Parallels security issue?

Parallels Windows Root

I am testing out the new drag and drop feature in Parallels and I drag a SWF file from OS X to ASV running in Windows under Parallels in coherence mode. Lo and behold, ASV opens the SWF file -- all is well! Or is it?

I note that the path to the SWF file begins with \\.PSF\.Mac. Being the inquisitive type, I fire up Windows Explorer and type in that path to the address bar. Up pops the root folder of my OS X boot partition. My first thought is: Oh, how cool, Windows has full access to my hard drive. My second thought is: Oh, crap, Windows has full access to my hard drive!

To test, I create a file on the root in Windows Explorer and it lets me. I erase it and, again, it lets me. I delete a file from my user's Desktop folder and, again, it does it.

One of the reasons I love Parallels is because I can run Windows in a tightly-controlled safe little space that's quarantined from the rest of my computer. I truly believe Windows likes this better too. It's a less stressful, simpler life. But this feature shatters all that. What if my Windows installation gets a virus? (I run Trend Micro PC-cillin on it and my firewall is always up, etc., but zero-day viruses can happen.) Instead of being confined to the file that is the Windows virtual machine, the virus can corrupt my OS X installation if it is aware of Parallels and writes to (or deletes files from) \\.PSF\.Mac. Not good.

I Google this (as I do nearly everything) and I find that the topic has already been debated (to death and beyond) on the Parallels forums. From the responses in that never-ending thread, it doesn't look like the Parallels team sees this as a security issue. I certainly do. Drag and drop between a guest and host machine is wonderful but I don't believe that it's worth the security risks of opening up the host machine's boot drive to the guest.

Parallels has an option for disabling this feature. To deactivate the global share, select your VM and click on the Configuration link. In the Configuration Editor, select Shared Folders and disable the checkbox next to the Enable global sharing for drag-and-drop option.

Comments