Filed under: Mac OS X
, Security
, Virtualization
| It sounds obvious that Parallels users who run Windows need to keep on top of Windows security and patches. However, a recent addition to the Parallels Beta, called Global Sharing, can open up OS X itself to possible attacks from the Windows side. | |
The basic issue is that this Global Sharing option, which allows easy drag-and-drop app launching between OS X and Windows, is given carte blanche access to your Mac hard drive. Worse yet, this option is enabled by default, at least in beta build 3150 which I am currently running. Users upgrading from a previous version, to get awesome features like Coherence Mode, booting from Boot Camp partitions, and full USB support, may be vulnerable without even realizing this feature was slipped in.
The basic problem boils down to privilege separation. Parallels runs with the full rights of your OS X user, so in theory an attack could be developed and spread via Windows vulnerabilities that could then drop malicious code into OS X. It could also delete files or alter security and other settings.
Allowing Windows, known to be so insecure, to have this sort of access rights to the host operating system is a major misstep by the Parallels team. So if you run Parallels betas, please make sure you disable this feature (Edit -> Virtual Machine -> Shared Folders then uncheck the "Enable global sharing for drag-and-drop" checkbox and save. You'll need to shut down the virtual machine to have access to change this setting.
Consider the clever Windows hacker that uses this security hole to upload a complete Parallels vm to your system. One that replaces your own or just sits there waiting for you to start it. The possibilities are endless.
Fortunately this feature has been disabled by default with the latest release candidate from Parallels.
Posted by: dkp at February 16, 2007 12:09 PM
Thanks for the comment. Glad to see they've disabled it by default in the RC3 release.
Hopefully Parallels gives a meaningful warning message about the implications in the popup it displays when you first try to do a drag-and-drop. I'll have to upgrade my Parallels installation to see if that's the case.
Posted by:
Kevin Railsback at February 16, 2007 04:47 PM
Subscribe
NEWS 
E-mail This
Print This
