Gandalf_The_Grey
Two different exploits for an unpatched Parallels Desktop privilege elevation vulnerability have been publicly disclosed, allowing users to gain root access on impacted Mac devices.
Parallels Desktop is virtualization software that allows Mac users to run Windows, Linux, and other operating systems alongside macOS. It is very popular among developers, businesses, and casual users who need Windows applications on their Macs without rebooting.
Security researcher Mickey Jin published the exploits last week, demonstrating a bypass of the vendor's fixes for CVE-2024-34331, a privilege elevation flaw fixed in September.
That flaw, first discovered in May 2024 by Mykola Grymalyuk, stemmed from a lack of code signature verification in Parallels Desktop for Mac.
Jin says he released the exploits for the zero-day patch bypass after the developer allegedly left it unfixed for over seven months.
"Given that the vendor has left this vulnerability unaddressed for over seven months—despite prior disclosure—I have chosen to publicly disclose this 0-day exploit," explains Jin in a technical writeup.
"My goal is to raise awareness and urge users to mitigate risks proactively, as attackers could leverage this flaw in the wild."
In conclusion, all known versions of Parallels Desktop, including the latest, are vulnerable to at least one exploit.

Exploits for unpatched Parallels Desktop flaw give root on Macs