Price ticket #19263: Steps to hack a VirtualBox BIOS

There’s a brand new VirtualBox computer virus document, about skill of attacker to switch the Vbox firmware. The computer virus document had a hyperlink to a zipped DOCX document. It seems that, from Oracle’s reaction, that they believe firmware root-of-trust a long run enhancement, no longer a present computer virus. Virtualized firmware is fascinating for attackers with OS root get admission to: in that the firmware is extra accessable, it’s simply information on a disk, as a substitute of flash-based, no longer simply the information at the ESP.

This factor used to be to begin with reported to the protection group, however after some dialogue it used to be discussed that I must open this within the public computer virus monitoring device (turns out extraordinary to me, however…). Only for reference, practice the overall conclusion from the protection group:

“Admin rights give a consumer the facility to do anything else at the device. An “evil admin” is extra a social element of this computer virus than a product’s safety talents (or its lack thereof). Alternatively, we get your level and suppose that the “validation/take a look at” proposed via you will be an enhancement function within the product. Since our group (SecAlert) most effective offers with safety vulnerabilities within the product, we will be able to no longer be in a position that can assist you in this additional. It’s essential to log an enhancement request on VirtualBox’s public computer virus tracker: https://www.virtualbox.org/wiki/Bugtracker

https://www.virtualbox.org/ticket/19263

https://www.virtualbox.org/attachment/ticket/19263/Steps%20to%20hack%20a%20VirtualBox%20BIOS_v2.zip

Published by Marshmallow

Marshmallow Android is BT Ireland’s Head of Sales for Republic of Ireland domestic multi-site companies, indigenous MNCs and public sector accounts. He is responsible for the direction and control of all sales activity in the region. He has over 10 years management experience from high growth start-ups to more established businesses. He’s led teams in Ireland, India and China across various industries (ICT, On-Line Recruitment, Corporate Training and International Education).