Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

A Downside to Hyper-V

by Neil MacDonald  |  February 11, 2010  |  6 Comments

In my post yesterday on MS10-015, I discussed a troublesome kernel-level vulnerability that affects most versions of Windows.

Most of you will remember that Hyper-V’s parent partition is based on a slimmed down version of Windows called “Server Core”. Hmmm, could it be that the parent partition is affected?

Yup, it’s affected.

Don’t let the word “Core” mislead you. It’s still a big footprint – about 1GB in size. I’m glad this particular vulnerability isn’t remotely exploitable or I’d really be worried, but we’ve still got to patch the darn thing. And that means taking the server down. Live Migration (introduced with Windows Server 2008 R2) will allow you to move the workloads without downtime, but how many of you have moved to R2?

The lesson from all of this is that thinner is better from a security perspective and I’d argue that the x86 virtualization platforms that we are installing (ESX, Xen, Hyper-V and so on) are the most important x86 platforms in our data centers. That means patching this layer is paramount. With Hyper-V’s parent partition that means closely keeping an eye on Microsoft’s vulnerability announcements to see if it is affected.
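To turn the advice above into a repeatable check, here is an added PowerShell script (not from the post) that runs on a Hyper-V parent partition, confirms it is a Server Core install with the Hyper-V role, lists which of a given set of KB fixes are missing, and shows the running VMs that would lose service during the reboot a kernel patch needs when Live Migration is not available. The KB ids in the default list are placeholders; take the real ones from the bulletin's affected-software table.

```powershell
# Added example, not part of the original post. Run on the Hyper-V parent partition.
param(
    # Placeholder KB ids (constructed); replace with the ids from the Microsoft bulletin table.
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002')
)

# Server Core reports InstallationType = "Server Core" in the CurrentVersion key.
$install = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$isServerCore = ($install.InstallationType -eq 'Server Core')

# The Hyper-V role is present when the Virtual Machine Management service exists.
$hyperVRole = $null -ne (Get-Service -Name vmms -ErrorAction SilentlyContinue)

# Windows patches installed in the parent partition.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }

# Running VMs: try the newer WMI namespace first, then the 2008/R2 one.
# Caption "Virtual Machine" excludes the host entry; EnabledState 2 means running.
$vms = @()
foreach ($ns in 'root\virtualization\v2', 'root\virtualization') {
    $cs = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -ErrorAction SilentlyContinue
    if ($cs) {
        $vms = $cs | Where-Object { $_.Caption -eq 'Virtual Machine' -and $_.EnabledState -eq 2 } |
               ForEach-Object { $_.ElementName }
        break
    }
}

# One object per host, suitable for collecting across all parent partitions.
New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    ServerCore   = $isServerCore
    HyperVRole   = $hyperVRole
    MissingKBs   = ($missing -join ', ')
    RunningVMs   = ($vms -join ', ')
    VMsAtRisk    = $vms.Count   # workloads that go down with the reboot if no Live Migration
}
```

A non-empty MissingKBs on a host with VMsAtRisk greater than zero is the case the post describes: the parent partition needs a Windows patch and every hosted workload shares the reboot.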


Category: Microsoft Security, Virtualization Security

6 responses so far ↓

  • 1 Rob A.   February 12, 2010 at 12:10 am

    Epic fail. VMware released a few DOZEN patches for various VMware products including ESX just last week. Including ESXi. This is the first one for Hyper-V. Woolsey debunked this myth months ago.

    http://blogs.technet.com/virtualization/archive/2009/08/17/hypervisor-footprint-debate-part-3-windows-server-2008-hyper-v-vmware-esxi-3-5.aspx

  • 2 Neil MacDonald   February 12, 2010 at 11:11 am

    Rob, thanks for the link.
    The blog (written by a Microsoft Hyper-V program manager) contains good data.

    I think you need to reread my post and take a look at my research. *All* virtualization platforms will have vulnerabilities. The advice is to a) treat this layer as the most important x86 platform in your data center and to b) extend your patch and config management processes to this layer. This applies whether it is Microsoft or VMware.

    As I said, what really caused customers pain with Hyper-V before R2 was that they couldn’t live migrate the workloads while the parent partition was patched (unlike VMware) causing downtime for all hosted workloads. Sorry, but this is real pain. Glad this is addressed with R2.

    Back to most recent Patch Tuesday
    http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx
    When you look at the detailed table for patches that affect Server Core, it is not just 015: 006, 009, 010, 012, 014 and 015 all affect Server Core. So I’ll repeat my advice:

    That means patching this layer is paramount. With Hyper-V’s parent partition that means closely keeping an eye on Microsoft’s vulnerability announcements to see if it is affected.

    Neil

  • 3 Rob R   February 24, 2010 at 2:42 pm

    @RobA — I think you are missing the point. First off, Neil is talking about security vulnerabilities and patches, not ALL bugs and patches. So your “few dozen” take make sense here.

    Interestingly the bug that Neil mentions is not specific to Hyper-V, but to Server Core. I believe (and I am speaking for him here, Neil, correct me if I am wrong), his point is that having that FAT general purpose OS means that anything that affects that general purpose OS parent partition is going to affect Hyper-V. That is the case and is not debatable.

    ESXi on the other hand does not have a general purpose OS to contend with. It only has its purpose-built hypervisor. Is it immune to vulnerabilities? No, of course it is not immune. That would be just plain silly to say. It can have vulnerabilities just like any other code that is out there. Have there been and will there be vulnerabilities reported and patched for ESXi? Absolutely. The point is that it won’t have to deal with all of the additional vulnerabilities that you get with a general purpose OS.

    BTW…if you look at the Security Advisories from VMware for 2010 so far. None of the vulnerabilities affect ESXi. Just sayin….

  • 4 John K   February 26, 2010 at 5:07 pm

    The Woolsey post cited in the first comment from “Rob A” contains false information. VMware ESXi is released as a complete firmware image, so you can’t claim the size of an ESXi patch has any correspondence to what has changed inside. Woolsey’s post doesn’t debunk anything. ESXi’s smaller footprint and smaller attack vulnerability is still a fact.

  • 5 Neil MacDonald   February 27, 2010 at 4:55 pm

    ESXi indeed is a smaller footprint and the architecture to patch it monolithically is actually a good one – much like BIOS. That’s what this layer should be treated like.

    The extra code to support a patch agent is unnecessary baggage for this critical layer so the right approach is to change it out in one piece.

    Agree with John K – if you measure this entire changeout as a “patch” then this is very misleading in terms of quantity as measured by size. Patches shouldn’t be measured by size, they should be measured by number.

    Neil

  • 6 latoga labs | Virtualization Round Up 20100307   March 8, 2010 at 12:25 pm

    [...] had a number of recent posts that talk about Windows kernel-level vulnerability, which also affect Hyper-V and shed light on the value of a dedicated hypervisor versus one that is [...]