Before Months started to get this annoying update popup for updating my Parallel Desktop and I kept cancelling the update by clicking “Remind me Later” but the last time I was free and I thought lets see what will happen If I clicked install now and check what will happen after. it wasn’t my intention to really update the app I was carious of how to get rid of the alert without actually updating the software and that’s how it all started.
The Vulnerability Information as follows:
It will allow a remote attacker to give false and fake updates to the user remotely with a text of the attacker choice like which features are available on the app, and he can put malicious links as will to trick the user of clicking it and download entirely not related martial. And in the same time an attacker can supply the path of the application he wish to download into the user machine if the user choose to click on “update now” button. This of course will allow the attacker to gain access to the user machine with higher privileges. usually it’s root. This attack can take place as Man in the middle aka MITM or a local attacker can perform it to get higher access on the same machine. Tried to inform the company with no single reply from there side. I will not release the exploit code until the company fixes the vulnerability since we don’t need more attacks. What happened in the first of 2020 is more than enough 🙂
The proof of concept “PoC”