Big security risk with global sharing

Discussion in 'Parallels Desktop for Mac' started by goron, Jan 24, 2007.

  1. dm3

    dm3 Member

    Messages:
    46
    Agreed. I've also expressed this concern, but I don't think Parallels gets it, I don't think they understood me.

    I'm overall concerned with the evolution to build 3120. Parallels is putting too much focus on making Windows run well within the Mac at the expense of running Mac programs. This is very bad strategy. I am using a Mac running Mac OS X first and foremost. Running Windows is a nice addon, but you cannot break my ability to use the Mac. If all I wanted to do was run Windows, I'd use bootcamp and not buy Parallels. If you make the Mac run poorly enough, I won't run Parallels and won't buy it.

    Parallels: Make sure whatever feature you add doesn't hurt the ability to run Mac programs.

    My specific issues:
    - The security issue mentioned here. I run a Mac so that I don't have to worry about viruses. With this scary feature turned on, Parallels have managed to instantly make my Mac OS X machine totally open to viruses and spyware. Completely unacceptable.
    - I have experienced very high CPU utilization rates even when the Windows VM is idle. When Windows 2000 is reporting 0% CPU util, Parallels consumes 25-60% of my Mac's CPU while doing NOTHING. This again is totally unacceptable.

    I also have an issue with the Coherence mode. I don't really want my Windows programs running seamlessly within the Mac, because of viruses etc. Too much focus on hacking specific hooks into Windows while basic Parallels tools don't exist for Linux.

    Because of the CPU utilization problem, I've reverted back to build 1970 and have been pretty happy. I am also giving VMware a more serious look as I'm in the beta. Good video support is more important than some of the new Parallels features.
     
    Last edited: Feb 12, 2007
  2. Resuna

    Resuna Member

    Messages:
    54
    Mac IS more secure "per se" than Windows.

    Yes it is.

    * No browser-desktop integration. Safari has some design problems, but it's nowhere like Internet Explorer.

    * Formal system call API instead of ad-hoc callgates. So there's two chances to catch illegal parameters to calls.

    * No legacy apps that break when the system is secured. Which is why Windows has many many more globally-writable system directories.

    * Services (daemons) run local-only by default. OSX with no firewall has comparable security to Windows with a firewall, and then you can add a firewall as well.

    * Traverse checking (even if it can be bypassed by aliases) on by default. No "filename guessing" to troll for writable files in other user accounts.

    * More I haven't thought of... this isn't 1997 any more, UNIX has dumped the "r" suite, telnetd, the old backdoors. Microsoft still refuses to back down on the security disaster originally advertised as "Active Desktop".
     
    Last edited: Feb 12, 2007
  3. dm3

    dm3 Member

    Messages:
    46
    Digg it

    Thread pointer on digg
     
  4. Resuna

    Resuna Member

    Messages:
    54
    The real problem.

    There is no reason the "global share" needs to bypass UNIX permissions.

    In fact Parallels shouldn't be *able* to have that capability. The client application (the emulator) should drop privileges as soon as possible, and run with no more than normal user access. Why doesn't it?
     
  5. Resuna

    Resuna Member

    Messages:
    54
    No.

    When I am running in my user account, using Parallels, I should not be able to use Parallels to bypass local security even if I want to, unless I have an administrator password.

    Parallels is running as a "root shell". And you don't even need to "sudo" to activate it.

    Parallels needs to make its shell (the emulator) run under minimum required privilege, and no components that can be accessed by emulated software should have more privileges than the user they're running under.

    If they fix that, they can enable GFS without opening up new local security holes. If they don't, it doesn't matter whether you enable GFS or not... the hooks it uses are still available.
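
Added example (not part of any post in this thread, and not Parallels code): the permanent privilege drop asked for in the two posts above, for a helper that starts as root. It assumes a setuid-root program that should end up running as the invoking user; `drop_privileges` is a name chosen here.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root and become (uid, gid).
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                  /* "dropping" to root is not a drop */

    if (geteuid() == 0) {
        /* Order matters: supplementary groups must be cleared while we
         * are still root; after setuid() we could no longer do it. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)           /* group first, while still privileged */
        return -1;
    if (setuid(uid) != 0)           /* as root: sets real, effective, saved */
        return -1;

    /* Verify that real and effective ids are the target... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ...and that root cannot be regained through a saved set-user-ID. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumption: a setuid-root helper drops to the invoking user. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* ... setup that really needs root would go here, and nowhere else ... */

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "refusing to continue with elevated privileges\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Anything the guest can reach is served after the drop, so a request coming from the VM is checked against the invoking user's permissions rather than root's.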
     
  6. TinGull

    TinGull Bit poster

    Messages:
    4
    Please pardon my ignorance, but I can't find out how to turn off GFS...would someone mind pointing me to where I could do that? I've searched this forum, google, and the Parallels help but can't find anything.

    Thanks!
     
  7. dm3

    dm3 Member

    Messages:
    46
    Wow. I didn't realize that they enable root access. That's much worse than I thought. That is totally unacceptable and shows a scary lack of basic security knowledge.

    I prefer to install all my Mac applications within my userid so that those applications can't affect the Mac overall. Why does Parallels need to be installed as root/admin anyway?
     
  8. dm3

    dm3 Member

    Messages:
    46
    This article describes how to disable it.
    http://digg.com/apple/How_to_close_a_backdoor_opened_by_Parallels_on_OS_X
     
  9. dkp

    dkp Forum Maven

    Messages:
    1,367
    The global share doesn't bypass Unix permissions - it provides to the VM access with the VM owner's privileges. That is enough for a harvesting malware. And of course this extends to any mounted volumes as well.
     
  10. dkp

    dkp Forum Maven

    Messages:
    1,367
    You need to shut down your VM, edit the VM parameters in the Parallels tool, specifically under sharing, you would want to unselect Global Sharing. The global share will be gone with the next VM startup.
     
  11. dkp

    dkp Forum Maven

    Messages:
    1,367
    To my knowledge only the Parallels NAT daemon runs as root. The Parallels desktop runs as whoever launches it. Any global share privileges are limited to that same user.
     
  12. dkp

    dkp Forum Maven

    Messages:
    1,367
    What leads you to believe this is true? Did you verify it?
     
  13. TinGull

    TinGull Bit poster

    Messages:
    4
    Thank you! :)
     
  14. Resuna

    Resuna Member

    Messages:
    54
    My bad. I assumed that the people who wrote that it gave complete access to the drive meant that it gave complete access to the drive. Silly me.

    Indeed. Parallels doesn't protect you from a compromised Windows environment, and any resources visible from that environment are exposed. That's elementary.

    I agree, then, that making this capability off by default and providing a warning in the preferences where the "enable" box is would be enough to resolve this issue.
     
  15. dkp

    dkp Forum Maven

    Messages:
    1,367
    Granting yourself the leadership role in the way is a symptom of megalomania, among other things, and quite pointless. This topic has only just hit America's front page and I expect it will continue for a while longer with or without your input. Best it should continue here where misconceptions can be cleared up.
     
  16. drval

    drval Pro

    Messages:
    490
    You are again looking directly into the mirror.

    Are there two perspectives -- as you said -- or is it only one "real truth" and the infidels oppose that truth?
     
  17. joem

    joem Forum Maven

    Messages:
    1,247
    The hypervisor has to run "under" all OS's directly on the hardware, so Parallels actually owns the computer and we depend on it to enforce reasonable constraints to keep the host and VMs separated. That they would even implement a global share scares me. It means malware can do anything I can do with my login without an admin password, and it makes me wonder what other holes are hidden in there for convenience in implementing "features". This is a trap Microsoft has fallen into (features first, security later) and is the primary reason, I suspect, that the virus score is Windows, tens of thousands, OSX, zero.

    Philosophy counts. It has broad influence on design and performance. Even in the earliest days of VM (the IBM OS from the '60s) virtual machines were totally isolated. IBM got it right. Parallels NEEDS to implement drag and drop without a program accessible global share.

    This would definitely be enough to make me move to VMware if it does everything else I need.
     
  18. palter

    palter Hunter

    Messages:
    243
    Same here.

    For the record, I was a member of the Multics development team back in the early '80s. And I was a member of the team that finished hardening the system to get the first B2 security rating for a commercial operating system. While I'm not currently working in the security arena, I've been following it closely ever since...
     
  19. drval

    drval Pro

    Messages:
    490
    What is your assessment of the relative contribution of Shared Networking, as opposed to other options?
     
  20. JollyRoger

    JollyRoger Member

    Messages:
    46

    here is mine

    NAT is good unless the implementation is flawed allowing an attacker to execute arbitrary code on the system. (which realistically is a very small risk as the attack surface will be relatively small compared to others available to an attacker {open services})

    But NAT isn't the solve all as many Firewall administrators will tell you. (how many apps do you know of that don't work so well with NAT?)
     
