Don't automatically upgrade to v9

Discussion in 'Installation and Configuration of Parallels Desktop' started by Paul Barnard, Sep 10, 2013.

Thread Status:
Not open for further replies.
  1. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    Think very carefully before upgrading. This installation disregards all rules of security and steals your credentials to install unannounced applications. It is a massive failure of security etiquette.

    There are posts in the specific Access forum about this but in summary you will finish up with several things installed that you have not asked for or authorised. You will have a server account associated with your Parallels logon information.

    Read the posts before upgrading and decide if you are happy to do this. For me it is a complete disaster.
     
  2. serv

    serv Forum Maven

    Messages:
    817
    MODERATORIAL. Think carefully before using words 'trojan', 'virus', 'stealing' and such. Invalid accusations based on poor understanding of the subject and misinterpretation of facts are also a failure of etiquette.
     
  3. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    Trojan: A Trojan horse, or Trojan, is a hacking program that is a non-self-replicating type of malware which gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access to the target's computer.

    From that definition I would say that your stealthy install of Access fills the requirements. The fact that you also installed Safari extensions when I had an explicit setting in Safari not to install extensions shows you used administrator privileged rights that I had not authorised you to do. That is stealing. The fact that you also sent information about my computer to your servers fully meets the definition of a back door program. I see this as malicious as you failed to tell me that you were going to do it.

    You can play the heavy handed moderator if you like but get your own house in order before telling others they are misinterpreting the facts. As a 30 year veteran of the software industry with a background in security I am perfectly qualified to make these assessments. What is your basis for accusing me otherwise?
     
  4. Specimen

    Specimen Product Expert

    Messages:
    3,242
    (emphasis is mine)

    This is not factually correct, when you install (launch the first time) PDM9 it asks you for your administrator password, which means you authorize and give administrator privileges to the program. I personally don't like that the Safari extension is installed by default and I always remove it, as I have no need for it, but the fact is that when you install PDM9 it does ask you for administrator privileges and you have to type your password (authorize) for it to install all these things, at this point one can stop and not proceed and inquire of Parallels as to why it needs such privileges.
     
    Last edited: Sep 10, 2013
  5. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    I was asked to authorise the UPGRADE of Parallels not the installation of new software... Obviously you needed the privileges to do the upgrade I had no issue with that so granted the rights. Unfortunately you then misappropriated my credentials to install additional software unannounced. You also passed my system's specific block on installing Safari extensions. That is ABSOLUTELY the definition of a trojan install.

    Oh and just a bit of background; I have been a user of Parallels since a few days after the first release. I have upgraded through all the releases since then. It has never done this before. This is totally unacceptable. The quicker you all admit it and provide a system clean utility, rather than try to justify it, the better.
     
    Last edited: Sep 10, 2013
  6. Specimen

    Specimen Product Expert

    Messages:
    3,242
    You don't need privileges to do an upgrade if it doesn't do anything that requires such privileges. And by the way, the Safari extension was already present in PDM8 and afaik in PDM7, it's not a new component, Parallels Access had a different name, it was Parallels Mobile and it was also installed in these versions, what it didn't have was the accompanying Parallels Access app, but the privileged components to allow adequately authorized remote access were already present in previous versions. I hope that helps clarify the facts.
     
    Last edited: Sep 10, 2013
  7. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    My credentials were needed on the upgrade to replace the file in the Applications folder. Installing the launcher extensions also required privileged access. The Safari extension was not installed in the earlier versions on my system. If you look at the forum you will see others are seeing it for the first time as well. My complaint here is that you installed an APP without my permission and installed and enabled a Safari extension when I had explicitly configured my system not to accept Safari extensions. Your clarification of the facts is only serving to clarify my opinion of the current demise of a once excellent and professional company.
     
  8. Specimen

    Specimen Product Expert

    Messages:
    3,242
    Not factually true either, Applications don't need administrator privileges for replacing/upgrading to the /Applications folder when the installer is launched by a user on the admin group, because that user can read and write to the App folder, other parts of the system, like the Library and System folders are not writable to the user (even if he is part of the admin group) but only to root/admin and as such require authorization (entering the password).
     
    Last edited: Sep 10, 2013
  9. Specimen

    Specimen Product Expert

    Messages:
    3,242
    Not true either, like I said, on previous versions the Safari 'Open with IE' extension was also installed exactly in the same way as with PDM9, there's no difference there, the reason why you didn't have it before might be for a myriad of possibilities.
     
  10. Specimen

    Specimen Product Expert

    Messages:
    3,242
    Besides, I should inform you, that as my signature says, I don't work for Parallels, and in fact I don't even like the Safari extension, but just so you can see I'm only dealing with the facts here and trying to correct some misinterpretations, I present you the thread started BY MYSELF against the Extension:

    http://forum.parallels.com/showthread.php?264782-I-don-t-want-the-Internet-Explorer-Safari-Extension!

    As you can see it dates back to October last year, around the date PDM8 was launched.
    The difference here, is that I'm aware I authorized the installation.
     
  11. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    My Applications folder is configured for system and admin only read and write. To remove or add a file from that folder requires system or admin privileges. Any task running as a standard user has read only access. Now yours may be configured differently but that's the way it is on mine. Without running the installer as a privileged user it will not be able to upgrade, that's why you ask for me to confirm that I grant you those privileges. The whole point of the system asking me to confirm that I agree to you using my admin privileges is to prevent exactly the sort of thing that you just did. Had this been some random software from an unknown company I would not have agreed the privileges. As it happens I have trusted you for a number of years, through 7 previous upgrade cycles, but I am absolutely horrified that you have abused that trust on this occasion.

    Shame on you for trying to make this my problem.
     
  12. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    I suspect the reason I didn't see it before is because I explicitly block installation of Safari extensions. That was completely overridden by your installer...
     
  13. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    I apologise for the use of YOU in my posts, I am of course referring to the Parallels team here. The Parallels logo and Product expert below your name misled me into thinking you were an employee.
     
  14. Specimen

    Specimen Product Expert

    Messages:
    3,242
    Then be careful about any Application you install as you won't know if it's installing components elsewhere or not, with any Application asking you for password. The irony of this is that this can actually be less secure for the reason I stated above.

    My advice would be to use a non-admin group account instead for day to day tasks, and use the default permissions in /Applications. That way you can't install an app to the /Applications folder, and to do so you could then log in to an account that is in the admin group and install software there.
     
    Last edited: Sep 10, 2013
  15. Paul Barnard

    Paul Barnard Member

    Messages:
    46
    And that is the crux of the matter. I only install software from sources I trust as I am fully aware of the risks. I keep a very clean secure system as I do high security software development. I have trusted Parallels for many years but it now seems that was misplaced.

    The whole point of my post was to warn others not to blithely upgrade on the assumption that Parallels is a trusted supplier who won't screw their system. I stand by my, now moderated, assertion that this was a trojan install. We can agree to differ on that.

    Pax
     
  16. Specimen

    Specimen Product Expert

    Messages:
    3,242
    The badge is a mixed blessing, I've been getting a lot of personal harassment (not saying you did) for having it, with people blaming me directly or thinking I'm some sort of a shill. *sigh*
     
  17. Specimen

    Specimen Product Expert

    Messages:
    3,242
    Yes, I don't agree with that, but I have no personal qualms with you. Peace.
     
  18. Specimen

    Specimen Product Expert

    Messages:
    3,242
    I would like to leave a suggestion for Parallels Team though, which is to have the ability to select what components to install on the installer, with a description of the advantages of each component, these optional components would be:

    * Safari extension
    * Parallels Access (and required components)
    * Parallels Application folder under ~/
     
  19. serv

    serv Forum Maven

    Messages:
    817
    I have to state a few seemingly obvious things for other readers. This is not meant to be a comprehensive list but a short summary.

    Neither Parallels Desktop nor Parallels Access are "hacking programs". They don't exploit system vulnerabilities, don't attempt to abuse security and don't hack your credentials.
    Users confirm privilege escalation for the installer to do its work, for PD to manipulate bootcamp partition and in some other cases too.
    Access and Safari extension are both parts of the program that implement specific functions: authorized remote access and 'open in ie' button.
    Parallels don't download and/or install malicious payload. Defining 'malicious' in this context would be too lengthy, however. Parallels only downloads and installs product updates and additional packages required for guest OS (like Windows 8 start button). You can also explicitly request it to download 3rd party antivirus products from security center.
    Access doesn't allow remote access without explicit confirmation. The function itself is not even new for PD9. From a practical standpoint it is similar to former Parallels Mobile, but with much better performance and usability.
    Parallels doesn't send (or even access) your local passwords, address book or other personal information. Some information is solicited during product registration.
    Parallels account created during registration is unrelated to your local or any other accounts. Its primary use is to allow Access client to connect to your computer.
    Parallels products do communicate to internet servers on various occasions for legitimate reasons such as registering the product, checking for updates, establishing authorized remote access etc.

    At the same time, Parallels Desktop is technically very complicated. To perform its functions and provide services Parallels does need to do many things one could misinterpret as alarming: installing kernel drivers, using advanced CPU features, running privileged network services, establishing remote connections, manipulating network packets, even opening some files, etc. Seeing these things as security violations is uninformed and absurd. Also, it's totally impractical to request explicit authorization on each and every occasion, so we're trying to strike a balance.

    While Parallels does listen to criticism, demands, suggestions and other concerns (there's actually ongoing work on Access installer/uninstaller), trojan accusation is by far overreaching at the very least. In fact, it's insulting given that the very purpose of the product is to be useful, not malicious. I'm sorry if someone totally can't tell the difference.
     
  20. alexofindy

    alexofindy Member

    Messages:
    25
    I'm not a security expert, but I do find what I've learned in this thread disturbing. And I believe Mr. Barnard and Specimen's related comments are correct. Parallels should not be installing remote access "backdoors" on my system without my explicit permission.

    I have Parallels 8, and am considering upgrading to Parallels 9.

    From my point of view installing a remote access program without my permission is a serious mistake. Though such remote access is well intentioned, the fact is that all software has bugs. Including Parallels. A backdoor designed to allow remote access to my system is something I don't want. And I really don't want it if it starts a process or daemon that runs in the background, without my knowledge. I don't need the functionality, it's just something else that can go wrong, eats up CPU cycles, and may provide someone truly malevolent with access to my system.

    I don't know if Parallels Mobile is installed on my PD 8 system, if it is I want to know how to get rid of it. And, I won't be buying Parallels 9 until the installation of Access is made fully and clearly optional.



    I am fully aware that many programs install daemons on both Windows and Macs that are always phoning home to check on the existence of upgrades they can try to sell me. I don't like this, and I disable them when I can, but they are an unfortunate part of modern computer life. But a remote access program that runs all the time in the background is another beast entirely, and seems to pose a far greater risk to my computer security.

    Parallels: how do I see if Mobility is on my PD 8 system, does it run all the time, and how do I uninstall it without interfering with the main Parallels Desktop program?

    And please let me know when Access is removed from PD 9.

    To those more security savvy than I: thanks for being diligent.
     