Article ID: 937986 - Last Review: September 30, 2011 - Revision: 3.0

MS07-049: Vulnerability in Virtual PC and Virtual Server that could allow privilege elevation

View products that this article applies to.

System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

INTRODUCTION

Microsoft has released security bulletin MS07-049. The security bulletin contains all the relevant information about the security update. This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites:

Home users:
http://www.microsoft.com/protect/computer/updates/bulletins/200708 (http://www.microsoft.com/protect/computer/updates/bulletins/200708.mspx)
IT professionals:
http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx (http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx)

Back to the top

Known issues with this security update

If the you install the 64-bit version of update 937986 on a 32-bit operating system, the installation fails. This issue occurs because the Advpack.dll file experiences an error when creating the process for the update. You receive a warning dialog box that states that the update did not install.
When the update 937986 is applied on a remote machine by using Terminal Services, the update does not replace the vulnerable files if the /console option is not used. To avoid this issue, you must use the /console option as shown in this example:
mstsc /console /v:<machine name>
This update is not supported in Windows Vista. If your computer is running Windows Vista, we recommended that you use either Virtual PC 2007 or Virtual Server 2005 R2 SP1 depending on your requirements. Neither of these two applications has the vulnerability described in Microsoft Knowledge Base article 937986.
- Virtual PC is a free product. To download this product, visit the following Microsoft Web site:
  http://www.microsoft.com/windows/virtual-pc/default.aspx (http://www.microsoft.com/windows/virtual-pc/default.aspx)
- Virtual Server 2005 R2 SP1 is a free product. To download this product, visit the following Microsoft Web site: http://www.microsoft.com/windowsserversystem/virtualserver/downloads.aspx (http://www.microsoft.com/windowsserversystem/virtualserver/downloads.aspx)