
th0masp

macrumors 6502a
Original poster
Mar 16, 2015
Hi, I'm running Windows 10 as a virtual machine via Parallels under macOS. This VM is currently only being used to run a proprietary messenger client and I'd like to disable Win Defender entirely as well as a bunch of other services to cut down on resource usage.

I'm not surfing the web nor am I reading my emails from within the VM, this is only for one messenger client. I may be adding other messengers depending on work requirements (if they lack a suitable macOS client). My question is how safe the VM can be expected to be without any firewall/virus scanner inside itself.

Just wondering in case this VM gets compromised in some way - is there any way for an infection (virus, ransomware or the like) to spread on the host? Or would it have to be an attack targeted at macOS and specifically written with Parallels in mind?

I would not care if the VM had to be torched in case of an infection: chat logs and media files are kept in the cloud anyway.
 
Highly unlikely. A piece of malware intended to infect or damage the Windows filesystems would be useless when placed in the Mac file system (ignoring that I believe the macOS system files are typically immutable?)

You’d have to have malware that is designed to infect a Windows VM, exploit a flaw to break out of its VM box to the host, then exploit a macOS flaw.

It just doesn’t exist.
 
> You’d have to have malware that is designed to infect a Windows VM, exploit a flaw to break out of its VM box to the host, then exploit a macOS flaw.

Yes, that's what I was assuming.

And with the main attack vector (?) of the user downloading and executing files from within Windows taken out of the equation I guess there's very little that could affect me either way.

Getting rid of numerous Windows background services now, kind of a heavy OS to deal with for my aging MacBook Pro.
 
It's definitely possible. There's a lot of communication between the host and a VM, especially if you have the tools/additions/integration installed in the VM, but even if you don't, there is a class of malware that targets hosts from a VM. It's not easy, but it is doable. If your VM has access to the internet, have AV installed at the least.
 
> It's definitely possible. There's a lot of communication between the host and a VM, especially if you have the tools/additions/integration installed in the VM, but even if you don't, there is a class of malware that targets hosts from a VM. It's not easy, but it is doable. If your VM has access to the internet, have AV installed at the least.

Yes, the Parallels integration is installed and in order for the messenger to function the VM does have (some) internet access.

How would this kind of malware be able to locate and access my VM? It's behind a router and cable modem on a laptop with an active (macOS) firewall.
 
> Yes, the Parallels integration is installed and in order for the messenger to function the VM does have (some) internet access.
>
> How would this kind of malware be able to locate and access my VM? It's behind a router and cable modem on a laptop with an active (macOS) firewall.

Whatever messenger you're using sounds to be the most vulnerable way, but I'd really have to see the VM itself and what's exactly running on it. There's not a problem for someone to find your laptop from the internet unless you have a public IP, but that doesn't mean something in the VM might not announce itself somewhere.

The chances are slim, I agree, but assuming it's bulletproof is not right either. I pretty much just assume the whole machine is vulnerable; I stay safer that way. If you really want to lock it down more, ditch the Parallels integration services and disable SMB (anything the host and guest can see each other with).
 
> Whatever messenger you're using sounds to be the most vulnerable way, but I'd really have to see the VM itself and what's exactly running on it. There's not a problem for someone to find your laptop from the internet unless you have a public IP, but that doesn't mean something in the VM might not announce itself somewhere.
>
> The chances are slim, I agree, but assuming it's bulletproof is not right either. I pretty much just assume the whole machine is vulnerable; I stay safer that way. If you really want to lock it down more, ditch the Parallels integration services and disable SMB (anything the host and guest can see each other with).

The messenger is an in-house tool that a tech company I contract for mandates. I believe it's not in use anywhere else. It's a modern, frequently updated tool, not some old kludge, but I don't know if that would make it more or less secure. :p
Apart from that it's vanilla Windows 10 for now.

If I were to take out the integration and SMB, I'd lose the ability to drag & drop from a macOS program window into the messenger as well as the ability to directly load and save to my Mac user folder, correct? If so, that's not really a realistic option, it would make using the messenger in a VM too cumbersome I'm afraid.
 
> The messenger is an in-house tool that a tech company I contract for mandates. I believe it's not in use anywhere else. It's a modern, frequently updated tool, not some old kludge, but I don't know if that would make it more or less secure. :p

That's most likely secure unless you have an enemy that has access to it too. The fact that it's not publicly accessible does wonders for security.

> Apart from that it's vanilla Windows 10 for now.

I think I'd still run Defender on it if I were you, it really doesn't take up much CPU. Most likely not needed until it is, unfortunately. Also, the reason I said disable SMB and the integration components is there is a possibility of getting a virus over a LAN via that type of access. I can't disable SMB, but one of my primary duties is to make sure the whole LAN stays clean. We run 3rd party AV that I monitor closely.

> If I were to take out the integration and SMB, I'd lose the ability to drag & drop from a macOS program window into the messenger as well as the ability to directly load and save to my Mac user folder, correct?

Yep, but it also means your Mac can infect your VM and your VM can infect the Mac (and the rest of your LAN). If you need it, you need it, but that just tells me you should run AV. I do in all my VMs that have any kind of access to the host or LAN (on both the Mac and Windows hosts).
 
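A read-only check of the guest-side settings this thread weighs (Defender, SMB, the Windows firewall, and drives that reach outside the VM), added here as an example and not posted by any participant. It assumes an elevated PowerShell session inside the Windows 10 guest; the 7-day signature threshold is an arbitrary illustrative value, and whether integration-provided shared folders appear as network-backed drives depends on how they are mounted.

```powershell
# Added example: read-only audit of a Windows 10 guest. Changes nothing.
# Run elevated inside the VM; the SMB cmdlets need administrator rights.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Microsoft Defender: real-time protection and signature freshness.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is OFF')
    }
    if ($mp.AntivirusSignatureAge -gt 7) {   # 7 days: illustrative threshold
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
    }
} catch {
    $findings.Add('Defender status unavailable (service disabled or removed)')
}

# 2. SMB server side: legacy protocol and anything the guest exports.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings.Add('SMBv1 server protocol is enabled') }
if ((Get-Service -Name LanmanServer).Status -eq 'Running') {
    # Special = built-in administrative shares (ADMIN$, C$, IPC$); list the rest.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $findings.Add("Guest exports share '$($_.Name)' -> $($_.Path)")
    }
}

# 3. Windows Firewall: every profile should be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("Windows Firewall profile '$($_.Name)' is disabled")
}

# 4. Drives backed by a UNC path, i.e. storage that lives outside the guest.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like '\\*' } |
    ForEach-Object {
        $findings.Add("Drive $($_.Name): maps to $($_.DisplayRoot)")
    }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Each line of output is one path by which the guest is either unprotected or can read and write outside itself, which is the trade-off between convenience and isolation discussed in the replies above.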