A critical zero-day flaw in Parallels Desktop for macOS has put millions of users at risk. Security researcher Mickey Jin discovered the vulnerability, which could allow attackers to gain complete root access to a Mac system. The flaw bypasses a previous patch, and the vendor’s seven-month delay in addressing the issue has sparked significant concern and criticism from the security community. This situation highlights a major security gap for both individual and enterprise users.
How the Patch Bypass Exploit Works
The discovered vulnerability isn’t an entirely new bug but rather a clever method to sidestep a previous security fix. This patch bypass effectively reopens the door for attackers, rendering the earlier solution useless. The exploit takes advantage of a weakness in a repackaging script that Parallels uses for macOS installers.
Security specialist Mickey Jin identified two primary methods attackers could use to exploit this flaw. These techniques target a brief window of opportunity in the software’s validation process.
- One method involves a time-of-check to time-of-use (TOCTOU) attack, which exploits the tiny gap between when the software verifies a file and when it actually uses it.
- Another approach uses the injection of a malicious dynamic library to execute unauthorized code.
Either route lets an attacker make unauthorized changes through the script and ultimately gain root-level control over the host Mac system.
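The TOCTOU route described above comes down to one pattern: a privileged component checks a file by path, then re-opens the same path to use it, so the bytes that were checked and the bytes that run are not tied together. The Python below is an added illustration, not Parallels' script or Mickey Jin's research; the payloads, the digest, and the `swap` callback (which stands in for whatever changes the file inside the window) are all constructed for the demo. It shows the vulnerable check-then-use-by-path pattern beside the fix a defender would apply: read once, verify those bytes, use those same bytes.

```python
import hashlib
import os
import tempfile
from typing import Callable, Optional

# Constructed sample data: a payload we trust, its known-good digest, and a
# payload that must never be accepted.
TRUSTED_PAYLOAD = b"#!/bin/sh\necho 'trusted installer'\n"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_PAYLOAD).hexdigest()
UNTRUSTED_PAYLOAD = b"#!/bin/sh\necho 'swapped in after the check'\n"

Swap = Optional[Callable[[str], None]]


def verify_then_use_by_path(path: str, swap: Swap = None) -> Optional[bytes]:
    """Vulnerable pattern: verify the file at `path`, then re-open `path` to use it.

    `swap` (a constructed hook for this demo) runs between the two opens and
    models the check-to-use window. Nothing links the bytes that were checked
    to the bytes that are returned, so the second open may see different data.
    """
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != TRUSTED_DIGEST:
            return None  # check failed
    if swap is not None:
        swap(path)  # the window between check and use
    with open(path, "rb") as f:
        return f.read()  # whatever is at `path` now, verified or not


def verify_and_use_same_bytes(path: str, swap: Swap = None) -> Optional[bytes]:
    """Hardened pattern: open once, read into memory, verify those bytes, use
    exactly those bytes. A later change to `path` cannot reach them."""
    with open(path, "rb") as f:
        data = f.read()
    if swap is not None:
        swap(path)  # same window, but `data` is already fixed
    if hashlib.sha256(data).hexdigest() != TRUSTED_DIGEST:
        return None  # check failed on the bytes we hold
    return data  # use the verified bytes, never the path again


def demo() -> dict:
    """Run both patterns against a constructed file that is swapped during the window."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.sh")

        def write_trusted() -> None:
            with open(path, "wb") as f:
                f.write(TRUSTED_PAYLOAD)

        def swap_in_untrusted(p: str) -> None:
            # Models the file being replaced between check and use.
            with open(p, "wb") as f:
                f.write(UNTRUSTED_PAYLOAD)

        write_trusted()
        vulnerable = verify_then_use_by_path(path, swap_in_untrusted)
        write_trusted()
        hardened = verify_and_use_same_bytes(path, swap_in_untrusted)

        # A file that is untrusted from the start is rejected by both patterns;
        # the difference only appears inside the window.
        swap_in_untrusted(path)
        rejected = (verify_then_use_by_path(path) is None
                    and verify_and_use_same_bytes(path) is None)

    return {
        "vulnerable_returned_untrusted": vulnerable == UNTRUSTED_PAYLOAD,
        "hardened_returned_trusted": hardened == TRUSTED_PAYLOAD,
        "both_reject_untrusted_file": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The demo returns the bytes rather than executing them, so the difference is visible without running anything. In a real privileged installer flow the same principle applies one level up: copy the input into a directory the unprivileged user cannot write, then verify and consume the copy, so there is no path the caller can still modify between the check and the use.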
Vendor’s Delayed Response Sparks Outcry
The controversy surrounding the Parallels Desktop flaw has been fueled by the vendor’s slow response. Mickey Jin first reported the vulnerability to the company in July 2024 but was met with prolonged silence.
This lack of timely action, spanning over seven months, has drawn sharp criticism from cybersecurity experts. Many in the community argue that such delays leave countless users unnecessarily exposed to potential cyberattacks and undermine trust in the company’s commitment to security.
Alludo, the parent company of Parallels, eventually acknowledged the communication breakdown. They admitted that internal mix-ups were to blame for the missed messages and requested that Jin temporarily take down his public disclosure until a patch could be developed and released.
A Major Security Risk for Mac Users and Organizations
With an estimated user base of 7 million, the implications of this vulnerability are enormous. The ability for an attacker to gain root access is one of the most severe security threats, as it provides complete control over a system.
For businesses that rely on Parallels Desktop for virtualization, the flaw presents a significant risk. It forces a reevaluation of their security measures and risk management strategies. Companies now face the potential for severe operational disruptions and data breaches if the exploit is used against them.
The incident also casts a shadow over the trustworthiness of widely used software tools and highlights the critical need for prompt and transparent communication between security researchers and vendors.
Timeline of the Parallels Vulnerability
The sequence of events clearly illustrates the significant delay between the initial report and the vendor’s public acknowledgment. This chronology has raised questions about the company’s internal processes for handling critical security disclosures.
Below is a summary of the key events:
| Event | Date / Timeframe |
| --- | --- |
| Initial Vulnerability Report to Vendor | July 2024 |
| Period of No Vendor Response | Over 7 Months |
| Researcher's Public Disclosure | Following the delay |
| Vendor's Public Acknowledgment | After public disclosure |
Pressure is now mounting on Alludo and Parallels to issue a comprehensive fix swiftly. Security professionals and investors are watching closely to see how the company will handle the fallout and what steps it will take to prevent similar incidents in the future.