Big security risk with global sharing

1 | 2 | 3 | 4 | 5 | > Last »

01-24-2007, 11:21 AM #1
goron Junior Member Join: Apr 2006 Posts: 13	Big security risk with global sharing In Parallels Desktop 3120, there is an option (on by default) to "enable global sharing for drag-and-drop." Whilst this is a nice feature, it seems to be implemented by having a semi-hidden (ie, not in the list) shared folder called ".Mac". This folder gives read/write access to the entire Mac boot drive :eek: Given the amount of viruses and other malware on Windows, the last thing I want is the virtual XP having full read/write access to my Mac! This feature should be turned off by default and a big warning shown before turning it on.

01-24-2007, 11:21 AM

goron
Junior Member

Join: Apr 2006
Posts: 13

Big security risk with global sharing

In Parallels Desktop 3120, there is an option (on by default) to "enable global sharing for drag-and-drop."

Whilst this is a nice feature, it seems to be implemented by having a semi-hidden (ie, not in the list) shared folder called ".Mac".

This folder gives read/write access to the entire Mac boot drive :eek:

Given the amount of viruses and other malware on Windows, the last thing I want is the virtual XP having full read/write access to my Mac!

This feature should be turned off by default and a big warning shown before turning it on.

01-24-2007, 12:28 PM #2
ATXP Member Join: Dec 2006 Posts: 64	Agreed. Should have been turned off by default. I asked this question when RC1 came out but no one gave me the right answer. Then I have to figure all this out by poking around the configuration.

01-24-2007, 12:33 PM #3
dkp Senior Member Join: May 2006 Posts: 1,416	This has been discussed and solved for RC1. Search the recent archives. The solution is to disable global sharing and to scream like hell to the beta@parallels.com mailbox to turn this crap off.

01-24-2007, 01:07 PM #4
DerekS Member Join: Sep 2006 Posts: 61	Couldn't agree more, this feature is extremely dangerous and I won't use it. The only benefit it brings, as far as I can tell, is that you get WinXP progress dialogs for file copies in/out of the VM as oppposed to MacOS progress dialogs in the Parallels window.

01-25-2007, 11:18 AM #5
Stitch Junior Member Join: Jan 2007 Posts: 3	Thanks for bringing this to attention! Someone could design a virus to ravage OS X for parralels users. That would quite easily put off a lot of potential buyers eh...

01-25-2007, 12:15 PM #6
neosublime Member Join: May 2006 Posts: 62	OK... TOO MUCH. You people are as bad as cnn with it's, "be afraid of cookies", and it's, "better have a firewall", scare tatitics. Granted it mat be a posibility some day for some sort of security risk, but if any of you can go into \\.PSF\.Mac\private and create, or delete files and folders, let me know. I thought right away that this was a major mistake on the part of Paralles Team, but it seems to be pretty safe by me. It's the same as if you were to map your home folder to your drive. Yes anything that you have read and write access to may be at risk, but isn't that the "World of Windows" for you? The reason I use a Mac is because I was sick of Windows security, usability, and licensing. So... therefore, I no longer use Windows. BUT, there are a few programs I use that are windows only. If you are concerned about security and a big bad virus, disable your networking. Don't let windows have Internet access, and for god sake don't surf along blindly clicking away with IE. I can run an unpatched Windows 95 system all day long with no virus software and not have a thing to worry about... AS LONG AS IT'S NOT CONNECTED TO THE INTERNET! So please don't buy into the same fear that christians, and politicians try to sell. Don't be so scared, just more cautious. Educate yourself.

01-25-2007, 12:15 PM

neosublime
Member

Join: May 2006
Posts: 62

OK... TOO MUCH. You people are as bad as cnn with it's, "be afraid of cookies", and it's, "better have a firewall", scare tatitics. Granted it mat be a posibility some day for some sort of security risk, but if any of you can go into \\.PSF\.Mac\private and create, or delete files and folders, let me know.

I thought right away that this was a major mistake on the part of Paralles Team, but it seems to be pretty safe by me. It's the same as if you were to map your home folder to your drive. Yes anything that you have read and write access to may be at risk, but isn't that the "World of Windows" for you?

The reason I use a Mac is because I was sick of Windows security, usability, and licensing. So... therefore, I no longer use Windows. BUT, there are a few programs I use that are windows only.

If you are concerned about security and a big bad virus, disable your networking. Don't let windows have Internet access, and for god sake don't surf along blindly clicking away with IE. I can run an unpatched Windows 95 system all day long with no virus software and not have a thing to worry about... AS LONG AS IT'S NOT CONNECTED TO THE INTERNET!

So please don't buy into the same fear that christians, and politicians try to sell. Don't be so scared, just more cautious. Educate yourself.

01-25-2007, 10:08 PM

dkp
Senior Member

Join: May 2006
Posts: 1,416

Quote:

Originally Posted by neosublime

So please don't buy into the same fear that christians, and politicians try to sell. Don't be so scared, just more cautious. Educate yourself.

Here's some education for you. Not connecting to the Internet is only slightly more useful than leaving the VM off - it's not going to happen. Here's another flash, Einstein - your entire hard drive is available to Windows for harvesting. But wait, there's more. All your remote mounts are available for harvesting. Oh yes - you not only get to expose your own Mac, but every system that can be discovered in /Volumes. Do you have any idea how much information that presents to a harvesting drone?

This is a bad idea that should be turned off and rethought.

01-25-2007, 10:31 PM #8
neosublime Member Join: May 2006 Posts: 62	proof of concept.............? anyone...............?

01-25-2007, 11:57 PM

unused_user_name
Senior Member

Join: Jun 2006
Posts: 462

Quote:

Originally Posted by neosublime

proof of concept.............?

anyone...............?

Run locate in cygwin in the VM... turn ON searching over network mounts.

Wait 20 minutes.

Search for (some document that windows should not be able to see).

__________________
MacBookPro C2D 2.4Ghz, 4gb RAM, 200gb Disk
Win XP Pro VM, 512mb RAM, 30gb Disk
Fedora 7 VM, 512mb RAM, 20gb Disk
Minix VM, 128mb RAM, 200mb Disk

01-26-2007, 12:21 AM #10
unused_user_name Senior Member Join: Jun 2006 Posts: 462	A better example: http://www.cert.org/advisories/CA-2001-22.html This virus infects files in unprotected (i.e. no password) windows file shares. All someone would need to do is get a copy of it and change the payload to infect unprotected MS word documents with the latest and greatest windows virus. Something like this: http://www.symantec.com/security_res...051914-5151-99 The mac itself would be immune, but all your friends who have windows boxen would get the virus when you send them a .doc file. Effectively the Windows virus can get out of the sandbox of the virtual machine and infect Mac documents. You could also (fairly easily) add a little program like synergy (http://synergy2.sourceforge.net/) to the payload. Have the virus add that to the Mac user's startup script and you have a zombie machine that is a Mac. If I wanted to (I don't) I could turn this into a real-live working Parallels Windows crossing to Mac virus without even having to write too much source-code. Parallels developers: PLEASE get rid of this option. The people that do not understand any of that stuff up there are the people that are most at risk from this option. Don't make it so that you can turn it off, just get rid of it. Go back to the old file copying method, just bugfix it. __________________ MacBookPro C2D 2.4Ghz, 4gb RAM, 200gb Disk Win XP Pro VM, 512mb RAM, 30gb Disk Fedora 7 VM, 512mb RAM, 20gb Disk Minix VM, 128mb RAM, 200mb Disk

01-26-2007, 12:21 AM

#10

unused_user_name
Senior Member

Join: Jun 2006
Posts: 462

A better example:

http://www.cert.org/advisories/CA-2001-22.html

This virus infects files in unprotected (i.e. no password) windows file shares.

All someone would need to do is get a copy of it and change the payload to infect unprotected MS word documents with the latest and greatest windows virus. Something like this:

http://www.symantec.com/security_res...051914-5151-99

The mac itself would be immune, but all your friends who have windows boxen would get the virus when you send them a .doc file. Effectively the Windows virus can get out of the sandbox of the virtual machine and infect Mac documents.

You could also (fairly easily) add a little program like synergy (http://synergy2.sourceforge.net/) to the payload. Have the virus add that to the Mac user's startup script and you have a zombie machine that is a Mac.

If I wanted to (I don't) I could turn this into a real-live working Parallels Windows crossing to Mac virus without even having to write too much source-code.

Parallels developers: PLEASE get rid of this option. The people that do not understand any of that stuff up there are the people that are most at risk from this option. Don't make it so that you can turn it off, just get rid of it. Go back to the old file copying method, just bugfix it.

__________________
MacBookPro C2D 2.4Ghz, 4gb RAM, 200gb Disk
Win XP Pro VM, 512mb RAM, 30gb Disk
Fedora 7 VM, 512mb RAM, 20gb Disk
Minix VM, 128mb RAM, 200mb Disk

01-26-2007, 02:41 AM #11
drval Senior Member Join: Dec 2006 Posts: 490	Or simply use antivirus, firewall and anti-spyware on the Windows side as has been the case all along for Windows. Ooops, I forgot I gave a clear solution to this supposed "problem" and here we're apparently supposed to be trashing the whole idea of Parallels and inter-operability here. Mea culpa. __________________ The Power of NeuroCARE www.zengar.com

01-26-2007, 09:29 AM #12
dkp Senior Member Join: May 2006 Posts: 1,416	Anti-virus tools have no defense against day one viruses. Windows has a long history of vulnerabilities that can be lit off simply by visiting the wrong web site. It's a bad mix. Don't trivialize the possibilities this presents to crackers. I deal with Unix security every day and the last thing you want/need is to have your entire file system shared out to windows systems.

01-26-2007, 09:40 AM

#13

rhind
Member

Join: Dec 2006
Posts: 84

Quote:

Originally Posted by neosublime

Precisely. And that is why I map my home folder as read-only because. So while the global share doesn't give it write access to system folders, it does give write-access to places that I have tried to forbid Parallels from accessing. Hence why I've turned it off. All my important documents are in my home folder, so don't want to run the risk of something happening to them (even though I have numerous backups).

Cheers

Russell

01-26-2007, 09:43 AM

#14

rhind
Member

Join: Dec 2006
Posts: 84

Quote:

Originally Posted by drval

Or simply use antivirus, firewall and anti-spyware on the Windows side as has been the case all along for Windows.

I'd just like to say that I haven't been infected by a virus on a windows machine, and I do run anti-virus and firewall software to help reduce the risk. But what you are suggesting isn't a solution. Anti-virus software works by detecting 'known' viruses and similar viruses. It can't protect about 'unknown' viruses (i.e. new ones that have got definitions for them yet) so it isn't the perfect solution.

Neither is not give windows read/write access to my home folder, but it is a start.

Cheers

Russell

01-26-2007, 10:04 AM #15
neosublime Member Join: May 2006 Posts: 62	(NOTE: This response is with a completely humble an non cynical attitude.) I understand, and agree with you ALL that, "in theory", it could happen. But the examples that have been given are scenarios wher the "bad guy" already knows you have have a mac running parallels with an XP VM. I no longer use synergy, as I have condensed my desk down to one system. I have no need for cygwin because I have a Mac now. I do believe that this feature should be turned off by default, but removing it is unnecessary . Once again we are all on the Mac platform. I guess all of you that buy the fear also bought Norton Anti-Virus for the Mac too. I can write a virus for any machine at any given time. But will it spread? Will it work on all systems? No. Many educated techs run windows without AV software. I am not insulting any of your intelligence, as I beleive you ALL are very tech savy users, or you wouldn't even know what a virtual machine is. (Trust me, if I explain it to my clients, they look at me in confusion.) All I'm saying, is that we should always be alert of possibilities, but not run around screaming our heads off that the sky is falling.

01-26-2007, 10:04 AM

#15

neosublime
Member

Join: May 2006
Posts: 62

(NOTE: This response is with a completely humble an non cynical attitude.)

I understand, and agree with you ALL that, "in theory", it could happen. But the examples that have been given are scenarios wher the "bad guy" already knows you have have a mac running parallels with an XP VM.

I no longer use synergy, as I have condensed my desk down to one system. I have no need for cygwin because I have a Mac now.

I do believe that this feature should be turned off by default, but removing it is unnecessary . Once again we are all on the Mac platform. I guess all of you that buy the fear also bought Norton Anti-Virus for the Mac too.

I can write a virus for any machine at any given time. But will it spread? Will it work on all systems? No. Many educated techs run windows without AV software.

I am not insulting any of your intelligence, as I beleive you ALL are very tech savy users, or you wouldn't even know what a virtual machine is. (Trust me, if I explain it to my clients, they look at me in confusion.) All I'm saying, is that we should always be alert of possibilities, but not run around screaming our heads off that the sky is falling.

01-26-2007, 10:11 AM

#16

drval
Senior Member

Join: Dec 2006
Posts: 490

Quote:

Originally Posted by dkp

Anti-virus tools have no defense against day one viruses. Windows has a long history of vulnerabilities that can be lit off simply by visiting the wrong web site. It's a bad mix. Don't trivialize the possibilities this presents to crackers. I deal with Unix security every day and the last thing you want/need is to have your entire file system shared out to windows systems.

Yes, and I'm also a Unix hack for over twenty years now.

Let's not peddle fear but deal with realities instead. Mac isnt more secure per se than Windows, it's less prominent becaue of its relatively small market share. Windows is ALWAYS a target because of it enormous market share.

And it's because of day one viruses -- among other reasons! -- that one has complete backups. Or are you saying that Mac needs NO such backups? If you're doing backups anyway AND you have a problem with a day one virus, you can simply redo the system -- like you would with ANY complete restore from backup.

You don't to use Windows and Mac, then don't but there are a number of us -- a very large number -- who want that precise feature.

__________________
The Power of NeuroCARE
www.zengar.com

01-26-2007, 10:20 AM #17
neosublime Member Join: May 2006 Posts: 62	Very well said drval.

01-26-2007, 10:21 AM

#18

dkp
Senior Member

Join: May 2006
Posts: 1,416

Quote:

Originally Posted by neosublime

The bad guy doesn't have to think about it. It's not like the old days where they hunt and peck. Script kiddies just run canned tools and wait for results. The people who write the tools are pretty damn clever. This is a new opportunity just waiting for exploitation.

01-26-2007, 10:36 AM

#19

dkp
Senior Member

Join: May 2006
Posts: 1,416

Quote:

Originally Posted by neosublime

Very well said drval.

And complete irresponsible BS. Nobody is saying to not provide the functionality. This is just not the right or safe way to do it.

Nobody is peddling fear - we are discussing real security in the real world. There is nothing to be gained by fear mongering nor by ignoring basic security guidelines.

Nobody is arguing that backups are a bad idea - what is being suggested is to be pro-active and not allow the exploit in the first place. It is expensive and inexact to try to recover lost data/files/configurations after an exploit, and you can never get back what has been distributed across the internet.

The problem is quite easy to test (but please don't!!)
* Open an OS X terminal session
* cd to /
* Run rm -r * # This is DANGEROUS!
* Wait

This will destroy a lot of things and this is the capability a trivial UNC capable Windows app has thanks to the global share.

Another test - use a Windows tool to copy files into the Mac file space until all the space is gone and watch what the Mac response is. A trivial malicious windows app can do this.

These tests are DANGEROUS! Do not repeat them at home!

01-26-2007, 10:43 AM

#20

rhind
Member

Join: Dec 2006
Posts: 84

Quote:

Originally Posted by dkp

These tests are DANGEROUS! Do not repeat them at home!

And when your machine is used for business, having it out of action for a day or a few days can be extremely costly, even if you don't loose and data because of backups.

Being self-employed I'd rather take as few risks as possible.

Cheers

Russell

« Previous Thread | Next Thread »

1 | 2 | 3 | 4 | 5 | > Last »

Search this thread	Forum jump
Advanced Search

Thread tools	Display modes
Printable Version Email this Page	Linear Mode Hybrid Mode Threaded Mode