Microsoft released a security hotfix for Hyper-V last night. They describe it as:
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application that could cause Windows Hyper-V to incorrectly apply access control list (ACL) configuration settings. Customers who have not enabled the Hyper-V role are not affected.
This security update is rated Important for all supported editions of Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows 10 for x64-based Systems. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting how Hyper-V applies ACL configuration settings. For more information about the vulnerability, see the Vulnerability Information section.
KB3091287 does go into any more detail.
CVE-2015-2534 simply says:
Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows 10 improperly processes ACL settings, which allows local users to bypass intended network-traffic restrictions via a crafted application, aka “Hyper-V Security Feature Bypass Vulnerability.”
Affected OSs are:
- Windows 10
- Windows 8.1
- Windows Server 2012 R2
No Windows 8 or WS2012 – that makes me wonder if this is something to do with Extended Port ACLs.
Credit: Patrick Lownds (MVP) for tweeting the link.
And yet they still refuse to fix the issue that Hyper-V service can not be installed on windows 10 pro RTM with latest updates, or insiders build 105xx