SmartStart - How to Disable? Security Concern

I was unable to defeat it on my system even by removing and re-installing Parallels Tools. I've not tried using the Reset command as suggested by Andrew. I agree - SmartStart does not give me "piece of mind" (see the mis-worded banner at the top of the page ).

I have to give Parallels B+ for this upgrade - most of it is excellent stuff but worthless if this feature cannot be disabled. As for the beta testers - I guess I should have applied after all - I'd have raised a ruckus immediately, but it's bad form to implicate the testers vs the internal coders/architects.

 

How do you know isn't still working? It is turned off in my vm but it still works just fine.

 

After reinstalling Tools, I found that the shortcuts to my mac apps were still there, and still functioned. I deleted them and they have not returned.

This tells me the Parallels Tools exe is the true "gatekeeper" of security between the Windows and OSX worlds. I hope it is never exploited via a buffer overrun etc.

 

I think the presence or lack of links is ultimately meaningless. If the API is remains enabled it's just a matter of time before it's instrumented and sorted out.

 

Echo

Ditto here. Agreed.

 

Question: To do this, do I have to uninstall Parallel Tools from within Windows XP, and then reinstall them?

 

No, you can just reinstall them. Then go delete the "Parallels Shared Applications" from the start menu, and the "Shared Applications" folder.

 

That, I think, just hides the problem. Andrew suggested above it will be possible to disable this in a future release.

 

PS: And even more - all Mac applications are started from Parallels with current Mac user security permissions. So if current user is not root - it can't do any real harm even if Global sharing is enabled. Mac OS X embedded security will take care of it.[/QUOTE]


Any real harm? Are you nuts? It may not bring down the machine, but it could easily delete all files owned by me....which are the ones important to me (incl. my Parallels VM, iTunes, Documents, ~/Library).....that real harm. The rest of the OS doesn't matter - I have a DVD to install that - its my DATA thats at risk here, and not at all protected by your explanation.

Said another way - if it can't do any real harm, let me delete your homedir on your desktop and we'll see how happy you are and if you think 'no real harm' has been done.

 

After you've done that what do you see in this folder:

C:\Documents and Settings\dereks\Application Data\Parallels\Shared Applications

Change dereks to your actual Windows account name.

 

Nothing - that's the folder I deleted. It contained a bunch of .exe stubs for all my OSX apps. I found the whole cross-pollination very creepy and I am glad it's semi-gone.

As you accurately pointed out, it won't be totally gone until they close the API into Parallels Tools...

 

Set security to Medium-high (deafault) or High level. In both cases all sharing Mac to Windows will be disabled.

 

I think what would be useful in the future is an option in the Parallels Tools installation for either secure (i.e. total security, no sharing at all) or insecure (with all the useful features turned on).

This in conjunction with the security slider (which IMHO needs to have a better discription of what it does) would do worlds of good.

 

Parallels Tools Center - is just an application. It is Parallels application who grants it permissions to communicate with host part if security policy is allowed.

 

Well in the parallels OSX menus no longer will see you "applications" as even an option and it stops creating associations on the OSX side.

 

What do you see in this folder?
C:\Documents and Settings\atilla\Application Data\Parallels\Shared Applications

Replace atilla with your actual Windows account name.

If it is not empty then you should be able to launch any OS X application you see there.

 

My cut/paste didn't complete correctly in the previous reply so I'll continue here and expand on the points - Recall that the Terminal app uses bash, and that bash uses .bashrc rather like the old DOS autoexec.bat script. Anything in the bashrc file is executed when bash is run. What this means is if user, local, or global sharing is enabled, Windows, which runs as the local user, could in fact tack malicious code onto the .basrc script or replace it entirely, or even create it if it does not exist, and then do anything it likes within the constraints of the user account privileges. If it is the case that people are as careful as I am and never turn on global, local, or user sharing then this is less of a problem. But what happens when a hacker reverse engineers the executables that Parallels uses to launch OS X applications from within Windows? That will take what, an hour? Then it is a trivial thing for a malicious application to run anything on the OS X side of the system at will. I don't think such programs are going to run for the benefit of the system's owner. Such programs are bad things as I'm sure you will agree. If I were Parallels I'd go ahead and get to work on making this an option that is off by default.

Hey - maybe I'll have a proof of concept agent ready for an ad hoc break-out session at WWDC. That would be an eye opener.

 

You normally operate as root?

 

Cool, lets see it.