VirtualBox Zero-Day Vulnerability Published

By

An independent security expert published the vulnerability to expose the flaws of the infosec community.

Oracle VirtualBox is one of the most popular solutions for running virtual machines. An independent researcher, who goes by the handle MorteNoir1, has found a zero-day vulnerability in this venerable software that can allow a malicious program to escape the virtual environment and compromise the host machine.

“According to Zelenyuk, the vulnerability allows an attacker or a malicious program with root or administrator rights in the guest OS to escape and execute arbitrary code in the application layer (ring 3) of the host OS, which is used for running code from most user programs with the least privileges,” wrote The Hacker News.

The author went ahead and actually published his findings because he was frustrated with the state of the infosec community. MorteNoir1 wrote on the GitHub page that he loved VirtualBox and it has nothing to do with why he published a 0day vulnerability. He wrote that it’s considered OK to wait for more than half a year before a vulnerability is fixed (remember, in case of Intel the company didn’t even disclose Spectre/Meltdown flaws for more than six months).

At the same time, MorteNoir1 criticized the bug bounty programs where it’s ok to “Wait more than a month until a submitted vulnerability is verified and a decision to buy or not to buy is made,” he wrote.

MorteNoir1 then criticized the infosec community. “Delusion of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating the importance of own job as a security researcher; considering yourself "a world savior." Come down, Your Highness.”

This disclosure is less about the bug itself and more about how the infosec community works. 

11/20/2018
comments powered by Disqus