<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">This just hit Slashdot:  "<span style="color:rgb(54,54,54);font-family:Arial,sans-serif;font-size:13px">According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs t</span>hat can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on <span style="color:rgb(54,54,54);font-family:Arial,sans-serif;font-size:13px">the underlying (host) operating system."</span><div><font color="#363636" face="Arial, sans-serif"><br></font></div><div><font color="#363636" face="Arial, sans-serif">One example article:  </font><span style="color:rgb(54,54,54);font-family:Arial,sans-serif"><a href="https://www.zdnet.com/article/virtualbox-zero-day-published-by-disgruntled-researcher/">https://www.zdnet.com/article/virtualbox-zero-day-published-by-disgruntled-researcher/</a></span></div><div><font color="#363636" face="Arial, sans-serif"><br></font></div><div><font color="#363636" face="Arial, sans-serif">Slashdot:  <a href="https://developers.slashdot.org/story/18/11/10/1739206/disgruntled-security-researcher-publishes-major-virtualbox-0-day-exploit">https://developers.slashdot.org/story/18/11/10/1739206/disgruntled-security-researcher-publishes-major-virtualbox-0-day-exploit</a></font></div><div><font color="#363636" face="Arial, sans-serif"><br></font></div><div><font color="#363636" face="Arial, sans-serif">His GitHub repo has the technical details.  
He shows how you can create a console shell to start on the host by using a buffer overrun in the guest:  </font><span style="color:rgb(54,54,54);font-family:Arial,sans-serif"><a href="https://github.com/MorteNoir1/virtualbox_e1000_0day">https://github.com/MorteNoir1/virtualbox_e1000_0day</a></span></div><div><font color="#363636" face="Arial, sans-serif"><br></font></div><div><font color="#363636" face="Arial, sans-serif">The "disgruntled security researcher" part is difficult to read and understand due to broken English.  More info is available on his GitHub page.</font></div><div><br></div><div><div><div>Stéphane</div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><table border="0" cellpadding="0" cellspacing="0">
    <tbody>
        <tr>
            <td align="left" valign="bottom" width="107" style="line-height:0;vertical-align:bottom;padding-right:10px;padding-top:20px;padding-bottom:20px">
            </td>
            <td align="left" valign="bottom" style="line-height:1.1;vertical-align:bottom;padding-top:20px;padding-bottom:20px">
                <div style="font-size:18px;font-weight:bold;color:rgb(51,51,51);font-family:'Proxima Nova',Helvetica,Arial,sans-serif">Stéphane Charette</div>
                <a href="https://about.me/stephane.charette?promo=email_sig&utm_source=product&utm_medium=email_sig&utm_campaign=gmail_api&utm_content=thumb" style="text-decoration:none;font-size:12px;color:rgb(43,130,173);font-family:'Proxima Nova',Helvetica,Arial,sans-serif" target="_blank">about.me/stephane.charette
                </a>
            </td>
        </tr>
    </tbody>
</table>
</div></div></div></div></div></div></div>