Big security risk with global sharing

Discussion in 'Parallels Desktop for Mac' started by goron, Jan 24, 2007.

  1. new2pcz

    new2pcz Bit poster

    Messages:
    2
    What's up, Doc?

    I am kind of new to the PC world and to virtualization, but am certainly concerned about the security of my Mac, upon which my livelihood depends. So I back everything up regularly. I've never had to restore my entire file system, thanks be, and do not relish the possibility.

    What confuses me about this thread is that what dkp has said above seems self-evidently true (though perhaps a bit humorously exaggerated in regard to the earth's axis), and the solution he suggests--turning off this feature by default--trivially simple to implement for the development team. Yet drval keeps downplaying the problem, and attacks anyone who brings it up as a fear monger and wanting to destroy Parallels in favor of VMWare or remove a feature he likes.

    Why is he doing this? Surely the detection and correction of significant security breaches only enhances the reputation of a company, while concealing them brings discredit. Like dkp, I have trouble imagining any large installation adopting Parallels with such a feature on by default; in fact, if it were discovered after the fact, I would suspect that the system administrators would immediately rip out all instances of the program, and put in a call to the competition if they needed the virtualization functionality. After all, what other undisclosed problems might lurk beneath the surface?

    Again, this seems so self-evident that it makes me wonder about drval's motivation, not to say the "compos" of his "mentis". Is he playing self-appointed white knight to what he takes to be a "maiden in distress"? But perhaps he "doth protest too much," making himself look like a blithering idiot in the process, and courting disaster for the company he purports to be protecting? Perhaps he really has no confidence in Parallels in its ability to respond and correct a problem? Does he believe he is in a role playing game, and must win points for his avatar? Does he have a hard-on (metaphorically speaking of course) for dkp? It's terribly hard to fathom.

    If this is the behavior of "senior" members of this forum, I'll happily remain a junior indefinitely. And if drval is indeed a psychologist, as his website would suggest, then I say "physician, heal thyself." Or, at the very least, adjust your medication.

    After all, this is a beta (OK, a release candidate). Someone made a little mistake, obvious and boneheaded but easily corrected in the next RC with no downside to drval or any other user. Why not 'fess up, fix it and move on?
     
    Last edited: Jan 27, 2007
  2. drscience

    drscience Member

    Messages:
    30
    This discussion of drval's contribution reminds me of a story about Wolfgang Pauli, the famous theoretical physicist.

    One day, a younger faculty member came into Pauli's office with a graduate student who had come up with a new theory. The grad student proceeded to explain his theory at some length. Throughout the explanation, and for several minutes thereafter, Pauli remained silent.

    Finally, the faculty sponsor said, "Dr. Pauli, what do you think of this theory?"

    Pauli smiled sadly, and said, "It isn't even wrong."
     
  3. dkp

    dkp Forum Maven

    Messages:
    1,367
    You might enjoy reading another thread here (Parallels' big mistake) where I suggested it was a mistake for Parallels to interleave the production and beta/release candidates. I suggested it may benefit all if there were a forum for beta issues and that a more formal beta process emerge, and another forum for supporting the GA releases. Many people are confusing beta releases for upgrades and fixes for the released products and that is simply not the case. Moreover, it's now evolved to the point where *all* previous versions are being discussed, and earlier beta discussions do nothing to help with the current releases. Val, ever the apologist, pretty much did the same thing then. He seems unable to accept that there is room for product improvement and that we should play the cards we're dealt. It's like having a stalker following you around.

    Given that I spend hours each week in these forums offering help where I can, and have never made any suggestions that would result in making the product worse, I don't understand his droning, accusations, and suggestions I may be working for the competition. I use but don't particularly like the VMWare product - I use it so that I can know more about what to expect in Mac hypervisor technology. I have no intention of buying it or turning my back on my purchase of two Parallels licenses. I'm invested in Parallels and I want it to work and to work safely. I know that based solely on my recommendation, tens of copies of Parallels have been sold, and if I'm going to be recommending a product for my friends I don't want that product to present a major hidden security risk.
     
  4. drval

    drval Pro

    Messages:
    490
    My motivations are clear and as I've stated elsewhere -- I run a development project and want to use the best most full-featured tools I can for that purpose. I'm here to learn from others about their experiences with Parallels and to support those whom I can with my experiences and knowledge.

    I prefer for discussions to be simply factual and direct. Having been in the computing world for well over two decades and worked on everything from PDPs and their ilk onwards, I've been around a few blocks. I really don't like "language wars" (C++ is the best, no VB is, no C# is...) and I really don't find "Windoze" trashing to be useful. It just promotes more divisiveness and confusion. The issue here is a collision in philosophy concerning how systems and system resources SHOULD be organized and, as the 11th commandment of Cognitive-Behavioral Therapy states: "Thou shalt not SHOULD on thyself nor on anyone else, or else you'll just end up feeling SHOULDY".

    I see two and three spawns of the same "Windoze trashing" kinds of messages being posted frequently -- it's not necessary and it defocuses all of us from actively supporting this product as well as the ongoing development work needed to extend it. Personally I'm still waiting for more secure USB 2.0 -- and I've sent that to beta@parallels.com so it can be addressed.

    You think Global Sharing should be OFF by default. I think it should be ON by default and I think that's the correct choice because it's pretty clear that MOST users want it. Similarly, one of the most requested features is full implementation of the Windows Dual Monitor mode. These are features that users want and they -- apparently -- want them to work "right out of the box". However, others don't want it that way and want to make the typical user make changes that they will want to make, that could be set for them by default.

    Let's see what Parallels does -- perhaps a dialogue box on first start up: "Do you want to enable Global Sharing? Some believe it poses critical dangers to your computer."... Remember Prohibition didn't work. Education does and terrorizing only creates more fear and dependence.
     
  5. joem

    joem Forum Maven

    Messages:
    1,247
    I have to agree completely with DKP on this issue.

    One might divide potential Parallels users into two camps: Those knowledgeable about security issues, and everyone else. Those who know what they are doing can turn off inadvisable features and protect their machines / networks, so having such a feature won't put them in danger.

    Those who don't know anything about security won't think about it and will be needlessly exposed to the very real risk of having their machines scrambled. The policy should clearly be that the locks are locked by default, and unlocked by those who want them unlocked after they have been warned about the consequences.

    Of course the other issue here is that there is the possibility of a useful function being available without much, if any, risk, if it's just implemented so as to require proof of physical presence to function. If drag and drop is implemented without an open global share and requires a physical mouse click to operate, it will be safe from malware. The key is that communication between the environments must require physical presence to demonstrate user intent. This isn't hard.

    In the meantime, just as Microsoft has been roundly criticized for leaving so many holes they could have closed open by default, Parallels deserves criticism for leaving such a serious security hole open by default.

    It's the ignorant who need the protection most, not the experts who can easily turn off dangerous features.

    And finally, yes, the feature is truly dangerous, as anyone I know in IT with any security responsibilities knows. I suspect that if I left such a hole open on a client network, I'd be fired.

    BTW, my only connection with Parallels or any other similar company is as a customer, and none of my clients develop or sell software of any kind.
     
  6. dkp

    dkp Forum Maven

    Messages:
    1,367
    Val - the problem of the global share is not limited to Windows. There will come a time when the Parallels Tools will be available for Unix and Linux. If Global Sharing is enabled in those environments I will be as vocal about the hazards. It is not bashing Windows to acknowledge it is the principal target of viruses and crackers probing every exploit - it is a fact of life and any new opportunities are valid subjects of discussion. Coincidentally, it is the only OS that Parallels has provided drag and drop capability to using global sharing. That limits the current conversation to Windows and to what-if scenarios that demonstrate how simple programs can be used in Windows to cripple OS X. That is not fear mongering any more than CERT bulletins describing obscure proof of concept exploits of Windows and its applications is fear mongering.

    What does not help advance the conversation is to repeatedly deny there is a problem and that it has significant consequences. If you are anywhere near as experienced as you claim then you will recognize the seriousness of it immediately. It is plain for all to see. An end-user who hasn't your experience nor mine may miss it entirely and not know the seriousness of it until their son or daughter gets hit with an IM virus that quietly crawls that system. Given that viruses survive longest that don't kill their host, they may never know their private documents are being shared around the world or even consider it was possible. They may feel false security because they know they're running Windows in a virtual machine sandbox and believe that their host OS is safe because they did not enable sharing. We know these infections happen every day, and anyone who deals with the growth in spambot networks knows the problem of infected Windows boxes is getting worse, not better. When that discussion is cut off and discounted as Windows bashing an even greater offense has occurred. I suggest you not try it with me as you will be wasting your time and mine, and the good readers of these forums.
     
    Last edited: Jan 27, 2007
  7. joem

    joem Forum Maven

    Messages:
    1,247
    MOST customers probably want to go into stores, get what they want, and not pay for it, but we don't allow that. Most users want all "features" enabled so they can use them without thinking, but some of those things can backfire and the decision to use them is a tradeoff.

    Global sharing is dangerous, and you clearly don't get it. More Macs will be scrambled if the default is on than if it is off. Leaving it on by default is irresponsible, and given that Parallels has actual notice that it is dangerous may open them to legal trouble if they release it on, should someone get OSX scrambled by Windows malware and decide to sue.

    Giving everyone what they want without considering the consequences is a really bad idea. The inability to properly evaluate consequences due to ignorance or general immaturity is the reason we don't give driver's licenses to ten year olds. Maybe we should hand out guns to everyone who wants them because even though they are dangerous in untrained hands, a lot of people want them. Try that with a five year old, and see how quickly YOU go to jail if the kid shoots someone. And yes, it really is the same principle even if it's expressed as a reductio ad absurdum argument.

    This global access feature should be off by default because it is dangerous, and if people want it, and know about the danger it poses, they can turn it on. Really though, it should be implemented differently. It doesn't have to be dangerous.
     
  8. drval

    drval Pro

    Messages:
    490
    I appreciate your thoughtful response to what this thread is about but I do have a point of difference in how I see things.

    The truth is that one of the major missions of Parallels is to fully support Windows on Mac hardware, such that true concurrency can occur with the two OSs. This means that whatever benefits -- and dangers -- that Windows brings with it will "come to the party". And this means that anyone wanting to run Windows with concurrency (or not, this is relevant to Boot Camp only installs as well) needs to implement full Windows-style security measures FOR the Windows aspect of what's been used.

    There really is NO way around that.

    It seems to me that there needs to be a major effort made to keep discussions on what to DO so as to SUPPORT these functions -- hence the idea of anti-virus, firewall, anti-spyware, etc as being a vital and necessary component of using Windows, even IF Global Sharing is OFF.

    Part of the popularity of Windows is its "ease" of use -- largely enabled through the various technologies (like ActiveX) that make many attacks easier to orchestrate. But these are also the very same features that many users -- if not most -- find most appealing about Windows. You can just click on an attachment and don't have to go through a number of layers to do so. BUT, you also have to be wise about WHICH ones you click on AND you have to have installed the various security tools AND done backups.

    All of these precautions will still need to be done whether or not Global Sharing is active.

    And FWIW if you were running an IT department for me and you didn't implement THAT stance, then you would be fired. I wouldn't fire you for deploying systems that had security in place and allowed for Global Sharing. But perhaps that's just me.
     
  9. serv

    serv Forum Maven

    Messages:
    817
    I will regret intervening in such an important argument but here's my personal opinion anyway...

    With full respect to dkp and his feedback I feel that this has gone too far. This "security" alert is now giving novice users "understanding" of the "problem" and they start building conspiracy theories. The premise is that Parallels is adding random features that somehow expose Mac to worldwide threat we're all under. The whole thing is heavily biased by personal disgust for Windows.

    To understand the technical reason behind .Mac shared folder you have to use drag and drop from the Mac to VM on daily basis. The original DnD mechanic copies the file to temporary location in a VM, the new one provides full path to the original file. Try this exercise: come up with at least 5 (10 to get an A and I'm absolutely serious) distinct use cases where temporary file is inadequate.

    Parallels users are pragmatists most of the time. They need to get things done: get a document reviewed, 3D model updated, database filled with new records. They use programs that are appropriate, that's part of their workflow and VM being their tool. The tool needs to be up to the task. Theoretical security must not preclude tool usefulness, this assumption is not even unique to Parallels. The machine is either ultimately safe (powered off) or useful.

    While .Mac share is "read-write" this merely means that Parallels does not apply additional restrictions to file access, OSX security is still there -- VM is no more (actually less) privileged than user account Parallels runs from. And if you are concerned you can turn this feature off.

    Now to the risk. The basic assumption is that Windows is always infected. This is obviously a stretch. Windows does not get infected by itself. In most cases this is the result of user running untrusted programs, and there's nothing Windows specific in this case. There aren't many other ways. Active attacks from the wild via network are virtually impossible due to Windows firewall, Mac firewall or Parallels Shared Networking mode. It's worth noting that work machines are kept safe by sane users.

    In an unfortunate event of VM getting a trojan/virus the damage is already done, .Mac share doesn't add much to the problem. Malware that distributes itself via network is scanning SMB shares or RPC ports, .Mac contents (mostly read-only due to OSX security) is more of a honeypot than real target. The Mac itself may have network shares that can be tampered with from other machines.
     
  10. dkp

    dkp Forum Maven

    Messages:
    1,367
    If this is the official Parallels position then you're about to lose me as a customer and supporter. Certainly not the end of the world for you. If it is your opinion alone then I respectfully submit you are wrong.
     
  11. drval

    drval Pro

    Messages:
    490
    I certainly hope this is the official policy of Parallels in re: to this issue. It is precisely the way I want the implementation to be done by default, with the option to disable it if that seems appropriate to a particular user. I know that the vast majority of users who are attracted to Parallels are looking for this precise kind of functionality.

    Keep up the good work!

    And FWIW remaining issues for me -- besides stability -- are:

    1. more USB functionality (ie having more than ONLY two USB2 devices connected at a time and more reliable real-time throughput for monitoring a serial data acquisition device)

    2. complete (or more complete) implementation of Windows native Multiple Monitor support

    3. 3D graphic support.

    All of these have been raised elsewhere and by others. I just thought this might be a place to add these comments in for emphasis.
     
  12. titetanium

    titetanium Member

    Messages:
    84
    How about a partial solution that should keep all parties happy:
    Instead of enabling global file sharing, enable sharing of the host os's home folder? For instance, I have such functionality enabled right now in linux, I created a folder in my home folder called My Documents.
    Then I enable the shared folders feature pointing to just that folder, and then in the windows VM, map that shared folder to a drive letter, say E:.
    Then I move the windows My Documents folder to that mapped drive and from now on, I can save every file, drag and drop between the windows VM and the linux host.

    This way the shared folder is restricted to just one folder on the host instead of the entire host os filesystem. Would that be a more reasonable alternative that would satisfy both proponents of the drag and drop feature as well as those who want the shared folder functionality restricted to some degree?

    I'm all for the shared folder drag and drop functionality, but not globally on my host os. I like to have it restricted to a folder so I don't have to worry about wiping out important documents that the shared folder/drag and drop can't reach but I do have the risk that I would/could potentially lose the documents in the shared folder though. That said, the shared folder could easily be backed up by the host os on a daily basis and restored just as easily.

    Any arguments for or against this? DrVal, Dkp, your thoughts?
     
    Last edited: Jan 27, 2007
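    An added example, not code from the thread or from Parallels: the script below puts a number on the difference between serv's point (the guest inherits exactly the host user's permissions, no more) and titetanium's proposal (share one folder rather than the whole home directory). It walks a share root as the user the VM runs as and tallies what a guest process could read and write, flagging entries under a constructed list of sensitive names (the `SENSITIVE_NAMES` set is an assumption, as is the sample home layout it builds in a temporary directory; neither is real data from anyone's Mac).

```python
"""Audit what a host folder exposed to a guest VM would reach.

Added example, not Parallels code.  Every check is done with the caller's
own uid, which is the point: a guest given a host share runs with exactly the
host user's permissions, so whatever this script can write, a compromised
guest could overwrite.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Assumption: names that should never sit inside a guest-writable share.
SENSITIVE_NAMES = {".ssh", "Keychains", ".gnupg", ".aws"}

# Assumption: the one subfolder a user would hand to the guest instead of ~.
SHARED_SUBDIR = "Shared"


@dataclass
class ShareAudit:
    root: str
    readable: int = 0
    writable: int = 0
    sensitive_writable: list = field(default_factory=list)


def audit_share(root):
    """Walk `root` as the current user and tally the access a guest would inherit."""
    result = ShareAudit(root=os.path.abspath(root))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks escape the share root; count them separately if needed
            rel = os.path.relpath(path, root)
            if os.access(path, os.R_OK):
                result.readable += 1
            if os.access(path, os.W_OK):
                result.writable += 1
                # Any component of the relative path matching a sensitive name
                # means the guest could tamper with it (or with its parent dir).
                if any(part in SENSITIVE_NAMES for part in rel.split(os.sep)):
                    result.sensitive_writable.append(rel)
    result.sensitive_writable.sort()
    return result


def build_demo_home():
    """Constructed stand-in for a real home directory (contents are placeholders)."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    layout = {
        ".ssh/id_rsa": "PRIVATE KEY (constructed placeholder)",
        "Library/Keychains/login.keychain": "keychain (constructed placeholder)",
        "Documents/report.doc": "a document",
        SHARED_SUBDIR + "/todo.txt": "the one file meant for the guest",
    }
    for rel, body in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # 0600 keeps other users out, but the owner (and thus the guest) can still write it.
    os.chmod(os.path.join(home, ".ssh", "id_rsa"), 0o600)
    return home


def audit_demo():
    """Compare sharing the whole home directory with sharing only SHARED_SUBDIR."""
    home = build_demo_home()
    full = audit_share(home)
    narrow = audit_share(os.path.join(home, SHARED_SUBDIR))
    return full, narrow


if __name__ == "__main__":
    for label, audit in zip(("whole home", "one folder"), audit_demo()):
        print(f"{label}: {audit.readable} readable, {audit.writable} writable, "
              f"sensitive writable: {audit.sensitive_writable or 'none'}")
```

    Pointing `audit_share` at your real home directory instead of the constructed one shows what a global share hands a guest; pointing it at a single exchange folder shows what titetanium's layout hands it. The script only checks permissions and never modifies anything, so it is safe to run against a live account.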
  13. dkp

    dkp Forum Maven

    Messages:
    1,367
    Any secure solution is fine with me. Might be a good topic for SlashDot and AFP548 so that a larger audience can weigh in. If nothing else it will let people who don't visit this BBS know about the issue.

    Edit: For a larger view of the business of sharing out root volumes and all contents therein, the Google MacFuse tool allows this, too, using sshfs (any sshfs client can do this). A lot of work is going into trying to chroot and jail sshfs so this doesn't happen gratuitously.

    sshfs is a method of creating a mount in OS X or any supported OS using only ssh as a transport protocol. The implication is if you have a shell account anywhere that allows ssh you can create a folder on your system that points anywhere in the remote system you choose. Just something to think about.
     
    Last edited: Jan 27, 2007
  14. joem

    joem Forum Maven

    Messages:
    1,247
    I see no conspiracy theory, and I have no personal disgust for Windows. I have several Windows machines I use every day, and I use Mac and Windows more or less interchangeably. I am absolutely not a platform partisan. I just think a feature exposing the host filesystem to the guest should be off by default, just like the Windows firewall should be on by default, a policy Microsoft has reluctantly adopted.

    I don't understand why this is an issue if it isn't being done that way any more. I agree that direct copy is more efficient, and for a very large file, using a temporary intermediate could put pressure on free space.

    I can't agree that these are the only two possibilities. It's certainly safe if off (unless it's physically stolen and sensitive data is lost) but that's only one end of a wide spectrum. Some machines are more secure than others.

    What I think would satisfy both camps is for the feature to be effectively off until a mouse movement (drag and drop) signaled the user's intention to move a file. Then the feature should be on for only that file while it was being copied. This doesn't seem terribly hard to do, and would preserve the sandbox while adding a great deal of convenience I, for one, would welcome. I think requiring physical operator presence is the right way to create a tunnel between host and guest.

    If Parallels doesn't want to put in the time to implement this, then at least the feature should be able to be turned on and off from the menu while the guest is running.

    There's very little risk involved in getting into a car and going somewhere, but even the law recognizes the risk that an accident could happen and requires driver and passenger seat belts, and infant seats. By the same principle, isolation of host and guest except for user initiated transfers is a good idea and should be the default.

    Usually, but not always. Also, some of us do development, or test malware, and virtual machines have always been a safe place to do this. That should continue, IMO.

    The problem here is that restoring a .hdd file gets the guest back. Restoring the host is more difficult. Also, some of us won't put sensitive data on a guest while we will on a host.

    I've noticed that there are other places where Parallels seems to assume expertise in users that has been proven not to exist. My favorite example is the lack of a requirement, or at least a warning dialog, to reboot the Mac after installing Parallels. Even after many people have had problems with it, it still (AFAIK) hasn't been addressed. (I'm just using this as an example. I know enough to reboot and have never had a problem, but others have).

    So I really feel that potentially dangerous features should be off by default (but not omitted) and the drag and drop should be implemented in a safer manner.

    I'm really glad to see this discussion -- it is an important one IMO.
     
  15. drval

    drval Pro

    Messages:
    490
    It seems to me that you can choose to do precisely what you're suggesting -- if you want to do so.

    And DKP can do what he wants to.

    The issue is allowing for the way things are NOW with Global Sharing enabled. This is what I want and, if the various "polls" are to be believed, it's what a lot of other users want.

    So, it seems to me that the solution is pretty obvious. Stay with what is -- ie Global Sharing enabled -- indicate the other options for those who want them, and let users decide what makes the most sense for them.

    And make certain to indicate that full Windows anti-virus, firewall and anti-spyware need to be installed and maintained -- along with "safe computing".

    But don't take away Global Sharing and don't make it NOT be the default. All those who want it -- who do seem to be a large proportion of users -- will then have to work to set it up.

    Software should default to the most used and most likely to be used fashion, where possible. And I think that pretty clearly that will turn out to be with Global Sharing enabled. It's one of the core things that Windows users will want to do -- and they're already well acquainted with the issues involved.
     
  16. titetanium

    titetanium Member

    Messages:
    84
    I don't doubt that Windows guest users will want to share their files with the host OS. I too want that as well. The crux of the problem is how much freedom Windows guest users are allowed regarding the host OS filesystem.

    I personally don't agree that it should be globally shared with the entire filesystem. Globally sharing the home folder of the running host user, I might be amenable to that as it does need some access to the host filesystem. The sticking point is: does the Windows guest OS really need to have read/write access to the entire host OS filesystem?
     
  17. pigwiggle

    pigwiggle Member

    Messages:
    34
    not so much with the handholding

    "I am familiar with the experiences of certain of the above listed organizations, and the Macs in those organizations have been probed and subjected to penetration attempts tens of thousands of times, but not one attempt has succeeded."

    I didn't really want to get in on this end of the discussion, but I just couldn't let this B.S. slide past. I'm not just familiar, but I am a user of NIH, DOD, DOE, Army, Navy, and so forth, supercomputing resources. In just the past few years I have been forced to reinitiate my account at least once, if not more, on all of these machines running a 'secure' OS because they were compromised. The support center for the supercomputer resident in the lab I work in was investigated by the FBI as the origin of one of the compromises; it happens, they just don't want your Mac. In general, criminals are interested in constructing botnets for distributing spam or DDoS attacks. Apple's relatively small market share makes them undesirable for either. It would be a waste of time and resources to duplicate their efforts just to compete for a handful of additional computers.

    Now ... for the more interesting point; you can write crippled software, or otherwise implement some cumbersome handholding for the user who refuses to familiarize themselves with real world risks. Or, you can place the onus on the consumer to understand their purchase. I'm for the second alternative. Camp number one has given us labels on fishhooks imploring us not to swallow them, and the 'external use only' caution on curling irons.
     
  18. drval

    drval Pro

    Messages:
    490
    Yes, I agree with you on all counts. It is, in the end, the USER's responsibility (both to educate themselves ahead of time and to use the product wisely, prudently and with an eye to security) and crippling software UNNECESSARILY is actually a real insult to users as a whole.

    I also agree with your report about what systems HAVE actually been attacked. I do continue to be amazed at how many believe that there is some "magic" protection inherent in other OSs.
     
  19. Fredric

    Fredric Member

    Messages:
    27
    I think that both sides of the issue have painstakingly presented their cases, and hope that any additional comments on this thread would be to present new information, not just keep rehashing what has already been said.
     
  20. dkp

    dkp Forum Maven

    Messages:
    1,367
    I challenge anyone to install the Fusion beta from VMWare and find a global share. I can't find it if it's there, and drag and drop going either direction between OS X and Windows XP is perfect. So far as I can tell the Windows system remains completely sandboxed and that is what I expect by default from a VM manager. And I still have no intention of buying VMWare as I've already purchased Parallels and like it just fine for the most part. But I won't recommend to anyone a VM manager that by default exposes the host as does the current RC from Parallels.
     