The makers of Parallels Desktop have released a workaround for a high-severity privilege escalation vulnerability affecting Parallels Desktop 16 for Mac and all older versions. The mitigation recommendations came five months after the vulnerability was first discovered in April.
Parallels Desktop, now owned by private equity giant KKR, currently has 7 million users, according to the company. It enables Mac users to run Windows, Linux and other operating systems on top of macOS.
The vulnerability allows malware running in Parallels virtual machines (VMs) to access macOS files shared in the software’s default configuration. The software maker said the suggested fixes would need to be performed manually by end users and could be “inconvenient” for some, while also degrading product performance.
Details of the vulnerability were first widely disclosed in a security advisory on Wednesday. The vulnerability (CVE-2021-34864) is caused by improper access control in Parallels’ WinAppHelper component. According to Parallels, the vulnerability is related to the software’s Parallels Tools, a proxy for communication between the host macOS and the guest operating system.
An easy-to-exploit vulnerability
“This vulnerability is due to a lack of proper access controls. An attacker could exploit this vulnerability to escalate privileges and execute arbitrary code in the context of a hypervisor,” said another security advisory published Wednesday.
The Common Vulnerability Scoring System version 3.0 rated the severity of this vulnerability as high (8.8). The bulletin also warns that the level of sophistication required for the exploit is “low”.
“By default, Parallels Desktop shares files and folders between the Mac and the VM, so users can easily open macOS files and save documents to the Mac from applications running in the virtual machine,” Parallels explained. “This feature exposes the user home folder to the VM. This folder may contain configuration files that malware can access, caches from different applications, etc.”
Parallels recommends that users mitigate the vulnerability by reconfiguring the software or upgrading to the latest version (Parallels Desktop 17 for Mac, released on August 10).
According to the vulnerability’s summary description: “Parallels Desktop 17 for Mac and newer are not affected. By default, the entire home folder is no longer shared with the virtual machine, only selected folders such as Desktop, Documents, Downloads, etc.”
The company added: “This vulnerability allows a local malicious user to elevate privileges on an affected Parallels Desktop installation. An attacker must first gain the ability to execute low-privilege code on a target customer’s system before exploiting this vulnerability.”
Disclosure timeline
The vulnerability was first discovered by security researchers Sunjoo Park and Jack Dates during Trend Micro’s Pwn2Own Austin event on April 8. According to the organizers of the event, the researchers received $40,000 each for their efforts.
On August 10, Parallels published information about the vulnerability in its knowledge base, under the title “Mitigation of ZDI-CAN-13543 in Parallels Desktop 16 and earlier.” The post describes the April findings and the mitigations users need to apply to protect themselves. On Wednesday, several security advisories published the vulnerability’s identifier (CVE-2021-34864) and rated it as high-severity.
In the worst case, malware or a threat actor could compromise or escape a virtual instance of Windows and infect the host system. Parallels did not respond to requests for comment for this article.
An inconvenient fix
To mitigate the vulnerability, users of Parallels Desktop 16 for Mac (and of older versions) have several options. The first option is to upgrade to Parallels Desktop 17 for Mac, which does not have this vulnerability. It is unclear whether affected customers will be required to pay the one-time $50 upgrade fee for the Standard Edition in order to mitigate the flaw this way.
For customers running Parallels Desktop 16 or earlier, the company said the fixes available to them will “reduce the functionality of the software” and cause “inconveniences” such as file duplication when sharing documents between virtual machines and the host macOS.
“If you do not plan to run untrusted code in a VM, it is recommended to follow common security measures.” “If you are running untrusted code in a VM and want to isolate the VM from the Mac, here are some things you can do.”
According to Parallels, these options include:
1. Disable shared folders as described in KB 6912. The Shared Profile feature will also be disabled, and you will no longer be able to open Mac files in the VM or save files to the Mac. See KB 6912 for more information.
2. Alternatively, isolate the VM from the Mac as described in KB 112942. Once isolated, folders, files, applications, and external drives are no longer shared between the two operating systems, and the VM cannot access any information on the Mac. Isolating virtual machines provides the highest level of security.
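The two options above are meant to be applied by hand through the Parallels UI. As an added illustration (not Parallels’ own tooling, and not taken from the knowledge-base articles), the following shell script shows how an administrator could audit a VM’s sharing settings from `prlctl list -i` output and emit the corresponding hardening commands. The `prlctl` flags used (`--shf-host`, `--shared-profile`, `--isolate-vm`) and the `Host Shared Folders: (+)` / `Shared Profile: (+)` / `Isolated: no` line formats are assumptions based on the `prlctl` command-line tool, not facts stated in this article; check them against `prlctl set --help` and your own `prlctl list -i` output before relying on the script.

```shell
#!/bin/sh
# Added example, not Parallels' own code. ASSUMPTIONS: the prlctl flags and the
# output line formats matched below are my recollection of the prlctl tool and
# are not stated in the article; verify against `prlctl set --help` and real
# `prlctl list -i <vm>` output before use.

# audit_sharing: read `prlctl list -i`-style text on stdin and print one
# finding per line for each setting that exposes the Mac to the guest.
audit_sharing() {
  awk '
    /^Host Shared Folders:/ && /\(\+\)/ { print "host-shared-folders-enabled" }
    /^Shared Profile:/      && /\(\+\)/ { print "shared-profile-enabled" }
    /^Isolated:/            && /no/     { print "vm-not-isolated" }
  '
}

# hardening_commands VM_NAME: print the prlctl commands that implement
# option 1 (disable shared folders and Shared Profile) and option 2
# (isolate the VM). Printed rather than run so the operator can review them;
# pipe into `sh` to apply. Flag names are assumptions (see above).
hardening_commands() {
  vm=$1
  printf 'prlctl set "%s" --shf-host off\n' "$vm"
  printf 'prlctl set "%s" --shared-profile off\n' "$vm"
  printf 'prlctl set "%s" --isolate-vm on\n' "$vm"
}

# audit_vm VM_NAME: run the audit against a live VM and, if any finding is
# reported, show the hardening commands. Requires prlctl on the PATH.
audit_vm() {
  vm=$1
  findings=$(prlctl list -i "$vm" | audit_sharing)
  if [ -n "$findings" ]; then
    printf 'Findings for "%s":\n%s\n' "$vm" "$findings"
    hardening_commands "$vm"
  else
    printf 'No sharing findings for "%s"\n' "$vm"
  fi
}
```

Usage: `audit_vm "Windows 10"` prints the findings and the `prlctl set` commands for that VM; `audit_vm "Windows 10" | grep '^prlctl' | sh` applies them after review. Each finding maps to one of the two mitigations in the list above: shared folders and Shared Profile to option 1, the isolation flag to option 2.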
While the above measures alleviate the security concerns, they also remove one of Parallels’ selling points: “Seamlessly move and share content between Mac and Windows.”
It is unclear whether the vulnerability can be mitigated for macOS users who configure their systems to isolate the VM guest from the host OS.
Researchers favor Parallels
While Parallels Desktop for Mac is not marketed as a cybersecurity research tool, many websites recommend it for that use case.
Parallels is just one of several virtualization options that let macOS users run alternate operating systems. Others include Apple’s own Boot Camp feature, VirtualBox, and VMware for macOS.
More recently, interest in Parallels has grown as Boot Camp has been removed from Apple’s new ARM-based Macs, which contain the M1 chip. Installing Windows 10 on an M1 Mac requires an ARM copy of Microsoft’s operating system.
Apple’s senior vice president of software engineering, Craig Federighi, said on the Daring Fireball podcast that Apple doesn’t plan to support Boot Camp on ARM-based Macs in the future.
Parallels seized this opportunity, releasing a Parallels Desktop 16 for Mac update on April 14 that supports Mac computers with the Apple M1 chip.