In the message "[MAGNet] RE: New Virus Expected to hit today (fwd)",
dated 2004-07-28, Michelle Bautista wrote:
>I've got a user that does extensive programming in Virtual PC. We've
>struggled in trying to make sure that her Virtual PC is up to date to
>prevent it from being nailed by all these worms.
>
>She found out from Microsoft that the KB835732 fix, which plugs up the
>Sasser worm hole, breaks W2K in Virtual PC. Now our issue of course is
>that in order to use Virtual PC she'll have to go without this fix. How
>vulnerable is she?
>
>Does the Apple firewall create any protection for her in Virtual PC?

Ellen England wrote, in a message included in Michelle's query:
>I think (I hope) it's not an issue at home because my Mac/VPC is
>behind the Airport firewall. But what about here? Would that impose too
>much of a threat?

My (likely naive and incomplete) understanding is that any host
that is, virtually-speaking, 'behind' a router which provides Network
Address Translation (NAT) services - and this may include the Apple
Airport Base Station or Airport Express, if appropriately configured
- can't be directly attacked by an exploit like Sasser. This is
because the IP addresses of the machines behind these routers are on
a private network, rather than on the public Internet. They would
thus not be accessible to worms which carry out scans of - or even
attempt to blindly send packets to certain ports at - hosts at public
IP addresses.

As to whether a host-based software firewall under Mac OS X would
protect a Windows environment running under Virtual PC on that
Macintosh, that might depend in part on how Virtual PC's networking
is configured. There appear to be at least two configuration
options: Shared Networking and Virtual Switch. The Shared Networking
option is described in:
http://support.microsoft.com/default.aspx?kbid=824508&product=vpcwin2004

The Shared Networking option would appear to be the more secure,
albeit more limited in its functionality. It *might* even be
analogous to having the virtual Windows PC reside behind a NAT
router. It is also possible that the Shared Networking option might
allow incoming traffic to the Virtual PC, in effect, to be protected
by a software firewall running on the host Macintosh, such as the
integral Apple ipfw firewall or Norton Personal Firewall.

I don't know this definitively, but that's a working hypothesis.
Anyone else know this for sure? :-) One possible way of testing this
in the Virtual PC environment would be to use online vulnerability
scanners such as "Shields Up" <http://grc.com/> and their equivalent,
both in Shared Networking and Virtual Switch configurations.

Aron Roberts
Workstation Software Support Group
Received on Wed Jul 28 14:47:20 2004