A bug in Microsoft's software gives hackers a way to exploit virtual Windows machines which would be attack-proof if they were running on real hardware, a researcher said.

The flaw is in some of Microsoft's virtualisation software, including Windows XP Mode, the free add-on for Windows 7 that lets users of the newer OS run older applications in a virtual machine.

Core Security went public with information about the flaw yesterday, seven months after reporting the problem, because Microsoft declined to patch it. "They don't believe this requires a patch," Ivan Arce, CTO of Core Security, said in an interview today. "They said that they would address it with an update or in a service pack some time in the future. We believe this needs to be fixed sooner."

Microsoft confirmed that it doesn't consider the bug in Virtual PC, Virtual PC 2007 and Virtual Server 2005 a security hole. "The functionality that Core calls out is not an actual vulnerability per se," said Paul Cooke, a director for Microsoft who manages enterprise security technology in Windows group. "Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system," he continued. "It's a subtle point, but one that folks should really understand."

Core and Microsoft don't disagree on the facts, said Arce.

The flaw makes it possible for hackers to bypass several major Windows security defenses, including DEP (data execution prevention) and ASRL (address space layout randomisation), that are designed to deflect some types of attacks against Windows XP, Vista and Windows 7.

But the two companies don't see eye-to-eye on the need for a patch. "We don't agree with Microsoft's decision not to patch," said Arce. "Applications in a virtualised environment are more easily exploitable than if they were running on real hardware. This should be fixed."

Hackers could exploit the flaw to attack virtualised copies of Windows that normally would be immune to attack, or at the least, much more difficult to attack, because of mechanisms like DEP and ASLR, Arce said. And the bug could make vulnerabilities once thought trivial, and not worth the trouble to patch, worthy of exploitation. "In light of this bug, vulnerabilities believed to not apply to the virtualised OS and that were dismissed as not exploitable, may, in fact, be exploitable," Arce added.

Arce acknowledged that by publishing its lengthy advisory, which includes proof-of-concept attack code, Core was pressuring Microsoft to patch. "We understand that it may be difficult to fix, but this puts pressure on them to do something about it sooner rather than later," he said.