"The just-patched critical vulnerability in widely used virtualization
software is an ideal exploitation target for state-sponsored spies and
criminals alike fishing for passwords, cryptography keys, or bitcoins,
a researcher who has dissected one of the fixes said.

The bug, which is known to affect the Xen, KVM, and native QEMU
virtual machine platforms and appliances, makes it possible for
attackers to break out of protected guest environments and take full
control of the operating system hosting them, security researchers
warned Wednesday. In the hours following Wednesday morning's
disclosure of the vulnerability, many security professionals have
publicly said its severity is being exaggerated. The critics have
rightly pointed out that it can't be remotely exploited and can't be
exploited on large numbers of machines in a single stroke, as is the
case with most serious security bugs."

Peter Reutemann, Dept. of Computer Science, University of Waikato, NZ
Ph. +64 (7) 858-5174