As a daily user of Parallels Desktop for Mac due to work, I was surprised to know about this unpatched flaw as reported by Bleeping Computer yesterday, Feb 24. If you are a user, take extra measures until there is a new patch issued.
A worrying report but the article does not explain how to “urge users to mitigate risks proactively”. The only prevention seems to be to delete Parallels until a fix is released. With all the things going on in the background I suspect that simply not running Parallels is insufficient protection.
Maybe use alternative virtualisation software?
I’m not a Parallels user, so forgive me if I’ve got something completely wrong.
After reading the linked article, it appears that Parallels has some kind of easy-install feature where you can drag/drop a macOS installer to it, and it will proceed to boot its embedded installer, for easy setup of a VM. And it is this feature that has the privilege-escalation vulnerability.
If so, then this is really only a threat to public systems. An attacker could bring a fake/corrupt installer and use this mechanism to install it. But I’d say that if you’re managing such a system, you probably want to block all installers, including legitimate ones. But maybe Parallels doesn’t let you do that?
On your own Mac, just don’t use this feature until/unless you have independently verified the authenticity of the installer you’re trying to install.
Or is it possible to exploit this without user interaction? For example, is there a magic folder where you can copy installers for auto-installation the next time Parallels starts? If there is, then the feature itself sounds like a disaster waiting to happen.
Yes, I would like to know this also.
If no one has physical access to your machine and you don’t run random scripts and unofficial installers, I’m not sure there is much of a risk.
Today Parallels released an update that seems to close this issue. I just installed it on my Mac.
We have the update covered now. Sounds like it’s just a matter of updating. It affects only Intel-based Macs.