Microsoft yet to fix six-month-old Virtual PC flaw


Microsoft has yet to fix a serious security flaw in its Virtual PC hypervisor that was reported to it last year, according to researchers.

Core Security Technologies claimed to have discovered a vulnerability in the software that could lead to system infiltrations and reported it to Microsoft back in August 2009.

Although the software giant claimed it would address the problem in future updates, it appears to have been left to fester.

Today the US security firm has released a statement saying the affected versions of the product contained a vulnerability allowing attackers to bypass security mechanisms in place on the Windows operating system, enabling them to take over the machine.

There is also a risk that a certain type of common software bug could be exploited through this opening.

Affected versions include Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7, the XP Mode feature is also affected; however, Hyper-V has been said to be secure.

"Virtualisation is an area that offers tremendous promise to the entire computing world, but it must be remembered that the technologies that enable this process may also introduce potential risks that previously didn't exist," said Ivan Arce, chief technology officer of Core Security Technologies, in a statement.

"This particular case provides a good example of how mechanisms designed to improve an operating system's security over many years can eventually become ineffective when some of the basic underlying aspects of their operation are changed by virtualisation technology."

The security company has advised users to run mission-critical Windows applications on alternative virtualisation technologies or raw hardware, or else ensure Virtual PC technologies are kept at the highest patch level possible and closely monitored.

We contacted Microsoft for comment on the flaw, but it had not responded to our request at the time of publication.

Jennifer Scott
