

    I happen to like virtualbox

    I happen to like virtualbox, but I don't open up my VMs to 3rd parties. In cases where it _MIGHT_ happen, I can at least make sure root has a *strong* password/phrase.

    I'll look into the 'paravirtualization' workaround anyway. Years ago I had trouble setting up thing like that, so new VMs aren't using "that", but since then it's probably working correctly so I'll re-visit.

    In the mean time, vbox "NAT" lacks IPv6 support... so maybe "it's time" to look at another way to do networking.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like