I run several VMs at the same time, occasionally one will freeze. I think it's just the video/display that freezes while the browser/whatever in the guest VM still operates normally.
The title should really say that they've been patched.
Edit: The first sentence:
> Oracle has released patches for ten vulnerabilities in VirtualBox which allow attackers to break out of guest operating systems and attack the host operating system that VirtualBox runs on.
Thanks. The article didn't say when the vulnerabilities were discovered. Depending who discovered them, it could have been months or more. I brought it up to clarify that these aren't unpatched vulnerabilities.
I am definitely not complaining, but I wonder why Oracle continues work on VirtualBox at all?
When they acquired Sun, they seemed in a hurry to kill off all the other open source projects Sun had been running.
Do they use it as the basis for their cloud-infrastructure[1] or what? I do not see how VirtualBox generates any revenue for Oracle, and they have a reputation for being very ... focussed when it comes to revenue.
They have a closed-source "extension pack" with a bunch of quite useful and even necessary features (e.g. USB 2.0) so that could be their revenue source, but looking around it seems that others have been rather unsuccessful at actually trying to pay for it --- the response Oracle has given them is "you can use and redistribute it for free".
Huh. Next thing you know Microsoft is going to host all Windows and Office development on public github repos, IBM begins lobbying against software patents, and GNU/Hurd reaches 1.0... These are interesting times we live in for sure.
Patent Troll: Hi, I am a Patent Troll,
and I want to sue your ... company.
Halliburton: Look, Dame or Dude, you have three choices:
1. We have a patent on that.
You cannot sue us without a license.
Good bye!
2. We have a patent on that.
You cannot sue us without a license.
Licenses are $ 42 trillion.
*Per Lawyer*.
See you in court. Or not.
3. We buy your company, because we rule!
Patent Troll: *Head explodes*
-- The End --
A decent writer could make a sitcom out of this in no time. I already have a picture in my head -- it is like Night Court meets Psych! I wanna watch this on Netflix!!!
In past I wanted my employers to pay for VirtualBox commercial licences (to support the project and in some cases it was a requirement that all software used in development process is properly licensed) but I couldn't even find it anywhere as a product. Nowadays it is available[1] (not sure since when) but minimum number of licenses to purchase is 100.
Interesting. The minimum order quantity suggests that Oracle is not interested in small orders (and I'm almost willing to bet that if you asked to buy fewer than that for commercial use, the response would be "just use it for free".) $50/user is also quite low by Oracle standards... I guess they decided the legal fees involved in going after "small violations" are not worth the trouble.
I guess I'm going to have to switch to using KVM at work now if I to do things like USB device passthrough now. Shame too because setting up KVM networking is way more complicated than setting up VirtualBox networking.
On Linux, qemu/kvm works well enough for most purposes, on FreeBSD you have bhyve. OpenBSD's vmm is a thing, but I do not know if it can host other systems than OpenBSD, yet.
On Windows, there is Hyper-V. I have only very little experience with it, but in my short time, I did not encounter anything I would like to complain about. I am not sure, however, if it comes with the client editions of Windows. Microsoft Virtual PC still exists, too.
Xen is also a thing - run Dom0 as your desktop system, and run the VMs in the background.
None of this is perfect, but if you need them, there are alternatives.
There is no particular reason to expect that qemu has any greater security that vbox. All of these systems have a significant amount of very critical code; I particularly sceptical of the hardware emulation part.
AWS recently started moving from a custom Xen to a custom KVM, but it doesn't seem it was for security reasons. Xen certainly is heavily used by public cloud providers.
QEMU is huge, but you choose what parts to use. If you stick to the defaults, e.g. your VM has one or more virtio devices, a virtual USB3 controller and USB tablet, maybe an IDE/AHCI controller and an e1000 or rtl8139 NIC, it should be pretty okay.
Because of its use with KVM, QEMU has had its code scrutinized quite closely in the last few years. There are some device models that have a pretty bad track record, such as Cirrus VGA, but they are not the default anymore and there's no reason why you should use them.
I was going to recommend Bochs, which doesn't use virtualisation hardware at all and is instead an instruction-level emulator (much slower but should theoretically be more immune to hardware virtualisation bugs), but then there's this:
Judging by the descriptions, these VirtualBox bugs are all in the device emulation, host-to-guest communications framework and so on, so they would apply equally whether the VM was using virtualization hardware or instruction emulation. This isn't unique to VirtualBox's track record -- the 'attack surface' for a VM is almost entirely in the device models, where software bugs allow VM escapes. The hardware virtualization is much less likely to cause problems: CPU bugs are rare compared to software bugs. In fact I think a pure-emulation setup would be worse off, because there's a lot more potentially buggy software doing the emulation that the guest can try to exploit. If you don't see those in a CVE list it's because nobody's bothering to try to exploit whatever emulator you're using, or because the emulator doesn't promise guest isolation and doesn't track bugs as CVEs. Comparison of raw CVE counts is tricky and risks apples-to-oranges problems.
Compared to Xen and KVM, VirtualBox runs much larger parts of the device emulation in ring 0, together with the core CPU virtualization code, for performance.
This is particularly important when KVM is used with a special user (such as user "qemu") and SELinux, because then a bug in QEMU becomes extremely hard to turn into host root access. Libvirt takes care of configuring SELinux this way for you, when you use for example KVM on OpenStack.
There are VirtualBox alternatives, but the advantage of VirtualBox is your exported VM appliances may be imported to the same hypervisor on Windows, Mac, FreeBSD, Solaris, Illumos, and Linux.
VirtualBox also has a slicker UI compared with QEMU/KVM on linux & bhyve on FreeBSD/Mac & vmm on OpenBSD.
The alternatives all have their own merits, but if people are wondering why anyone would use VirtualBox, I believe the above reasons are why.
44 comments
[ 3.1 ms ] story [ 118 ms ] threadI run several VMs at the same time, occasionally one will freeze. I think it's just the video/display that freezes while the browser/whatever in the guest VM still operates normally.
"The vulnerabilities found in the core graphics framework (VBVA subcomponent) and affect all host operating systems."
Edit: The first sentence:
> Oracle has released patches for ten vulnerabilities in VirtualBox which allow attackers to break out of guest operating systems and attack the host operating system that VirtualBox runs on.
And at http://www.oracle.com/technetwork/security-advisory/cpujan20...
> Supported Versions Affected ... Prior to 5.1.32, Prior to 5.2.6
The current version being 5.2.6
https://www.virtualbox.org/wiki/Downloads
When they acquired Sun, they seemed in a hurry to kill off all the other open source projects Sun had been running.
Do they use it as the basis for their cloud-infrastructure[1] or what? I do not see how VirtualBox generates any revenue for Oracle, and they have a reputation for being very ... focussed when it comes to revenue.
[1] That seems pretty unlikely
https://www.npr.org/sections/money/2012/08/01/157743897/can-...
[1]: https://shop.oracle.com/apex/product?p1=OracleVMVirtualBoxEn...
However, even the extensions used to be free for "noncommercial use in a commercial environment" --- they silently changed the license relatively recently: https://forums.virtualbox.org/viewtopic.php?f=1&t=85092
I guess I'm going to have to switch to using KVM at work now if I to do things like USB device passthrough now. Shame too because setting up KVM networking is way more complicated than setting up VirtualBox networking.
Any other hypervisor. QEMU/KVM, Xen, VMWare, and Parallels all have good track records.
This skews the CVE stats significantly since the kernel developers (aka kvm) rarely actually request CVE ids.
On Windows, there is Hyper-V. I have only very little experience with it, but in my short time, I did not encounter anything I would like to complain about. I am not sure, however, if it comes with the client editions of Windows. Microsoft Virtual PC still exists, too.
Xen is also a thing - run Dom0 as your desktop system, and run the VMs in the background.
None of this is perfect, but if you need them, there are alternatives.
Not updated in almost 10 years, not supported on Windows 8 or 10.
It's in Windows 10 client editions too. Look under "Turn Windows features on or off". Windows Subsystem for Linux is there too.
AWS recently started moving from a custom Xen to a custom KVM, but it doesn't seem it was for security reasons. Xen certainly is heavily used by public cloud providers.
Because of its use with KVM, QEMU has had its code scrutinized quite closely in the last few years. There are some device models that have a pretty bad track record, such as Cirrus VGA, but they are not the default anymore and there's no reason why you should use them.
https://www.cvedetails.com/vulnerability-list/vendor_id-2505...
Better than this though:
https://www.cvedetails.com/vulnerability-list/vendor_id-93/p...
This is particularly important when KVM is used with a special user (such as user "qemu") and SELinux, because then a bug in QEMU becomes extremely hard to turn into host root access. Libvirt takes care of configuring SELinux this way for you, when you use for example KVM on OpenStack.
This also holds true for the alternatives.
VirtualBox also has a slicker UI compared with QEMU/KVM on linux & bhyve on FreeBSD/Mac & vmm on OpenBSD.
The alternatives all have their own merits, but if people are wondering why anyone would use VirtualBox, I believe the above reasons are why.