Have you used Virtual Machine/Operating System Emulator software to use the Internet?

froggyboy604

Well-Known Member
Staff member
Manager
Full GL Member
29,630
2007
797
Credits
18,865
Mature Board Viewing
Unlock full profile styling
Yes, I used Virtual Machine/Virtualization Operating System software like VirtualBox to use the internet with operating systems like Windows, Linux, and Android running inside a Virtual Machine software.

I used Firefox, Chrome, and the built-in updaters in Linux installed on a Virtual Machine.

Recently, I used Android emulators like BlueStack to run Android web browsers and social networking apps like Instagram and Facebook within Android installed on Windows with BlueStack.
 
I've never used a VM before. I never really had a reason to use one. The main reason I see is to play .exe games that may be viruses and browse the deep web.
 
I use VMware Workstation 12 Player to run a webserver inside a Centos VM :) Yes it goes to the internet but only to get updates and nothing else.
 
We're doing it right now in servers class, it's a fun little set up.
 
I think hobbyist, and computer students mainly use Virtual Machine software to teach themselves about computer networking , and web server software without the need to buy many computers, servers, cables, routers, and switches which can be very expensive, use more electricity, and use up a lot of room space to house all the stuff which can be a problem if you live in an apartment, Trailer home, and other types of small homes.
 
Well here's some news about VMs:

RISK ASSESSMENT —
Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
Hack worked by stitching together three separate exploits.

DAN GOODIN - 3/17/2017, 8:10 PM

Heather Katsoulis
Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."

"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."

Virtual machines are vital to the security of individuals and large organizations everywhere. In server hosting environments, they're used as a container that prevents one customer's data and operating system from being accessed by other customers sharing the same physical server. Virtual machines such as the VMware Workstation hacked Friday are also used on desktop computers to isolate untrusted content. Should the guest operating system be compromised through a drive-by browsing exploit or similar attack, the hackers still don't get access to data or operating system resources on the host machine.

Any hack that can break out of a widely used virtual machine is generally considered significant. The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of most challenging browsers to exploit. Typically, such remote-code exploits require two or more vulnerabilities to be exploited in unison. The requirement appears to be why the Qihoo team combined the heap overflow exploit with the Windows kernel hack. The description sets up a scenario in which malicious websites can not only compromise a visitor's virtual machine, but also the much more valuable host machine the VM runs on. At last year's Pwn2Own, contestants didn't attempt to target VMWare, an indication reliable exploits were probably worth more than the $75,000 prize that was offered at the time.

Friday's success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.

"A virtual machine hypervisor is just another software-based isolation layer that can have vulnerabilities in it that permit attacks to break through," Dino Dai Zovi, who is co-founder and CTO of Capsule8, which provides real-time threat protection for modern infrastructure, told Ars. "Isolation layers such as sandboxes, virtualization, and containerization all add more work for an attacker, but none are perfect. Defenders should always assume that they can be broken through with enough work by an attacker."

Dai Zovi was the winner of a $10,000 prize 10 years ago, the first year Pwn2Own was held. He won it for an exploit that fully commandeered a MacBook Pro.

The VM escape came on the third and final day of the 2017 Pwn2Own hacking competition in Vancouver, British Columbia. Pwn2Own is organized by Trend Micro's Zero Day Initiative group. The contest attempts to crudely replicate the workings of a real-world zero-day market by paying cash prizes for hacks that completely hijack computers running fully patched versions of widely used operating systems and applications. This year's contest paid $233,000 on day one and $340,000 on day two. More details about the exploits that fetched those awards are here and here. Contest organizers and participants typically keep exploit details confidential until after the underlying vulnerabilities have been patched.

This post was updated to add exploit details provided by Qihoo 360.

Source: Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
 
Well here's some news about VMs:

RISK ASSESSMENT —
Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
Hack worked by stitching together three separate exploits.

DAN GOODIN - 3/17/2017, 8:10 PM

Heather Katsoulis
Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."

"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."

Virtual machines are vital to the security of individuals and large organizations everywhere. In server hosting environments, they're used as a container that prevents one customer's data and operating system from being accessed by other customers sharing the same physical server. Virtual machines such as the VMware Workstation hacked Friday are also used on desktop computers to isolate untrusted content. Should the guest operating system be compromised through a drive-by browsing exploit or similar attack, the hackers still don't get access to data or operating system resources on the host machine.

Any hack that can break out of a widely used virtual machine is generally considered significant. The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of most challenging browsers to exploit. Typically, such remote-code exploits require two or more vulnerabilities to be exploited in unison. The requirement appears to be why the Qihoo team combined the heap overflow exploit with the Windows kernel hack. The description sets up a scenario in which malicious websites can not only compromise a visitor's virtual machine, but also the much more valuable host machine the VM runs on. At last year's Pwn2Own, contestants didn't attempt to target VMWare, an indication reliable exploits were probably worth more than the $75,000 prize that was offered at the time.

Friday's success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.

"A virtual machine hypervisor is just another software-based isolation layer that can have vulnerabilities in it that permit attacks to break through," Dino Dai Zovi, who is co-founder and CTO of Capsule8, which provides real-time threat protection for modern infrastructure, told Ars. "Isolation layers such as sandboxes, virtualization, and containerization all add more work for an attacker, but none are perfect. Defenders should always assume that they can be broken through with enough work by an attacker."

Dai Zovi was the winner of a $10,000 prize 10 years ago, the first year Pwn2Own was held. He won it for an exploit that fully commandeered a MacBook Pro.

The VM escape came on the third and final day of the 2017 Pwn2Own hacking competition in Vancouver, British Columbia. Pwn2Own is organized by Trend Micro's Zero Day Initiative group. The contest attempts to crudely replicate the workings of a real-world zero-day market by paying cash prizes for hacks that completely hijack computers running fully patched versions of widely used operating systems and applications. This year's contest paid $233,000 on day one and $340,000 on day two. More details about the exploits that fetched those awards are here and here. Contest organizers and participants typically keep exploit details confidential until after the underlying vulnerabilities have been patched.

This post was updated to add exploit details provided by Qihoo 360.

Source: Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]

I wonder if the same security vulnerability or similar security problem works in Internet Explorer 11 for Windows 10 running in a VM. Microsoft Edge is a new web browser, so there maybe more undiscovered security problems which are not yet found, and reported to MS.
 
Danielx64 Danielx64 so with VM they were able to exploit W10 with edge browser?
You tie up 3 different exploits together in a chain. You exploit the Edge browser. Then you exploit the Windows 10 kernel using the first exploit. Lastly with the 2 exploits linked together you can then break out of the VM using a 3rd exploit and take over the host machine.
 
I wonder if the same security vulnerability or similar security problem works in Internet Explorer 11 for Windows 10 running in a VM. Microsoft Edge is a new web browser, so there maybe more undiscovered security problems which are not yet found, and reported to MS.
That's a good question. By design Edge is supposed to be sandboxed and more secure than IE. I wouldn't know to be honest.
 
You tie up 3 different exploits together in a chain. You exploit the Edge browser. Then you exploit the Windows 10 kernel using the first exploit. Lastly with the 2 exploits linked together you can then break out of the VM using a 3rd exploit and take over the host machine.

huh, interesting.
 
Back
Top