USB Virtual PC’s

I was browsing the news this morning, and ran across an article - Virtual PCs add new layer of security. They claim:

MojoPac virtual PCs are not just designed for mobile use. They can protect users who share the same computer. A virus introduced by one user into their MojoPac, or virtual computer, would not affect the rest, according to RingCube.

"If you were to corrupt your virtual world, your host PC would be fine," says RingCube Senior Vice President Ron DiBiase.

Please note that the following comments aren't aimed at any one implementation of this approach – and it is an interesting approach – but more at the overall issue of USB (in)security. I can buy that once you get the virtualized environment booted, then any sort of nasty app you might be unfortunate enough to run would then scribble on your USB drive, and not the host system. What I can't get around is the fact that USB was created without much thought to security. They carry around their own drivers. They're usually on a FAT file format, and thus have no protection from the host system. So the USB drive can attack the host when it's inserted, and the host can attack the USB drive. This is exactly the problem we used to have with floppies and boot sector viruses back in the bad old days.

I'm not pointing out anything new – numerous people have pointed out the flaws in USB drives (firewire is worse – direct memory access) for several years. I can see where this technology adds convenience, and some privacy (assuming the host isn't just spying on them and logging everything that happens), but I don't see it adding security – I see it bringing back an old virus vector. If someone were to write malware targeted at this environment, it could spread very quickly. I wouldn't feel any safer logging into a kiosk with one of these – it might be a reasonable way to keep your personal stuff off your work system, but then I have some trust in the host, and I know where all the USB devices plugged into that system have been.