I’ve just installed Ubuntu 10.4 under Sun Virtual Box. As I was playing and surfing the web with it, I started thinking that this could be a much safer way to surf, as what is happens on the virtual box stays on the virtual box, to paraphrase Tom Hanks. Question: is this really as safe as I think?
Probably not.
Don’t get me wrong, using a virtual machine (or “VM”) can add a very significant layer of security and safety, and can be an extremely useful approach to increasing both.
But it’s not a perfect solution, and if its limitations aren’t considered it can be quite dangerous simply by giving you a false sense of security in areas that it doesn’t really help.
The simplest way to think of a VM is as just another computer on your network.
Yes, that computer is “virtual”, in that it’s really just a program running within your existing computer. The thing is, that “virtual machine” does such a good job of looking and acting like a separate machine, that’s often the best way of thinking about it.
So, the huge advantage of a VM is that you can have another computer without needing the additional hardware. On that other (virtual) machine you can run another operating system, like say a Unix variant such as Ubuntu. Within that virtual machine you’re not running Windows, and thus are not vulnerable to Windows-based malware.
That’s pretty significant. On your Windows machine you can set up a protected environment running some other operating system that’s not vulnerable to the vast majority of malware today. Some have gone so far as to say that this is the way you should do online banking – in a non-Windows environment.
But before we think all our problems are solved, let’s look at some areas of concern that remain:
- social engineering – this is where you are the vulnerability. Responding to an email that demands your Hotmail account name and password – a phishing attempt – is “platform independent”. You can be taken by those types of schemes no matter what operating system you’re running, or where.
- network exploits – these are technical and currently rare, but for example, if your router gets hacked to redirect you to a fake banking site, your non-Windows OS won’t give you any advantages.
- browser exploits – “the browser is the new operating system” is something we’re starting to hear a little more often. What that means is that we do so much in our browser, and the browser provides so much functionality, that it’s pretty much an operating system unto itself. As a result, its vulnerabilities can often be targeted, once again regardless of underlying “real” operating system.
- file transfer – what happens in a VM stays in a VM except if you copy it out. Even if you do all your browsing in a non-Windows based VM, you’re likely to eventually download something that you’ll want to place on the underlying Windows machine. If that file is infected with a Windows-based exploit, not only will you be copying it over, but it’s possible that by first downloading in a non-Windows VM and then copying to Windows you might bypass one phase of your anti-malware software.
- network vulnerabilities – a VM is another machine, with its own virtual connection to your local area network. Depending on the VM technology and configuration that connection may or may not be protected by your underlying Windows security software. It’s also on the supposedly “safe side” of your router which is protecting you from internet-based network threats.
So, I’ll reiterate the thinking: treat it as if it was just another machine, and use all the security and safety steps that you would use setting up such a machine.
Don’t get me wrong – it’s an excellent approach to dealing with certain types of security issues. The primary advantage is that you can run a non-Windows operating system without having to purchase and manage another computer, and while still running Windows for other things that might require it. It can be cumbersome, and occasionally a little tricky to set up, but it can be quite valuable.
As long as you keep in mind what it does, and does not, protect you from.
If I run an OS using VM software, is the host operating system safe? For example, I want to test certain anti-virus software by purposely downloading viruses and seeing which ones get detected, stopped, etc. Do I need to worry that the host operating system will get hit as well?
I think you left off one of the greatest advantanges of a VM, the instant reset ability. Let’s say that you create a Windows VM and it gets infected, assuming you set it up correctly beforehand, you can easily roll the VM back to an earlier point (no this is not windows restore points) and the virus, and all other changes will be gone. Something like this can be great for your younger children. You allow them to log into the VM, and when they are done, you just discard all changes. Of course, for most of us, this would not be a desired effect, since we like to keep our favorites, and other things we download from the internet.
@Josh,
It would depend on your VM solution, but in general, no you don’t have to worry about the local host unless you setup share connections between the host and the VM. As long as the VM remains isolated, you should be OK.
PS, don’t forget that Leo’s comment about using all the usual security steps for your VM means, specifically, that the VM needs all its software patched as needed (OS, browser, productivity software– everything) and it needs its own malware/virus protection. Updating/patching on the underlying OS won’t “propagate” to the VM; you have to do it separately.