Perils in Parallels?

Earlier this week Security Fix managed to install a new copy of Microsoft's Windows Vista Ultimate on top of Apple's Mac OS X operating system running on a Macbook Pro. I did this using Parallels, a powerful "virtual machine" program that lets users run two or more operating systems side by side at the same time.

When I went to behold the Frankenstein I'd created, I literally gasped when I realized that Vista now had complete access to read, write, or destroy files on my Mac's hard drive. The guest operating system -- in this case Vista -- has almost full run of the data on the underlying hard drive (the critical system files appear to be guarded). I later found a rather longish thread about this feature at the Parallels user forum.


(Screenshot by Brian Krebs)

In every other respect, Parallels strikes me as an extremely powerful, elegant and useful application. But the Parallels people should change the software's default behavior so that directories are not shared between the operating systems unless the user turns sharing on. There may be more dangerous implications of this design: I am still in the process of monkeying around with different scenarios.

I found the whole situation to be rather ironic. After all, virtual machines, such as VMware, have been very popular among virus researchers because they typically were used to protect people from threats, not introduce new ones. Security researchers have long used virtual machines to execute malicious software in a controlled environment that can be reset back to its previous, pristine state with the push of a button.

In response, a number of online threats will check to see if they're being run in VMware or some other kind of virtual environment. If the answer is yes, those viruses or worms generally refuse to run, in an effort to escape analysis and live longer, undetected, in the wild.

This scenario with Parallels presents the opposite threat: because sharing is on by default, virus writers could simply have their creations check whether they are running inside a Parallels virtual machine, and if so run some basic checks to see which operating system the host machine is running, and then drop appropriate malicious code in key places on the host system.

Such a scenario may sound far-fetched, but the reality is that if you can dream it up, the bad guys online are probably already doing it. Here's hoping the good folks at Parallels fix this feature in their next release.

It's worth noting that this sharing of files, directories, etc., between the host and guest operating system(s) is also possible on VMware products, except that VMware's default setting does not let the guest operating system read, write and delete pretty much anywhere on the host OS.

To disable this functionality, close out of the guest operating system, and in Parallels Desktop click on "edit." From there, click on "Shared Folders" and uncheck the box next to the option "Enable global sharing for drag-and-drop." You can then add any specific folders that you'd still like to share from that menu.

By Brian Krebs  |  February 10, 2007; 3:30 PM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  

Comments

Yes they should have that option removed completly or at least turned off by default with a big red flashing sign warning you ten times before you turn it on

Posted by: shane blyth | February 10, 2007 4:23 PM | Report abuse

Parallels is not free. Notice the big $79.00 price and Buy Now button on the page? Are you advocating that folks not pay for the software?

Posted by: geodude | February 10, 2007 4:26 PM | Report abuse

Geodude -- There is a pay version and a widely used free beta version. This article is talking about the latest free version.

Posted by: Bk | February 10, 2007 5:36 PM | Report abuse

So out of the 5% of computer users that use Macs (we'll discount those crazy OS9 users), and out of those probably less than a quarter have Intel Macs. So we're at 1.25% of computer users. Let's assume half of all Intel users are planning on using Parallels. That brings us down to .64% of computer users. Now out of that universe, perhaps half are using Vista .. so we're looking at the potential exposure to .3 % of computer users that may be exposed. I'm sure lots of bad people are planning to attack those Macs -- and I thought Vista was supposed to have some better protections.

Posted by: Charlie | February 10, 2007 5:36 PM | Report abuse

It's a 30-day free trial, even for beta. It's not free software.

Posted by: geodude | February 10, 2007 6:09 PM | Report abuse

Charlie,
This vulnerability is not limited to those using Vista as a guest operating system; Rob's point is that the guest system can write to the host system's partitions without the user realizing it. I just did a quick check myself (I am running Parallels with XP as guest) and it appears that the guest OS writes to the filesystem as the user not as root, so there are limits to what can be touched (e.g. I could write a file to /tmp but not to /etc and the resulting file was owned by me, not root).

This is a potential exploit, but I don't know if I would classify it as highly vulnerable - just my 2 cents...

Posted by: db | February 10, 2007 7:20 PM | Report abuse

Actually, considering Vista -- it's already had its first virus long ago in the alpha/beta stages. And it's pretty much open to attack now. It's not perfect. Nothing Microsoft makes is. However, it should be noted that when you run a piece of software like Parallels, 30 day version or not -- you are essentially giving yourself the same heartburn anyone else has when that OS it's designed for is in use. If someone's concerned, make sure you install ClamAV for Windows, and in turn ClamAV for the Mac or one of the other great free antiviral solutions out there, and one that can and will operate on both sides of the fence. I think you'll be pretty safe. Much safer than you'll be running Norton on one side at any rate.

Posted by: Amphetameme | February 10, 2007 7:56 PM | Report abuse

The combination of Mac OS X, Windows Vista and Parallels looks like a good way of running a high risk environment. The peril of this particular column is, I think, that an average Washington Post reader might think this is something a sane person should even attempt. When I see the title "Security Fix" I tend to think I'll see advice for computer users - this is advice for hackers.

Posted by: Menno Aartsen | February 10, 2007 8:42 PM | Report abuse

Charlie: This has nothing to do with Vista/Parallels... It has to do with Parallels on its own; this condition will occur regardless of the guest operating system... To attempt to blame this on Vista is fairly pathetic.

Amphetameme: How will a user be better running ClamAV over say Norton? At the very least NAV provides on-access scanning... meaning when the user downloads a file or reads a file NAV will scan it. ClamWin (ClamAV for Windows) doesn't currently support on-access scanning and is on-demand only. Should a user run ClamWin, they would be sitting there thinking they are protected, yet ClamWin wouldn't be doing anything until asked to.

Also, AV is only as accurate as the signatures it currently has... meaning a new virus could easily get past... Especially if the VM isn't booted regularly and doesn't update its AV as soon as it is booted.

This is a security risk and it is something that should be addressed. A "default off" state would be the preferred solution.

http://www.computerdefense.org/?p=256

Posted by: Tyler Reguly | February 10, 2007 11:33 PM | Report abuse

Parallels is not free.

Posted by: Tom Saxton | February 10, 2007 11:34 PM | Report abuse

The only way that Vista has access to the host OS is if folder sharing is enabled and the user intentionally shares the OS X directory structure.

I agree that perhaps Parallels should have a warning to the effect that malicious Windows code can have a dangerous impact on your Mac, but to shift the blame from Windows insecurity to the makers of third party software such as Parallels is a tad sneaky.

Besides, any Mac user worth his salt knows that running Windows on a Mac is a risky proposition at best!

For those of you who do not know, this linked post shows the dialogs Parallels users see when they enable folder sharing:
http://babygotmac.com/a/159

Posted by: BabyGotMac.com | February 11, 2007 12:48 AM | Report abuse

As a participant in the referenced thread and principal detractor of this capability, I assure you that the risk is real. Probable is quite another thing. That's the way meteoroids work too. You're never bothered by the ones that don't land on you.

Read the thread - particularly toward the end. Skip over the bloviating, sorry about that, and read what is possible.

Posted by: dkp | February 11, 2007 1:33 AM | Report abuse

I am an early adopter of Parallels and it has been excellent value -- the betas are free to me.

A Windows VM is a Windows machine and has to be carefully managed like any other WinXP SP2 machine.

(Don't touch Vista for one year as an update until Sp1 at least - if you remember Windows SE - new Vista machines OK)


Anti-virus
Anti-spyware
Firewall
Parental controls to block unsuitable content
Anti-spam e-mail protection

my own Blog http://mac-on-intel.blogspot.com/ has little to say because it all works so well

Hugh W

Posted by: Hugh Watkins | February 11, 2007 9:29 AM | Report abuse

@Charlie:

That .3 % could include you. And if you got hit you'd wail enough for the whole 5%. Sooner or later you have to take your head out of the sand - and when you do you can find the world hasn't improved much and those black hats are closer than ever and even breathing down your ostrich neck.

A security gaffe is a security gaffe - period.

Posted by: Rick | February 11, 2007 12:51 PM | Report abuse

tyler:

My point is twofold:

1) If Macs are protected through "security by obscurity", then the one third of one percent of computer users that use Intel Macs and Vista are really, really obscure. I suspect you are trying to say that it is not just Vista, it is any Mac user that has Parallels running. By my table napkin count, that is still less than 2/3 of one percent of all computer users that may be exposed. If you are bad guy, why even bother targeting such a small group?

2) My point about Vista being more secure is not to attack Vista, which has fairly good security. It goes to show what a stupid post this is -- the people who should not be worried are the intel mac users running a VM with Vista, but the universe of Intel Mac users running Windows 2000 or XP in Parallels.

Makes you wonder why Krebster is even being paid for this useless posting.....

Posted by: Charlie | February 11, 2007 12:56 PM | Report abuse

@dkp:

Well done!

Posted by: Rick | February 11, 2007 1:02 PM | Report abuse

Well, that must be on the BETA, RC like the latest "Parallels Desktop for Mac Release Candidate 2 (Build 3150)" or similar, because the current stable and retail Parallels Desktop 2.2.1970 does not have such "Enable global sharing for drag-and-drop" option at all.

Posted by: WasPoX | February 11, 2007 1:24 PM | Report abuse

Great article!

Suggestion: could we have a "Print" option on these pages to print/save for reference without ads?

Thanks!

Posted by: Peter | February 11, 2007 1:46 PM | Report abuse

I can see reasons for running it, but why bother to use it for the internet at all? It's just as easy to use Safari or Mac Firefox whilst running a virtual machine.

Posted by: andy | February 11, 2007 2:29 PM | Report abuse

Running a default Windows installation in Parallels, this is the situation:

A well constructed Windows virus can:

- copy your virtual machines to a remote site where they will be installable and executable on the thief's system. The perfect crime - you won't even know it's happened.
- delete your home directory and all its contents, including itself
- install a wicked vicious binary or Perl script on your OS X hard drive, modify your OS X shell rc/profile script so that the wicked vicious tool will be launched the next time a command line window is opened.
- harvest most everything on your hard disk, limited only by what your user account is prohibited from seeing.

At this point a clever Clint Eastwood quote seems appropriate "Feeling lucky...?"

Posted by: dkp | February 11, 2007 3:41 PM | Report abuse

The real problem is not GFS, it's that Parallels is not running with minimum necessary privilege. It is basically unacceptable from a security point of view that any component of Parallels that provides a mechanism for a Windows application to "see outside" the virtual machine should run with "root" privilege. A background process that serves as a file system proxy and runs with no more than normal user privileges should be performing the accesses.

Posted by: Peter da Silva | February 12, 2007 9:27 AM | Report abuse

Readers may find it interesting that the default Linux setting allows zero shared folders.

Since Linux and Windows can both do file sharing over CIFS (and I bet there's some way for Windows to do NFS as well), you could set up your network in such a way that would allow slightly safer sharing than direct file system methods.

Buuuut, as an ex-security researcher myself, I need to point out that, VM or not, anytime you run ANY executable code on your machine, you put your machine at risk.

Java was regarded as having better security because it ran inside a virtual machine, but numerous implementation flaws have allowed Java code to escape the boundaries and impact the host machine.

Running a VM like VMWare or Parallels is no different. The security is only as good as the underlying software and its configuration (and I suppose the host OS in some cases). Setting the shared folders to zero should not give anyone the illusion that no program inside the VM will ever be able to do anything to their host Mac.

That being said, you should set it to zero. We know burglars can break into our homes by smashing a window, but we still lock our doors. Security is like poker - something always beats nothing.

Posted by: Eric Uner | February 12, 2007 10:23 AM | Report abuse

The Mac comments seem to generate from folks that neither read nor think. Macs now comprise about 12% of the market and almost 25% of the traditional student market. Thinking Vista will be any better than any other Microsoft crap is silly; Microsoft hasn't had an original idea since the first version of Office, and even that was taken from others. What we really need is some serious work on Open Office so we can finally rid ourselves of Microsoft.

Posted by: CD | February 12, 2007 10:56 AM | Report abuse

I installed Parallels last summer on my MAC BookPro. I've been a Windoze user since 3.2. Install went fine and I assumed I'd be switching back and forth between the two OSs. Guess what? I've never found the need to install any Windoze software! I'm happy in the MAC world so I could care less if VISTA will install or has security issues. Not going there.

Posted by: Dennis | February 12, 2007 11:36 AM | Report abuse

Charlie,
I think that this subject area is not as much of a niche as you suggest. It is one area that could show fantastic growth, much to the chagrin of the PC manufacturers. A lot of people really want MACs, but want the option to run Windows for work requirements. So whether they use BootCamp, Parallels or other VM ware, we could see relatively fast market share growth from Intel based MACs. As long as Microsoft can keep selling their software, even they don't have much to lose from this.

Posted by: OhioMC | February 12, 2007 1:52 PM | Report abuse

OhioMC -- my point is not about the popularity of Macs -- I have no doubt it will only grow. However, regardless of the eventual growth of the Mac market share, the population of Intel Mac users running an active VM system is going to be much much much smaller than the MS established base. The risk of hackers writing Trojans to target that small base is even lower -- because they are far more attractive targets.


Assume 25% of US computer users run a Mac -- which is an unreasonably large assumption. Since those will mostly be new buyers, let's then assume that 80% of them are Intel Mac users. Since in your model most new buyers are using them to run a VM Windows, let's further assume 75% of the Mac users are using a Windows VM solution. (These numbers are high.) Therefore 15% of ALL computer users in the US might be using an Intel Mac with a VM running.

I'd admit that 15% of computer users in the US is an attractive target. You'd want to reduce those numbers a bit since many of them will not be running the VM fulltime -- they'll be booting up the VM for specific applications -- and a VM user is still likely to use Mac programs for web and email (less so for email than web), which are your usual vectors of infection. So let's take that down to 10% of computer users in the US who may be exposed.

Is that a danger level -- yes -- but it is still more worthwhile to go after Windows 2000 or XP machines, which would still be much larger chunks of the US market. And hackers target machines worldwide, where nobody is predicting Apple will get close to a 25% worldwide market share.

Posted by: Charlie | February 13, 2007 3:30 PM | Report abuse

So what's your point, Charlie? The article is about a stupid security default setting that could expose Mac users to Windows-like problems. But you would rather we just didn't talk about these things at all, is that it?

Tell me something, does Apple's vast PR machine pay you by the word, or by the post?

Posted by: Chucky | February 13, 2007 7:07 PM | Report abuse

There's a fundamental error in this article. The "Global Desktop Sharing" option respects the *NIX file permissions on the host operating system. Normal (ie, non-root) users can *read* most of the filesystem, but cannot write, update, or delete. What does this mean in English? Windows running in a Virtual Machine under Parallels with this feature enabled can view almost anything on the system, but can only modify stuff that the currently logged in user has permissions for, typically their $HOME directory (/Users/whatever) and some other publicly writable directories (eg, /tmp).

Parallels runs as a normal user process, NOT as root.

This is still plenty scary from my perspective - spyware running in a Windows VM could potentially access personal information on my machine.

The "global desktop sharing" option is enabled by default; a user should have to turn this "feature" on if they want to use it.

You might want to do a better job of fact-checking your articles before submitting them.

Posted by: problemChild | February 13, 2007 8:22 PM | Report abuse

problemChild - I think the confusion is that the vm has a read/write mount at the root level of the Mac disk. The term 'root' is a bit overloaded and I've been advised by readers that the wording is confusing. The vm access is to the root of the Mac drive but with user level permissions. Dog forbid that user should be the admin user because that is equivalent to root, but also a rare situation.

The problem is real enough, though. Clever tools can hide exploitive code in /var/tmp and other user writable areas that are alien to many Mac users unfamiliar with Unix. And while it's true that Windows cannot execute code on the Mac, it can plant lines of code in the user's shell profile that will launch anything the user has access to the next time that user runs a shell command. It would not take a lot of code to write a cute little tk/tcl gui app that asks the user for the admin password, for example. You are quite right that this is not a healthy default.

Posted by: dkp | February 13, 2007 11:03 PM | Report abuse
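The host-side exposure dkp and problemChild describe above (guest writes land in the user's home directory and world-writable temp areas, with the shell startup files as the obvious place for a dropped line to get executed) lends itself to a simple integrity check. The script below is an added example, not code from the article, the commenters or Parallels: it snapshots the user's shell startup files, later diffs them against the snapshot, and lists freshly modified executables in a user-writable directory. The file list, function names and baseline path are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the article or the Parallels product): a host-side
# integrity check for the files a guest VM with write access to the user's
# home directory could tamper with. Assumes POSIX sh plus diff and find.
# RC_FILES, the function names and the baseline location are my own choices.

# Startup files an interactive or login shell sources on macOS/Linux.
RC_FILES=".profile .bash_profile .bashrc .zshenv .zprofile .zshrc"

# rc_baseline HOME BASEDIR: copy every existing startup file under HOME into
# BASEDIR (created if needed). A file missing now but present later is
# reported by rc_check as NEW, because it has no copy in BASEDIR.
rc_baseline() {
    home="$1"; base="$2"
    mkdir -p "$base"
    for f in $RC_FILES; do
        [ -f "$home/$f" ] && cp "$home/$f" "$base/$f"
    done
    return 0
}

# rc_check HOME BASEDIR: compare the live startup files with the snapshot.
# Prints a diff for each changed file (lines marked '>' are additions since
# the baseline), REMOVED for a vanished file and NEW for one that appeared.
# Returns 0 when nothing changed, 1 otherwise.
rc_check() {
    home="$1"; base="$2"; changed=0
    for f in $RC_FILES; do
        if [ -f "$base/$f" ]; then
            if [ ! -f "$home/$f" ]; then
                echo "REMOVED: $home/$f"; changed=1
            elif ! diff "$base/$f" "$home/$f"; then
                echo "CHANGED: $home/$f (see '>' lines above)"; changed=1
            fi
        elif [ -f "$home/$f" ]; then
            echo "NEW: $home/$f (did not exist at baseline)"; changed=1
        fi
    done
    return $changed
}

# recent_execs DIR DAYS: regular files under DIR owned by the current user,
# with the owner execute bit set, modified within the last DAYS days. Meant
# to be run over /tmp and /var/tmp, the user-writable areas named above.
recent_execs() {
    find "$1" -type f -user "$(id -un)" -perm -100 -mtime "-$2" 2>/dev/null
}

# Typical use (hypothetical paths): run rc_baseline "$HOME" "$HOME/.rc-baseline"
# once, then rc_check "$HOME" "$HOME/.rc-baseline" and recent_execs /var/tmp 1
# periodically, e.g. from a cron or launchd job.
```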

my point, Chucky, is that this is a problem that a very small percentage of computer users have to deal with, and it is unlikely that hackers will write attacks to go after the .3 to 1% of computer users affected. I'd rather read about some real security problems on the Mac and other platforms.

Posted by: Charlie | February 14, 2007 11:56 AM | Report abuse

The latest beta version (build 3170) of Parallels now has this feature turned off by default:
http://www.parallels.com/products/desktop/beta_testing/

Posted by: JCM | February 16, 2007 12:03 PM | Report abuse

Parallels is designed for ease of use. It is designed for people who don't understand virtualization; they understand they need to run Windows applications. At the same time, they need to be able to access their documents from both platforms. A virus on Windows will not affect anything other than common documents. There is no registry to hack on Mac OS X. Word documents etc. are vulnerable, but you should be running some anti-virus.

Posted by: Bradford Knowlton | February 18, 2007 4:45 PM | Report abuse

Bradford - you underestimate the possibilities. A Windows virus can upload a new and dangerous Parallels virtual machine to your OS X home directory, for example. There are a number of ways to launch it once it's in place. It doesn't have to be a Windows VM - it can be any operating system Parallels can run, and it doesn't have to play nice once it starts. Virtual machines change the game - especially those "VM Appliances" that require only an appliance player to run a VM. How long until someone creates a portable spambot, pornbot, or BitTorrent appliance?

Posted by: dkp | February 27, 2007 12:02 PM | Report abuse

I think dkp saved that company. I'm not exaggerating.

Posted by: peeder | February 27, 2007 9:08 PM | Report abuse


© 2010 The Washington Post Company