Big security risk with global sharing

Discussion in 'Parallels Desktop for Mac' started by goron, Jan 24, 2007.

  1. dm3

    dm3

    Messages:
    46
    Agreed. I've also expressed this concern, but I don't think Parallels gets it, I don't think they understood me.

    I'm overall concerned with the evolution to build 3120. Parallels is putting too much focus on making Windows run well within the Mac at the expense of running Mac programs. This is very bad strategy. I am using a Mac running Mac OS X first and foremost. Running WIndows is a nice addon, but you cannot break my ability to use the Mac. If all I wanted to do was run Windows, I'd use bootcamp and not buy Parallels. If you make the Mac run poorly enough, I won't run Parallels and won't buy it.

    Parallels: Make sure whatever feature you add doesn't hurt the ability to run Mac programs.

    My specific issues:
    - The security issue mentioned here. I run a Mac so that I don't have to worry about viruses. WIth this scary feature turned on, Parallels have managed to instantly make my Mac OS X machine totally open to viruses and spyware. Completely unacceptable.
    - I have experienced very high CPU utlitization rates even when the WIndows VM is idle. When Windows 2000 is reporting 0% CPU util, Parallels consumes 25-60% of my Mac's CPU while doing NOTHING. This again is totally unacceptable.

    I also have an issue with the coherance mode. I don't really want my WIndows programs running seamlessly within the Mac, because of viruses etc. Too much focus on hacking specific hooks into WIndows while basic Parallels tools don't exist for Linux.

    Because of the CPU utilization problem, I've reverted back to build 1970 and have been pretty happy. I am also giving VMWare a more serious look as I'm in the beta. Good video support is more important than some of the new Parallels features.
     
    Last edited: Feb 12, 2007
  2. Resuna

    Resuna

    Messages:
    54
    Mac IS more secure "per se" than Windows.

    Yes it is.

    * No browser-desktop integration. Safari has some design problems, but it's nowhere like Internet Explorer.

    * Formal system call API instead of ad-hoc callgates. So there's two chances to catch illegal parameters to calls.

    * No legacy apps that break when the system is secured. Which is why Windows has many many more globally-writable system directories.

    * Services (daemons) run local-only by default. OSX with no firewall has comparable security to Windows with a firewall, and then you can add a firewall as well.

    * Traverse checking (even if it can be bypassed by aliases) on by default.No "filename guessing" to troll for writable files in other user accounts.

    * More I haven't thought of... this isn't 1997 any more, UNIX has dumped the "r" suite, telnetd, the old backdoors. Microsoft still refuses to back down on the security disaster originally advertised as "Active Desktop".
     
    Last edited: Feb 12, 2007
  3. dm3

    dm3

    Messages:
    46
    Digg it

    Thread pointer on digg
     
  4. Resuna

    Resuna

    Messages:
    54
    The real problem.

    There is no reason the "global share" needs to bypass UNIX permissions.

    In fact Parallels shouldn't be *able* to have that capability. The client application (the emulator) should drop privileges as soon as possible, and run with no more than normal user access. Why doesn't it?
     
  5. Resuna

    Resuna

    Messages:
    54
    No.

    When I am running in my user account, using Parallels, I should not be able to use Parallels to bypass local security even if I want to, unless I have an administrator password.

    Parallels is running as a "root shell". And you don't even need to "sudo" to activate it.

    Parallels needs to make its shell (the emulator) run under minimum required privilege, and no components that can be accessed by emulated software should have more privileges than the user they're running under.

    If they fix that, they can enable GFS without opening up new local security holes. If they don't, it doesn't matter whether you enable GFS or not... the hooks it uses are still available.
     
  6. TinGull

    TinGull

    Messages:
    4
    Please pardon my ignorance, but I can't find out how to turn off GFS...would someone mind pointing me to where I could do that? I've searched this forum, google, and the Parallels help but can't find anything.

    Thanks!
     
  7. dm3

    dm3

    Messages:
    46
    Wow. I didn't realize that they enable root access. Thats much worse than I thought. That is totally unacceptable and shows a scary lack of basic security knowledge.

    I prefer to install all my Mac applications within my userid so that those applications can't affect the Mac overall. Why does Parallels need to be installed as root/admin anyway?
     
  8. dm3

    dm3

    Messages:
    46
    Thie article describes how to disable it.
    http://digg.com/apple/How_to_close_a_backdoor_opened_by_Parallels_on_OS_X
     
  9. dkp

    dkp

    Messages:
    1,367
    The global share doesn't bypass Unix permissions - it provides to the VM access with the VM owner's priviledges. That is enough for a harvesting malware. And of course this extends to any mounted volumes as well.
     
  10. dkp

    dkp

    Messages:
    1,367
    You need to shut down your VM, edit the VM parameters in the Parallels tool, specifically under sharing, you would want to unselect Global Sharing. The global share will be gone with the next VM startup.
     
  11. dkp

    dkp

    Messages:
    1,367
    To my knowledge only the Parallels NAT daemon runs as root. The Parallels desktop runs as whom ever launches it. Any global share privileges are limited to that same user.
     
  12. dkp

    dkp

    Messages:
    1,367
    What leads you to believe this is true? Did you verify it?
     
  13. TinGull

    TinGull

    Messages:
    4
    Thank you! :)
     
  14. Resuna

    Resuna

    Messages:
    54
    My bad. I assumed that the people who wrote that it gave complete access to the drive meant that it gave complete access to the drive. Silly me.

    Indeed. Parallels doesn't protect you from a compromised Windows environment, and any resources visible from that environment are exposed. That's elementary.

    I agree, then, that making this capability off by default and providing a warning in the preferences where the "enable" box is would be enough to resolve this issue.
     
  15. dkp

    dkp

    Messages:
    1,367
    Granting yourself the leadership role in the way is a symptom of megalomania, among other things, and quite pointless. This topic has only just hit America's front page and I expect it will continue for a while longer with or without your input. Best it should continue here where misconceptions can be cleared up.
     
  16. drval

    drval

    Messages:
    490
    You are again looking directly into the mirror.

    Are there two perspectives -- as you said -- or is it only one "real truth" and the infidels oppose that truth?
     
  17. joem

    joem

    Messages:
    1,247
    The hypervisor has to run "under" all OS's directly on the hardware, so Parallels actually owns the computer and we depend on it to enforce reasonable constraints to keep the host and VMs separated. That they would even implement a global share scares me. It means malware can do anything I can do with my login without an admin password, and it makes me wonder what other holes are hidden in there for convenience in implementing "features". This is a trap Microsoft has fallen into (features first, security later) and is the primary reason, I suspect, that the virus score is Windows, tens of thousands, OSX, zero.

    Philosophy counts. It has broad influence on design and performance. Even in the earliest days of VM (the IBM OS from the '60s) virtual machines were totally isolated. IBM got it right. Parallels NEEDS to implement drag and drop without a program accessible global share.

    This would definitely be enough to make me move to VMWare if it does everything else I need.
     
  18. palter

    palter

    Messages:
    243
    Same here.

    For the record, I was a member of the Multics development team back in the early '80's. And I was a member of the team that finished hardening the system to get the first B2 security rating for a commercial operating system. While I'm not currently working in the security arena, I've been following it closely ever since...
     
  19. drval

    drval

    Messages:
    490
    What is your assessment of the relative contribution of Shared Networking, as opposed to other options?
     
  20. JollyRoger

    JollyRoger

    Messages:
    46

    here is mine

    Nat is good unless the implementation is flawed allowing an attacker to execute arbitrary code on the system. (which realistically is a very small risk as the attack surface will be relatively small compared to others available to an attacker {open services})

    But NAT isnt the solve all as many Firewall administrators will tell you. (how many apps do you know of that dont work so well with NAT?)
     

Share This Page