Virtualization users should expect more attacks

Hackers are increasingly focusing their attention on virtualized environments.

VMware's recent release of a large number of patches for its virtualization offerings is likely to be the first of many, as hackers increasingly focus their attention on virtualized environments.

That is according to security vendor, Fortify Software, which is urging caution among those companies looking to adopt virtualization technology.

Last week, the virtualization market leader VMware warned of at least 16 vulnerabilities concerning VMware ACE, VMware Server, VMware ESX, VMware Workstation and VMware Player. The advisory also included links to a number of patches.

The US Computer Emergency Readiness Team (US-CERT) meanwhile said these vulnerabilities could allow hackers to execute arbitrary code, cause a denial-of-service condition, access the system with elevated privileges, or obtain sensitive information.

"With the dramatic fall in processor prices over the last 12 months and the amplifying effects of the credit crunch, many companies are reviewing their IT resources and concluding that virtual servers are a highly cost-effective and business-efficient way to go," said Rob Rachwald, Fortify's director of product marketing.

"A typical major business may find that VMware gives them access to, say, 16 virtual servers when they only have 12 physical servers. This is a real cost-saver and also allows companies to start taking out more innovative software licences as well," he added.

According to Rachwald, this is why so many major organizations were going down the virtual server route.

But he warns the problem comes about because many conventional IT security applications do not fully protect virtual server users.

"It's a whole new security ballgame, which is why we urge anyone contemplating migrating over to the benefits of a virtual server system to review their IT security systems," said Rachwald. "It's also one of the reasons why we predict that virtual server patches will become commonplace in the months ahead," he explained.

Meanwhile, another security vendor admits it has not yet seen any specific attacks on virtualized announcements, but nevertheless feels that an attack may not be far off as some people think. "People are looking at virtualization for sorts of reasons, but to the best of my knowledge, we have not seen any wholesale attack on virtualized environments to date," said David Emm, senior technology consultant at Kaspersky Lab.

"That said, any commonly used system does become a juicy target for these guys," he told Techworld. "For example, it used to be said that Internet Explorer was less secure than Firefox, but as more and more people use Firefox, we are seeing more and more Firefox vulnerabilities. The same will be true for virtualized environments."