Security Risk in Parallels (via Washington Post’s Security Fix)
I was reading through the latest blog postings and there was an interesting article on Security Fix, regarding Brian Krebs' installation and use of Parallels, a popular virtual machine technology available for OS X, Windows and Linux. Apparently, the default for the software is to allow the VM full access (read, write and delete) to the host file system. This introduces an interesting security risk. Other VM technology that offers this feature provides it in a "default off" state... allowing the user to knowingly turn it on and create the risk on their own. The fact that this is "default on" is dangerous to users that don't know about it.
Some Mac users claim they use a Mac because it is, let's not say immune but, unlikely to get a virus... Others have also implied that they use Parallels because they visit some websites that just don't function properly outside of IE... These users, perhaps unknowingly, are now susceptible to additional threats... threats that wouldn't otherwise be prevalent on their systems.
Now it can, and will, be argued that many Windows viruses aren't going to be threats to Mac users... This is true... but viruses are quite often malicious and nothing else... Viruses that scavenge email addresses from text files will now parse the entire OS X file system, and since anything present in /Volumes can, apparently (I don't run Parallels myself), be accessed, this means that office file shares could also be at risk, and home file shares as well. How about viruses designed to corrupt Word or Excel documents...
It sounds like it's time for Parallels to listen to its already vocal users and change this feature to "default off". If the feature is left "default on", hopefully users will continue to comment to Parallels staff. Additionally, let's hope they include a nice *BIG* warning about this; we don't want people to think they're getting a completely secure sandbox environment when they aren't.
Now I'm off to address some errors in some of the comments in that article... just wanted to point this issue out to non-readers of Security Fix.