Aral Balkan

I am testing out the new drag and drop feature in Parallels and I drag a SWF file from OS X to ASV running in Windows under Parallels in coherence mode. Lo and behold, ASV opens the SWF file -- all is well! Or is it?

I note that the path to the SWF file begins with \\.PSF\.Mac. Being the inquisitive type, I fire up Windows Explorer and type in that path to the address bar. Up pops the root folder of my OS X boot partition. My first thought is: Oh, how cool, Windows has full access to my hard drive. My second thought is: Oh, crap, Windows has full access to my hard drive!

To test, I create a file on the root in Windows Explorer and it lets me. I erase it and, again, it lets me. I delete a file from my user's Desktop folder and, again, it does it.

One of the reasons I love Parallels is because I can run Windows in a tightly-controlled safe little space that's quarantined from the rest of my computer. I truly believe Windows likes this better too. It's a less stressful, simpler life. But this feature shatters all that. What if my Windows installation gets a virus? (I run Trend Micro PC-cillin on it and my firewall is always up, etc., but zero-day viruses can happen.) Instead of being confined to the file that is the Windows virtual machine, the virus can corrupt my OS X installation if it is aware of Parallels and writes to (or deletes files from) \\.PSF\.Mac. Not good.

I Google this (as I do nearly everything) and I find that the topic has already been debated (to death and beyond) on the Parallels forums. From the responses in that never-ending thread, it doesn't look like the Parallels team sees this as a security issue. I certainly do. Drag and drop between a guest and host machine is wonderful but I don't believe that it's worth the security risks of opening up the host machine's boot drive to the guest.

Parallels has an option for disabling this feature. To deactivate the global share, select your VM and click on the Configuration link. In the Configuration Editor, select Shared Folders and disable the checkbox next to the Enable global sharing for drag-and-drop option.

Comments

• The global share requirement was explained by "serv" from Parallels here: http://forum.parallels.com/post41289-49.html I've not tried it as it isn't anything I would need, but others will certainly appreciate the convenience. BTW, your comment page does not accept legitimate mail addresses.

  by dkp on 2007-02-12 00:57:17

• no matter what you do or how you do it, windows is sure to f*ck it all up.

  by dave on 2007-02-06 01:24:29

• Thanks Aral.. I just update my Parallels copy in to the new beta, i made a few drag and drops but i didn't notice that! This is serius because i really want windows to be quarantined, i just want them to be a small file somewhere in my hdd. Windows has full access to a mac os x hdd?? Jesus.. Ok i don't know anythink about virtual stuff but i believe Virtual Pc in which you could do drag and drop didn't cause that.. And.." it doesn’t look like the Parallels team sees this as a security issue"????

  by Savvas on 2007-02-06 09:08:03

• Such a crap, visit thiz website get sane. Get the new one, get the right one. C'mon, Mac works always and everywhere! Believe it or not but get Jesus out of that discussion! Worship me or die!

  by Great KAT on 2007-02-06 20:47:31

• Hi Aral.. Drag and drop works fine for me with the "Enable global sharing for drag-and-drop option" disabled from os X to XP and XP to os X. I drew an image from os X desktop to flash 8 IDE in XP, the image was imported fine but i also found a copy of the image on windows desktop..

  by Savvas on 2007-02-08 13:48:50

• Hmm -- well, that's good, I guess. What do you get if you browse to \\.PSF\.Mac? With that option turned off, I don't see the Mac's HD.

  by aral on 2007-02-09 01:00:14

• Neither do i. It asks me to connect to "my machine" as Guest.. Aren't you able to drag and drop?

  by Savvas on 2007-02-09 08:53:29

• Welcome to the wonderful world of Windows. Jump in the pool, you get wet. You don't want to get wet -- AT ALL -- then don't jump in the pool. For me, I've been working with Windows, Mac, Unix etc for quite a while now and am very comfortable in switching amongst them so Parallels' transparent interoperability is wonderful. i just remember it's Windows and partly that involves remembering that the vast majority of OS implementations in the world actually ARE Windows. So there are benefits to it, despite the risks.

  by val brown on 2007-02-10 19:20:34

• Hi Savvas, I just checked and I can still drag and drop. Not entirely sure what d&d functionality I've lost. Turning this option off seems to be a good idea in general.

  by aral on 2007-02-11 01:04:13

• I couldn't agree more Aral. My current problem is that some of win apps(Flash, Flex Builder, IE, Acrobat) when running in XP don't show up on dock and i can't keep them there in order to open them directly.. (you select the application you want in the dock, control-click and select Add to favorites from the context menu.) Any ideas?

  by Savvas on 2007-02-11 14:14:31

• Hi dkp (not the one from the forums, I'm assuming). I read serv's response but don't find it satisfactory. Later in the thread he says that that it's his personal opinion and shouldn't be taken as the official response from Parallels. When you disable the global share, it's been my experience that you can still cut and paste files so, at least for me, the additional convenience is not worth the security risk. I agree with dkp (on the forums) that security should be the primary consideration here and that virtual machines should be sandboxed from the host machine. Regarding the email issue -- it's the first time I've heard of it. If you email me (my first name at the name of this domain), I'll look into it with your email address and share the fix, once I have it, with the k2 people.

  by aral on 2007-02-12 10:40:43

• [...] From Aral Balkan’s post Parallels Security Issue? : [...]

  by Pauline McNamara @ NTE » Blog Archive » Possible security issue with Parallels on 2007-02-13 10:49:11

• Actually, I am the same dkp. Anyway, email addresses of the form username site@blablabla.com will fail. The site component is the apparent problem. Plus'ing an email name is a means of tracking where spammers find your address. Everything from the to but not including the @ are ignored by the mail delivery systems but it should be preserved. I also did not like serv's response and said as much in the forum. The good news is with the build 3170 RC3 release the default is to disable the global share. It still seems like a lame way to provide the functionality but the 'high astonishment factor', to quote Mike Cowlishaw, is gone.

  by dkp on 2007-02-16 19:59:19

• [...] Possible security issue with Parallels February 13, 2007 at 11:49 am | In tech notes and tools | Tags: mac, parallels From Aral Balkan’s post Parallels Security Issue? : [...]

  by Possible security issue with Parallels « noah little on 2007-10-08 11:17:35

• I doubleclicked a *.sql file and it opened with Notepad in Windows inside Parallels. Then I was absolutely shocked being able to see ALL the files of my Mac - even the system files. So made some searches and found this post and read the statement of the Paralles worker. Then I decided to do some tests. Of course I love my TimeMachine saving my files and bring it back in case of failure. Now, I copied some files from /bin and other important folders to the Windows disk. I could READ them all and SAVE over the copies, but NOT the originals on my Mac. My conclusion: It is quite safe and in case of Trojans only documents could be corrupted. Security is also belonging to the user - so don't install any shit! If it installs a virus (is there any known??!) to my Mac I need to start the "app" by myself and Finder notes me when I first start an app I never did before and asks me to trust the source. At least then, it's my task to use my brain.

  by Markus Zeller on 2008-10-24 12:00:41