Slashdot Mirror


WINE Still Vulnerable to WMF Exploit

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."

240 comments

  1. Some Cheese with that Wine? by oc-beta · · Score: 0

    I know that you are still exploitable, and that would make anyone whine, I mean, Wine.

    1. Re:Some Cheese with that Wine? by jacquesm · · Score: 0
      yes, please... It's really annoying to see that you have successfully implemented a version of someone else's security holes.


      backwards compatibility only goes so far I guess.


  2. Finally! by A+beautiful+mind · · Score: 4, Funny

    We can say now that Linux is truly ready for desktop because it catched up to Windows in these important features aswell!

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:Finally! by Overly+Critical+Guy · · Score: 1

      Except for a grammar catcher!

      --
      "Sufferin' succotash."
    2. Re:Finally! by norite · · Score: 1

      Uh, in case you hadn't noticed, he was joking, you dork....

      --
      -- Fuck Beta
  3. I had no idea... by MichaelSmith · · Score: 5, Funny

    ...that wine provided so much of the normal windows user experience. I must start recommending it to my friends

    1. Re:I had no idea... by Anonymous Coward · · Score: 0

      > ...that wine provided so much of the normal windows user experience. I must start recommending it to my friends

      You've misunderstood. What's being said is that you have to be drunk to use Windows. ;-)

  4. So... by ImaLamer · · Score: 5, Interesting

    Should I be worried about my Fake Windows security or am I at no risk as long as I don't run "sol.exe" as root?

    How far can someone get by working over WINE with this exploit?

    1. Re:So... by Craig+Davison · · Score: 3, Interesting

      You don't need to be root to send out 1000 spams/minute.

    2. Re:So... by petermgreen · · Score: 1

      most likely they can get whatever privileges wine is running with. so in a normal linux desktop that would probably mean the user's data and normal user level network access (so it could hit any non-secured resources on the lan, send spam etc but couldn't mess around with low level packets or listen on a privileged port).

      and if the user ever uses su/unrestricted sudo then they could get root by laying a trap.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  5. I'm confused as to why that matters? by MikeSty · · Score: 0

    Just ... uhh .. disable it?

  6. Uh, oh . . . somebody had better notify CERT. by mmell · · Score: 3, Funny

    So that they can add it to their already lengthy list of known LINUX exploits!

    1. Re:Uh, oh . . . somebody had better notify CERT. by Phillup · · Score: 2, Insightful

      Once for each version and vendor... (even tho it is one exploit)

      --

      --Phillip

      Can you say BIRTH TAX
    2. Re:Uh, oh . . . somebody had better notify CERT. by rvw · · Score: 1

      Embrace and destroy! This must be better than throwing chairs!

  7. not really a bug... by farib · · Score: 0, Redundant

    Just a feature, as usual !

  8. Kudos to WINE by DrXym · · Score: 5, Interesting
    For implementing Win32 so closely that you can actually be infected with Win32 exploits. I suspect that the effects wouldn't be as bad as the real thing though.

    On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

    1. Re:Kudos to WINE by cnettel · · Score: 1
      You add a configuration flag, defaulting it to OFF.

      I would also guess that it's quite uncommon that the same exploiting code actually works, as many addresses will be different from a normal XP system. The same vector, i.e. a malformed WMF file resulting in a call to the abort proc of choice, is still possible, though.

    2. Re:Kudos to WINE by Afecks · · Score: 5, Funny

      On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

      WINE IS NOT AN EMULATOR!

    3. Re:Kudos to WINE by MBGMorden · · Score: 0

      Yes it is, regardless of what the authors call it.

      Sure it's an "implementation" of the Windows API. I could just as easy call any other emulator an "implementation" of that hardware.

      It is one piece of software that is designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality. That, my boy, is an emulator.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    4. Re:Kudos to WINE by Fordiman · · Score: 1, Informative

      It's an API simulation layer. An emulator does the WHOLE environment. Wine does not do this, or you'd be able to use it under ppc linux.

      Meanwhile, this tells me one thing: Windows used an OSS vector graphics lib to implement WMF, as did wine. They're both exploitable under the same lib.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    5. Re:Kudos to WINE by AKAImBatman · · Score: 2, Informative

      It is one piece of software that is designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality. That, my boy, is an emulator.

      Too bad that doesn't describe WINE. WINE is a run-time linker with a set of bundled libraries designed to be API compatible with the core Windows libraries. Absolutely NO emulation is happening.

      Now there is a WINE for OS X project going on that uses QEmu (or was it bochs? I forget) to do actual emulation of the x86 instruction set, but that's a completely separate project from WINE. QED.

    6. Re:Kudos to WINE by Quantam · · Score: 2, Informative

      What I want to know is whether Wine is vulnerable to this design flaw that allows hardware enforced data execution protection to be remotely disabled by a clever buffer overflow (one that injects no code of its own, so cannot be prevented by DEP). I should mention that I submitted this story to Slashdot, but it was rejected.

      --
      You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
    7. Re:Kudos to WINE by Rakshasa+Taisab · · Score: 1

      And GNU is Not Unix...

      --
      - These characters were randomly selected.
    8. Re:Kudos to WINE by DavidTC · · Score: 2, Insightful
      That logic is crazy. That makes Perl on Windows a 'perl emulator', or Gnome libraries on Windows a 'Gnome emulator'.

      An emulator is a reimplementation, but it is not a mere reimplementation of something. They are reimplementations at different levels. Normally it's with parts of hardware mimicked by software.

      Wine is at basically the same level as the original Windows...it's a bunch of libraries that have functions in them. These libraries do stuff, and sometimes talk to the OS. (And, in the case of Wine, X.)

      There are a few parts of it where you could argue there is 'emulating' going on, where the software doesn't actually talk to any hardware, it just claims to, but wine is not itself an emulator, even if small parts are.

      1) Whether there is anything beside that that could legitimately be called an emulator is an interesting question.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    9. Re:Kudos to WINE by Richard_at_work · · Score: 1
      Some definitions of 'emulation':

      • Dictionary.com:
        1 Effort or ambition to equal or surpass another. 2 Imitation of another.

      • Oxford Dictionary:
        verb try to equal or surpass, typically by imitation.

      • Cambridge Dictionary:
        to copy something achieved by someone else and try to do it as well as they have

      • Merriam-Webster:
        3 a : IMITATION b : the use of or technique of using an emulator
        • and for 'emulator':
          1 : one that emulates 2 : hardware or software that permits programs written for one computer to be run on another usually newer computer


      Personally, WINE tries to equal or surpass Win32, especially by imitation. WINE copies something achieved by someone else and tries to do it as well as they have. WINE is software that permits programs written for one computer to be run on another computer.

      WINE fits all of those criteria, and can be called an emulator.
    10. Re:Kudos to WINE by truthsearch · · Score: 2, Insightful

      "a set of bundled libraries designed to be API compatible"

      "designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality"

      What's the difference?

      Aren't the libraries bundled with WINE written to mimic the responses of the equivalent Windows APIs? Sounds like emulation to me.

    11. Re:Kudos to WINE by IamTheRealMike · · Score: 4, Interesting
      FWIW I've spent several years as a Wine developer, and I definitely consider it to be emulation.

      That said, this story is just a lot of scaremongering from ZDNet. Sure, you could be hacked through this if you run IE in Wine and use it as a general web browser (which I doubt anybody does), but the damage would be limited to the virtual Windows environment which can be blown away and reset in 20 seconds. It's not like the reinstall from scratch job a real Windows would require. Wine also ignores any startup entries software may install.

      Still, it should be fixed, probably in the same way that MS did it. And in fact Marcus has already posted a patch that would do this, so I expect it'll be fixed soon enough.

    12. Re:Kudos to WINE by RonnyJ · · Score: 1
      WINE IS NOT AN EMULATOR!

      I hear quite often how WINE is merely an implementation of the Win32 APIs, etc, but this begs one question:

      If Microsoft made some error in implementing their own Win32 API, i.e. not to the correct specification, would the WINE developers implement the Win32 API as it 'should be' (thus breaking applications that use it), or would they 'emulate' the broken code? I have a distinct feeling that it'd be the latter.

    13. Re:Kudos to WINE by Eideewt · · Score: 2, Informative

      Ooh, you have dictionaries. Here's the thing: a regular dictionary isn't always a reliable source when you're defining technical terms.

    14. Re:Kudos to WINE by minus_273 · · Score: 1

      you know if you just accepted that wine emulates windows but not x86, there would be no argument.

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
    15. Re:Kudos to WINE by TubeSteak · · Score: 1
      a regular dictionary isn't always a reliable source when you're defining technical terms.
      Answers.com does a pretty good job of defining technical terms
      http://www.answers.com/snafu

      --
      [Fuck Beta]
      o0t!
    16. Re:Kudos to WINE by AJWM · · Score: 1

      If Microsoft made some error in implementing their own Win32 API, i.e. not to the correct specification,

      According to Microsoft, if such a situation were to arise, the specification would be in error. Where differences exist between Microsoft's documentation and Microsoft's implementation, the implementation is correct. (At least in released code.)

      --
      -- Alastair
    17. Re:Kudos to WINE by Anonymous Coward · · Score: 0

      This doesn't beg a question at all. It brings up a question. Idiot.

    18. Re:Kudos to WINE by ajs318 · · Score: 1

      Begging a question is bringing up a question!

      --
      Je fume. Tu fumes. Nous fûmes!
    19. Re:Kudos to WINE by Anonymous Coward · · Score: 0

      It is one piece of software that is designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality. That, my boy, is an emulator.

        So linux is a unix emulator? w00t! I R EMUALATNIG J00N1X!!!!1!
      I'm glad the word "emulator" doesn't mean anything specific anymore, I feel so much more 1337 that way. Where do I download some d3b14n r0mz?

    20. Re:Kudos to WINE by Anonymous Coward · · Score: 0

      This is the stupidest post I've seen in my entire life. "If you just agree with me, there'd be no argument." Obviously, jackass.

    21. Re:Kudos to WINE by say · · Score: 1

      Windows and WINE are both implementations of the Win32 API. So by that standard, Windows would also be an emulator. That certainly doesn't make sense. If you make a dish in the same way as a chef on TV, you would be the cook who made that dish, not a person emulating the cook who made the same dish somewhere else.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
    22. Re:Kudos to WINE by jsight · · Score: 1

      If Microsoft made some error in implementing their own Win32 API, i.e. not to the correct specification, would the WINE developers implement the Win32 API as it 'should be' (thus breaking applications that use it), or would they 'emulate' the broken code? I have a distinct feeling that it'd be the latter.


      Yes... Wine's approach to compatibility is to be "bug for bug" compatible. This means that Wine would reimplement the bug.

      Technically in the case of security issues, they may not always do this, though.
    23. Re:Kudos to WINE by NoMercy · · Score: 1

      Technically, emulation is going on, it's API emulation, not CPU instruction emulation though. So in one sense W.I.N.E. is true, in the other it's not... which probably makes it a dual-meaning, self-referencing.. oh I give up.

    24. Re:Kudos to WINE by Anonymous Coward · · Score: 0

      Begging a question is a logical fallacy, not bringing up a question, presenting a question, or questioning a question, or being interrogated. In fact, Begging The Question has nothing to do with a query of any kind, and it especially has nothing to do with queers (except for when people use the term incorrectly, in which case calling said person queer is certainly acceptable!) Begging the question is a claim in which the proof for the claim exists.

      If I were to say that begging the question is proof that begging the question means what I say it means, I would indeed be begging the question, and so that's what I'm doing. It's not my fault that someone gave this action such a stupid name, but so it stands. Now get off of it, you goddamned queer! Goddamnit!

    25. Re:Kudos to WINE by Pete · · Score: 1
      ajs318:
      Begging a question is bringing up a question!

      Begging for a question, perhaps. But begging the question is another thing.

      You're welcome. :-)

    26. Re:Kudos to WINE by Dr.+Evil · · Score: 1

      Yep.... or... I have to agree. At the time that WINE was starting, emulation was a big deal, there were a few apps out there like Soft PC or Executor and they were as slow as mud. It was important to distinguish it from those lost causes.

      Now I don't think it would mislead anyone to call it an emulator, even though it isn't emulating the CPU instruction set, but is instead emulating the API.

    27. Re:Kudos to WINE by Minna+Kirai · · Score: 1

      An emulator is a reimplementation, but it is not a mere reimplementation of something. They are reimplementations at different levels.

      Funny how that is nowhere in the definition of "emulator", either in standard English, or the Computer Science / Software Engineering specialities.

      So, your whole position depends on a factoid summoned from your personal authority...

      If Wine weren't emulating Microsoft Windows, then whenever Windows was found to have a bug not mandated by Microsoft's published specifications, they wouldn't go ahead and copy it.

      Normally it's with parts of hardware mimicked by software.

      So what you're saying is that a "software emulator" is by definition impossible, and that "hardware emulator" is a redundant phrase. Alrighty then.

    28. Re:Kudos to WINE by Minna+Kirai · · Score: 2, Insightful

      a regular dictionary isn't always a reliable source when you're defining technical terms.

      In the technical terminology of Computer Science, an emulator is some system which intentionally behaves like some other system. From a technical perspective, it doesn't matter at all if you are emulating hardware or software... conceptually, it's all the same thing.

      The people who argue "Wine is not an emulator" are incorrectly using "emulator" as an abbreviation "hardware emulator", since that was the first place they heard of "emulator" programs.

      That's similar to how some people act like "console" means a video-game machine, when really there are many other kinds of consoles.

    29. Re:Kudos to WINE by Mancat · · Score: 3, Insightful

      The WMF format has been around quite a while, since Windows 3.0 IIRC. I'm not saying it's not possible, but not too likely. I don't know how many open-source vector graphics libraries existed around 1990.

      --
      hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
    30. Re:Kudos to WINE by Anonymous Coward · · Score: 1, Informative

      "Windows used an OSS vector graphics lib to implement WMF, as did wine"

      Bullshit. No "vector graphics" lib is used to implement WMF let alone OSS. It's more like a list of "Draw a rectangle there", "Blit this surface to that" calls.

    31. Re:Kudos to WINE by Johan+Palmqvist · · Score: 1

      If Wine emulates anything at all it's probably just a small program loader, a few libraries or even less. That's far from emulating an operating system. The Win32 applications, IMHO, actually execute as native Linux binaries but they're partly using Win32 API-compatible libraries.

      It can be compared to Cygwin which is a bunch of GNU-stuff ported/recompiled for Win32 by using a Windows-native POSIX library to fill in the gaps in Windows' own APIs. It's just a DLL but I would NEVER EVER call it a Linux emulator.

    32. Re:Kudos to WINE by Richard_at_work · · Score: 1

      So essentially you are rejecting all definitions that fail to meet your own requirements. Nice.

    33. Re:Kudos to WINE by Elektroschock · · Score: 1

      Wine has several problems which inhibit it from taking off:
      * it is managed in a non-transparent and autocratic way; lead developers have no management skills but do the stuff themselves
      * no real communication to the community about what is going on
      * weird rocket science
      * it is not properly modularised
      * no lobbying position of Wine to force MS to lay open more interfaces while MS is grilled by the authorities
      * no proper business relations and financial resources, no real fundraising

      I am sure there are people interested in reverse engineering Windows but the Wine project is not very open. So too few people take control of too much code which they will never be able to debug. The result is a buggy incomplete emulator. You do not need a worm or virus to crash Wine. Unfortunately Wine does it for you.

    34. Re:Kudos to WINE by Anonymous Coward · · Score: 0

      Is GTK+ running on Windows emulating GTK+?

    35. Re:Kudos to WINE by Eideewt · · Score: 1

      Not at all. I don't even have an opinion on the matter. I'm just passionate about not using dictionaries as if they're the last word on any subject.

    36. Re:Kudos to WINE by DavidTC · · Score: 1
      Funny how that is nowhere in the definition of "emulator", either in standard English, or the Computer Science / Software Engineering specialities.

      First of all, 'emulator' is a jargon term. If it does have a meaning in standard English, that meaning is more than likely completely unrelated to computers at all.

      Anyway. 'A software emulator allows computer programs to run on a platform (computer architecture and/or operating system) other than the one for which they were originally written. Unlike a simulation, which only attempts to reproduce a program's behavior, an emulation attempts to precisely model the state of the device being emulated.'.

      And note that Wikipedia thinks all emulators are 'software emulators', that is, run in software.

      If Wine weren't emulating Microsoft Windows, then whenever Windows was found to have a bug not mandated by Microsoft's published specifications, they wouldn't go ahead and copy it.

      Sadly for your point, this bug was mandated by Microsoft's published specification. WMF operates by callbacks in the GDI. That is how WMF is supposed to work.

      One of the things it could call allowed it execute random code. This is how that function is supposed to work.

      There was no 'coding error' here, there was a problem in the implications of the specification not being fully thought out.

      Although your point would be wrong even if it was an implementation bug. They don't sit and write code for every behavior. They figure out what function calls are trying to do and recreate them. They could have trivially discovered the buggy behavior of the certain function call and coded WINE to do that without realizing it was a security error.

      I think you're assuming that, for some reason, they operate off the documentation. Not only is that completely unrelated to whether or not something is an emulator, that is not what they do, because Windows API documentation is crap, because there are so many special cases not mentioned.

      So what you're saying is that a "software emulator" is by definition impossible, and that "hardware emulator" is a redundant phrase. Alrighty then.

      That's funny, because those two phrases actually mean the same thing.

      When people talk about 'software emulators', they mean an emulator written in software. When they talk about 'hardware emulators', they mean something that emulates hardware.

      Search for them on google if you don't believe me. Feel free to find any counter examples, because I'm not seeing them. No one ever uses the term 'software emulator' to mean 'thing that emulates software', because no one talks about emulating software at all.

      OTOH, chipmakers and IC designers do use the term 'hardware emulator' to refer to hardware-aided simulations. You can argue this proves me wrong, but I didn't say all emulations were in software, I said they were at a 'different level', and using a bunch of cobbled-together relays and whatnot controlled by a computer to operate the display of a stereo is certainly a different level than a finished integrated circuit to do so. (Whereas, for example, using a different IC that mimics the first is not.)

      --
      If corporations are people, aren't stockholders guilty of slavery?
    37. Re:Kudos to WINE by minus_273 · · Score: 1

      not so obvious because they are arguing about two different things.

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
    38. Re:Kudos to WINE by xtracto · · Score: 1

      WINE is to Windows API what MesaGL is to OpenGL.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  9. Emulated First Post by extremescholar · · Score: 0

    This post is set to run under Linux, but to be vulnerable to Windows bugs. Bug for bug compatibility!

    --
    Using the Freedom of Speech while I still have it.
  10. Make a copy? by vandon · · Score: 5, Interesting

    Can't you just make a copy of the fixed gdi32.dll from a working windows machine?

    1. Re:Make a copy? by cnettel · · Score: 5, Informative

      No, the Win32 version is (mostly) just calling down to the Win32K.sys file in the kernel. This isn't present in WINE. There are also other issues, but this single fact is the killer that makes it totally impossible to work. (aside from licensing issues :-)

    2. Re:Make a copy? by Anonymous Coward · · Score: 0

      Does Win32K.sys require that the Windows kernel be running, or only that it be on the machine (for dualbooters)?

  11. That's just wrong... by John3 · · Score: 2, Funny

    So in this situation, Windows systems updated with the most recent patch are more secure than machines running WINE.

    TGIF cause stuff like this makes my head hurt.

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    1. Re:That's just wrong... by Fordiman · · Score: 3, Insightful

      Think statistics.

      How many applications that pass WMFs (ie: email clients and browsers) do you use under linux that require Wine? Now how many do you use under windows that would be potentially exploited?

      This is far less serious for Linux users than Windows users.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    2. Re:That's just wrong... by Wonko · · Score: 1

      So in this situation, Windows systems updated with the most recent patch are more secure than machines running WINE.

      Possibly in theory, but not likely in practice. I would bet that most people who have Wine installed don't actually even use it. The rest of the people that do use it likely only use it for a handful of specific programs.

    3. Re:That's just wrong... by laffer1 · · Score: 1

      Well i don't use ie in windows, but that doesn't mean I can't get attacked through it. :)

      I think it's sad that Microsoft beat open source to a patch. Let's get it together people!

    4. Re:That's just wrong... by Dimensio · · Score: 1

      Ignoring the fact that most people aren't using Wine to run the Windows software that would really be susceptible to this vulnerability, how dangerous is it for Wine to be vulnerable? What kind of damage could really be done? Could it actually affect things in a user's $HOME directory? I'd think that it would only be limited to the virtual drives mapped under Wine. And it's not like anyone runs Wine with full root permissions, so even then the damage is going to be severely limited.

  12. Talk about bug-for-bug compatibility! by Kelson · · Score: 0, Redundant

    I mean, I'd heard the phrase bandied about, but it looks like WINE actually achieved it with its WMF functions!

  13. Transmeta Crusoe by suso · · Score: 4, Informative

    This reminds me of the initial press release on the Crusoe, one of the clueless reporters in the audience thought that the Crusoe would somehow avoid Windows crashing. One of the Transmeta people pointed out to him that if Windows crashes, the Crusoe will faithfully crash in the same way.

  14. Asleep at the wheel? by Anonymous Coward · · Score: 0

    Hello? Anyone awake? All too busy at CSE?

  15. Isn't that the Goal? by lordofthechia · · Score: 3, Interesting

    After all, from winehq.org: "Wine has always strived for "bug for bug" compatibility"

    --
    Georgia Tech, the leader in Chia(tm) technology.
  16. Perfect emulation by miscz · · Score: 5, Funny

    This shows how great Wine is. It even emulates exploits and being late with the patches! Hurray for Wine!

  17. serious question by js3 · · Score: 2, Interesting

    does anyone use wmf files?

    --
    did you forget to take your meds?
    1. Re:serious question by fred_sanford · · Score: 3, Insightful

      it doesn't have to be a wmf file to be effected. jpg, gif, bmp, that use wmf headers can still execute code.

    2. Re:serious question by Anonymous Coward · · Score: 1, Interesting

      I used to use it to insert vector images in Word. It was the only real alternative since Word didn't support anything more serious like .ai, .pdf or .eps.

    3. Re:serious question by Anonymous Coward · · Score: 0

      Windows media player uses compressed WMFs for skin files.

    4. Re:serious question by ciroknight · · Score: 1

      Yes.

      This website for example has quite a bit of WMF files. The internet is teeming with them. Oh, you think they have to end in .wmf, I see. Well, you'd be mistaken. Any image format (_any_) that Windows understands is a WMF file. That's right, all of them. Not only that, but quite a few document formats also fall under that umbrella, but most of them are Windows-proprietary anyways.

      Thanks for trolling!

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    5. Re:serious question by innocent_white_lamb · · Score: 2, Informative

      A small business that I do some consulting for has stacks (literally) of CD's containing clipart in WMF format. Based on that, I would say that WMF appears to be a common format for commercial-off-the-shelf clipart disks.

      --
      If you're a zombie and you know it, bite your friend!
    6. Re:serious question by cnettel · · Score: 1, Informative
      Nice story, but it's wrong. A Windows meta file is a spooled set of GDI commands, nothing more, nothing less. That said, some high-level picture libraries will look for several types of image headers in the files they're fed, no matter the extension. The LoadBitmap API in GDI will not. You can load a BMP, JPG or PNG that way in any recent Windows release.

      Get your facts straight or stop feeding the trolls.

    7. Re:serious question by jlarocco · · Score: 2, Informative

      A WMF file is a very specific file format that contains a list of Windows GDI calls that describe how to draw an image. So obviously, most images on the interweb are not WMF files.

      It is possible to make a WMF file that lists the GDI calls to display a GIF/JPG/whatever file, but that still doesn't make the GIF/JPG/whatever files themselves WMF files.

    8. Re:serious question by Anonymous Coward · · Score: 1, Interesting

      jpg, gif, and bmp files can not have "wmf headers".

      You can make a WMF file that displays a jpg, gif, or bmp, but that's a bit different from the jpg, gif, or bmp having a "wmf header". It's a subtle difference.

    9. Re:serious question by Anonymous Coward · · Score: 0

      sed -e "s/effected/affected/"

      Dear heavens, man, that's nastier than you're/your. Doesn't it pain you to look at your typing and see that kind of sickening error?

    10. Re:serious question by Anonymous Coward · · Score: 0

      Not only that, Word crashes using any vector image file except WMF!

      Disclaimer: I haven't used Word after Office 2000.

      I tried to embed vector graphics in every format that Word accepts, including WMF, CDR, EPS (contrary to original post, Word does take EPS files -- poorly) and DXF (although just now when I looked at the Insert->Picture->From File dialog, I don't see DXF, I am certain that it used to!) and the only format that didn't cause Word to crash randomly when opening/editing/saving doc files was WMF. This is really the only reason that I ever used WMF files. I used to routinely convert vector graphics files to WMF for this very reason.

  18. I don't understand by overshoot · · Score: 5, Interesting
    The WINE libraries don't even include an equivalent of the DLL that causes the problem for Microsoft.

    How does WINE manage to duplicate a flaw in a function that WINE doesn't even implement?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:I don't understand by makomk · · Score: 2, Interesting

      I expect it's like Windows 98 - you can't get infected by websites, but you can get infected by viewing a WMF using some program that uses the Windows API to display them. (For example, most Word clipart is WMFs, IIRC.)

    2. Re:I don't understand by Anonymous Coward · · Score: 2, Informative

      The flaw is in gdi32.dll; WINE implements gdi32.dll. I'm not sure if WINE implements shimgvw.dll, but that is not where the flaw technically is; that just happens to be the easiest way to exploit the flaw.

    3. Re:I don't understand by A+beautiful+mind · · Score: 3, Funny

      "/* Heavy wizardry */"

      (If you know Perl, you'll understand)

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    4. Re:I don't understand by cnettel · · Score: 5, Insightful

      The DLL in question is a common library used to load and view image files. The real WMF parsing is going on in GDI32 and Win32K.sys (GDI32 relies on Win32k, which is generally not called directly), though. So, you can't run explorer.exe from XP to get fancy thumbnails, but you CAN open an exploiting WMF file in several programs, and get the exploit all for free. As I noted in another comment, it's unlikely that a WMF effective on XP would also be effective on WINE, as it will probably be relying on the specific address space layout, though.

    5. Re:I don't understand by Bogtha · · Score: 1

      I seem to remember that if you have Windows installed on another partition, WINE can optionally use the original Windows DLLs. Presumably, this is the configuration that is vulnerable.

      --
      Bogtha Bogtha Bogtha
    6. Re:I don't understand by Tim+Browse · · Score: 2, Informative
      I very much suspect that WINE does implement the parsing/decoding of WMF files, and that is where the problem is. The WMF format allows the file to specify an error handler, which is the cause of the problem.

      Don't get hung up on gdi32.dll or shimgvw.dll or whatever - it's the API itself that WINE implements, not specific DLLs and entry points (although it might provide shim for those for some apps) and that's where the problem is.

    7. Re:I don't understand by Krach42 · · Score: 1

      The WINE libraries don't even include an equivalent of the DLL that causes the problem for Microsoft.

      http://cvs.winehq.org/cvsweb/wine/dlls/gdi/

      WTF are you talking about?

      --

      I am unamerican, and proud of it!
    8. Re:I don't understand by Ignominious+Cow+Herd · · Score: 1

      This vulnerability is simply a poorly designed API call. In a real sense, the exploit is using the API as it was designed to be used.

      The SetAbortProc function is used by applications to get a notification to stop printing when their print job was aborted by the spooler. I think most applications don't use it, but it is still part of the GDI API.

      Wine just implements that API.

      WMF files contain GDI calls in a meta-file format. As I understand it, the exploiting WMF files contain a record which calls SetAbortProc, passing a pointer to code (also in the WMF file) which contains the exploit - that code could do anything.

      The WMF file _should_ be loaded as data and not executable - I've read that newer CPUs that disable data execution are not susceptible for this reason. Other CPUs will just go ahead and execute the data in the WMF file.

      I _guess_ that the proper fixes for this detect whether the caller is coming from a WMF file or a normal application and only block the WMF file instance.

      --
      Lump lingered last in line for brains, and the ones she got were sorta rotten and insane.
  19. This can't be! by Anonymous Coward · · Score: 0

    Wait, but isn't Wine OSS? How can it be that M$ has delivered a patch to a vuln but an OSS that suffers from the same problem is still lagging behind. Why doesn't some intrepid OSS developer just jump in and fix it? Isn't that the promise of OSS. Oh well, thanks to the power of OSS, every single Wine user can just download the latest source, fix the affected code, and rebuild the binaries themselves. Oh and hope that the next release doesn't wipe out what they just did, or that they have the development resources to do the fix correctly and not make things worse.

  20. Not that insecure by Beuno · · Score: 1

    Considering wine runs on top of Linux, as long as you don't play with knives (AKA run things as root), this shouldn't be a problem.
    Well, unless you are worried about your fake Windows...

    1. Re:Not that insecure by cnettel · · Score: 3, Informative

      Well, if you run as the same user as your normal home directory, it can be devastating enough. It's not like you need to be root to send out a thousand mails with your "personal" pictures transformed into virus vectors.

    2. Re:Not that insecure by SanityInAnarchy · · Score: 1

      Which is why I usually set up Wine to not allow access to my normal home directory. Meaning they'd have to completely take over my Wine, with full knowledge of what Wine is and what Linux is, in order to have that kind of access.

      Does this vulnerability allow that?

      As it is, only a program which allowed the vulnerability would be affected, as my Cedega gives each program its own fake windows.

      --
      Don't thank God, thank a doctor!
    3. Re:Not that insecure by Anonymous Coward · · Score: 0

      If you don't have backups, you will lose the data anyway, sooner or later.

  21. Patching WINE? by plover · · Score: 1

    So all you have to do is run the WINE autoupdater? :-)

    --
    John
    1. Re:Patching WINE? by legalize.ganja.now. · · Score: 2, Informative
      So all you have to do is run the WINE autoupdater? :-)

      exactly. to run the "WINE autoupdater" open a console and type the following commands:

      export CVSROOT=:pserver:cvs@cvs.winehq.org/home/wine
      cvs login

      the password is "cvs"
      cvs -z 3 checkout wine
      cd wine
      ./configure
      make
      su

      enter root password
      killall -s KILL wineserver
      make uninstall
      make install
      exit
      cd ..
      rm -rf wine

      wineconfig

      that's all! ;-) (the exploit is fixed in the cvs tree)
      of course you can make this even more "auto-ish" if you put the above commands into a textfile, call "chmod +x" on that file and click on it ;-)

  22. Imitation is the sincerest form of flattery by Schezar · · Score: 5, Insightful

    I suppose this speaks very highly of the WINE developers. After all, they're not out to make something better than Windows: they're out there to duplicate every broken, strange, or inexplicable behaviour Windows exhibits.

    Wine is Not an Emulator, but its purpose is to allow all of us in Linuxland to use software developed for Windows. That means that it must replicate even the broken parts.

    Luckily, I assume two things:

    1. The WINE devs will plug this as soon as they get around to it.

    2. Anyone using WINE successfully is probably canny enough to make do until then without getting themselves compromised.

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:Imitation is the sincerest form of flattery by Anonymous Coward · · Score: 0

      "1. The WINE devs will plug this as soon as they get around to it."

      Is this like a Schroedinger's cat thought experiment, or are you just trying to confuse me?

      Generally speaking, yes, people do things as soon as they get around to them. That's the beauty of procrastination. It gives us a way out of that conundrum.

      Should I submit this now, or...

    2. Re:Imitation is the sincerest form of flattery by GlassHeart · · Score: 1, Insightful
      You're just the first one I came across, so:

      The responsible thing for the WINE developer(s) to do is to tell Microsoft about this serious hole, and not implement it until there is a sufficient need. Even then, it should be enabled only in a "quirks" or bug-compatibility mode, because it is dangerous. I can't believe the developer(s) are being complimented ("speaks highly of them") for quietly implementing a security hole.

      Now, I don't think they should be blamed for not realizing the problem (the original authors did not, either). Being volunteers, they're also under no obligation to do anything. But ignorance or inaction is hardly a cause for compliment, is it?

      Just imagine what you'd be saying if Microsoft found a security hole in POSIX, and quietly just implemented the hole to spec. Now imagine what you'd say if they didn't realize that there was a hole there. Would you be complimenting them for either case?

    3. Re:Imitation is the sincerest form of flattery by a.d.trick · · Score: 1

      IIRC, wine is run chrooted so exploits for windows apps can't affect the non-wine portions of your system. The worst that could happen is that some of your windows apps are exploited. If this happens just remove everything from your 'fake windows' directory or whatever and reinstall your windows apps. Apart from that, wine does do things differently from MS Windows, so it's quite likely the exploit won't even work. But that wizardry is way beyond me.

    4. Re:Imitation is the sincerest form of flattery by houghi · · Score: 1

      Luckily, I assume two things:
      1. The WINE devs will plug this as soon as they get around to it.


      Well, Luckily, I assume two things:
      1. The Microsoft devs will plug this as soon as they get around to it.

      So if it is M$, it is the bad company that does not patch fast enough. If it is OSS developers, they can take their time?

      A lot is said that OSS is better, because of the many eyes that can look at the source and that this is better than closed source. If that were true, how come this has not been fixed before?

      --
      Don't fight for your country, if your country does not fight for you.
  23. Wine is insecure. by Ober · · Score: 0

    That's why OpenBSD does not have it working on their platform.
    Not that lacking kernel threads, or half a dozen other things could be the REAL reason. :p

  24. Not impressed by Anonymous Coward · · Score: 5, Funny

    Until I can get my Linux box rootkitted by Sony DRM.

  25. slashdot homepage is fucked up by Anonymous Coward · · Score: 0

    Don't tell me I'm the only one who noticed that this site's homepage looks terrible.

    1. Re:slashdot homepage is fucked up by Anonymous Coward · · Score: 0

      No you're not. Dunno wtf's going on.

  26. Re:Like my pappy always said... by the_B0fh · · Score: 0

    No no no, when wine, women and song gets to be too much, stop singing.

  27. Why should they realize it's a problem? by Weaselmancer · · Score: 4, Insightful

    The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue.

    Remember, the goal of WINE is to duplicate the API as exactly as possible. And up until a few days ago, that *was* part of the API.

    WINE isn't supposed to be an improvement, just a duplication of the API so that win32 apps can run on x86 *nix. It should be no surprise to anyone that their implementation of the metafile API is exactly like the one in Windows. That's the point.

    --
    Weaselmancer
    rediculous.
    1. Re:Why should they realize it's a problem? by Anonymous Coward · · Score: 0

      That should also mean that ReactOS, the free windows copy, got this exploit too. :D

    2. Re:Why should they realize it's a problem? by Rufus211 · · Score: 1

      The point was that if they spent the time working with this format and re-implementing it in WINE, they should have seen the potential exploit. Instead they blindly implemented it without analyzing the format (which you can't really blame them, considering how much crap they have to parse through).

    3. Re:Why should they realize it's a problem? by Hakubi_Washu · · Score: 1

      Even if one assumed that they did see it, they'd still have to implement it, because it is part of the API, which they're trying to clone. It's not too hard to get that concept, is it???

  28. Yes by Anonymous Coward · · Score: 0

    Virus and malware writers use WMFs all the time :)

  29. I'll worry when M$ retains SCO's legal team by Anonymous Coward · · Score: 0

    or the Darl everyone loves to hate... "Surely WINE contains Windows code; how else can it possibly exhibit the exact same flaw? We demand the WINE development team come clean and turn over their firstborns as a sign of good faith..."

  30. Hey by Anonymous Coward · · Score: 0

    If I got hit with the WMF flaw, I'd go drink some WINE too.

  31. You hold aces in your sleeve :) by Antiocheian · · Score: 1

    Well, admit however that if WINE didn't have this hole you would post an entirely different story on Slashdot :)

  32. Crazy Slashdot. by Anonymous Coward · · Score: 0

    Man, Slashdot looks messed up.

  33. Re:Mud Wiggle saith by Fordiman · · Score: 1, Insightful

    Betcha the Wine team comes out with a fix before Microsoft does.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  34. ReactOS? by Anonymous Coward · · Score: 0

    Perhaps the ReactOS people should check their code as well, especially since they're starting to implement network support into it for version 0.3.0.

  35. Re:Linix tained by M$ crap. ps3?!?!?! by chrisjwray · · Score: 0, Redundant

    Is this supposed to be an SMS message or are some of the keys on your keyboard missing? Either way, what are you on about???

  36. We do. by Anonymous Coward · · Score: 0

    We're a major financial services/software company, and one of our QA suites uses a WMF file (for what, I'm not sure.) Symantec Antivirus started complaining about this in the wake of the WMF exploit and broke our build, despite the fact that CVS assures us the file hasn't changed in 5 years.

  37. License? by John3 · · Score: 2, Funny

    What is this license you speak of and why would I need one for software?

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    1. Re:License? by SpinJaunt · · Score: 1

      I think Parent was referring to the GPL.. then again.. ;)

      --
      /. is good for you.
  38. GDI DLL Exploit Method by c0d3r · · Score: 2, Informative

    Apparently the exploit method in the GDI DLL is SETABORT (vector 9).
    http://blogs.securiteam.com/index.php/archives/184
    -c0d3r-

  39. yeah right by Anonymous Coward · · Score: 0

    The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. ... and your comment:

    I suppose this speaks very highly of the WINE developers.

    If you ask me, it is more suspicious than anything else. My guess is that someone with access to Microsoft code has (probably on more than one occasion) contributed to the Wine project. That code was probably blindly copied into the project with little-to-no auditing whatsoever.

    1. Re:yeah right by LocalH · · Score: 1

      Oh yeah, because no one can ever independently produce a piece of code that functions 100% identically to other code, including bugs and everything else, right?

      --
      FC Closer
    2. Re:yeah right by Anonymous Coward · · Score: 0

      Not code with the complexity of Win32/Wine. If this happened in CS class, you'd probably be thrown out of university.

    3. Re:yeah right by Anonymous Coward · · Score: 0

      If Wine devs had independently recreated SetAbortProc, they would've seen how easily exploitable it is and reported it to Microsoft. Microsoft, in turn, would've quietly fixed the bug without making any press releases about it, unlike the panic you saw this week.

    4. Re:yeah right by Krach42 · · Score: 1

      Right, because published specs means they can't implement this same boneheaded security flaw.

      I will guarantee you that the function in question at the very least is NOT from Microsoft's code.

      --

      I am unamerican, and proud of it!
    5. Re:yeah right by spitzak · · Score: 2

      It's not really a bug. It is in fact the documented function of the WMF files, and nobody (neither at Microsoft nor WINE) noticed that it was in fact a security hole. Since it is documented there was no trouble replicating its behavior.

  40. Bug-for-bug compatibility to the next level by HTH+NE1 · · Score: 1

    This takes "bug-for-bug compatibility" to the next level.

    Now the king of compatibility claims is "'sploit-for-'sploit compatible"!

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  41. Actually, not this time (but often other times) by Schezar · · Score: 1

    Heh.. Actually, in this specific case, I wouldn't. (Though for many other assertions I make, you're spot on ^_~)

    I use Wine extensively in my work, typically to allow corporations with archaic, proprietary software developed for Windows to migrate wholly or partially to Linux. I've found that many applications are poorly coded and end up using strange or broken Windows APIs. They'll use a bug as a feature and rely upon it to function.

    Simply put, I rely on the Wine guys to implement every "feature" of Windows, no matter how broken it is. Say they'd noticed this and corrected it. They likely would have done it in a slightly different way from Microsoft. Wine would have branched slightly from the Windows API tree, and I would have ripped out more of my hair.

    --
    GeekNights!
    Late Night Radio for Geeks!
  42. Well, there you go... by stinky+wizzleteats · · Score: 5, Funny

    All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable

    That's 3 Unix/Linux vulnerabilities to 1 for Windows. Windows is more secure.

    1. Re:Well, there you go... by Anonymous Coward · · Score: 0

      Don't bite your tongue.

      It's only natural that the few vulnerabilities in *nix would be implementing the Windows API. Sad.

  43. Re:Mud Wiggle saith by amliebsch · · Score: 1

    Um...is that a joke, or are you unaware that MS already patched this?

    --
    If you don't know where you are going, you will wind up somewhere else.
  44. The traditional "joke", with a twist? by Jugalator · · Score: 4, Funny

    For WINE users, here's a patch.

    Wow, I could never imagine this time would come, after all those here's a patch jokes!

    --
    Beware: In C++, your friends can see your privates!
    1. Re:The traditional "joke", with a twist? by Jesus_666 · · Score: 1

      This patch will eliminate any Windows- or WINE-related vulnerabilities.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    2. Re:The traditional "joke", with a twist? by JaLooNz · · Score: 1

      Do you mean Mac users do not use Wine either? I presume that you are mistaken.

    3. Re:The traditional "joke", with a twist? by jZnat · · Score: 1

      Unless you're talking about OSX86, Mac users can't exactly use WINE yet...

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  45. Re:Linix tained by M$ crap. ps3?!?!?! by Beardo+the+Bearded · · Score: 1

    Maybe it's an attempt at a troll.

    Maybe he's brain damaged.

    Maybe the liquid nitrogen has run out and there's not much mentation left.

    Maybe he's nine and he's trying to be cool to impress us.

    I'm certainly impressed. I didn't know that our canine colleagues had learned how to use computers.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  46. Re:Mud Wiggle saith by Keith+Russell · · Score: 1

    I hope the Wine team has a flux capacitor.

    --
    This sig intentionally left blank.
  47. Re:Linix tained by M$ crap. ps3?!?!?! by Anonymous Coward · · Score: 0

    It's not that he's a grammar Nazi, it's just that your post was as coherent as Syd Barrett's lyrics.

  48. Re:Mud Wiggle saith by Anonymous Coward · · Score: 0

    Why would MS want to supply a patch to WINE? They already patched their own product.

  49. Congrats WINE by hkb · · Score: 1

    This just goes to show the WINE project's dedication to accurately reproducing the Windows libraries.

    *drum hit*

    Thank you, thank you, next show at 10!

    --
    /* Moderating all non-anonymous trolls up since 2004 */
  50. Re:Mud Wiggle saith by isolationism · · Score: 1
    I'll take you up on that bet. The WINE team patching their vulnerability before Microsoft patches theirs is highly unlikely considering Microsoft already released the patch yesterday, as covered right here on Slashdot.

    Unless the WINE developers have a time machine and are holding out on the rest of us. Incidentally, that would explain why WINE only runs software designed to run on OSes aged 8 yrs. and older.

    Well, pay up. What'd I win?

  51. Re:Linix tained by M$ crap. ps3?!?!?! by XflopThreeShitty · · Score: 0

    not 9 try 39!!! and i werk for Noble $$$$ winnerz so dont be al hussey mr smarty pants!!! how bout ansering my query insted huh?!?!?1?1?! mabee your the 1 who'se 9!!!!

  52. Re:Linix tained by M$ crap. ps3?!?!?! by XflopThreeShitty · · Score: 0

    I dont lisen to lamea$$ hiphoprapcrap t00! metal r00lZ \m/

  53. Re:Mud Wiggle saith by A+beautiful+mind · · Score: 1

    You won the right to post the parent post. Gotta love temporal mechanics ;)

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  54. if you want to run windows apps by Anonymous Coward · · Score: 0

    run windows... dont see how it could be much simpler

  55. Cedega is not affected by this exploit by gavriels · · Score: 5, Informative

    Cedega is not affected by this exploit, as we don't support any META_ESCAPE commands in WMF playback at all.

    And Marcus Messier's fix for WineHQ was checked in earlier today. 8-)

      -Gav

    1. Re:Cedega is not affected by this exploit by petermgreen · · Score: 1

      Any source for that on an official domain? I'd rather not cite a Slashdot comment in a WP article.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    2. Re:Cedega is not affected by this exploit by Anonymous Coward · · Score: 0

      Now that it's official, that WINE has achieved that higher plane we call bug4bug compatibility, that we follow suit: interview this Mercier character like the others have interviewed that guy who made the patch before the WINE guys release theirs. I'm saying emulate like never before, guys! Don't stop with the patch-here jokes, let's keep it rolling!

  56. What happened to many eyes? by DaHat · · Score: 1

    Doesn't this revelation kinda fly in the face of one of the arguments of OSS that it is more secure because more eyes are seeing it?

    Here we've got at least two sets of eyes that missed it, not just the folk(s) who wrote the Wine code, but also the one(s) who wrote the original implementation for Windows... and the only time the flaw was discovered in Wine was AFTER the Windows one was... presumably because someone looked to see if Wine was vulnerable as well.

    1. Re:What happened to many eyes? by cnettel · · Score: 1
      What happened to the "one sample tells you nothing about your population" theorem?

    2. Re:What happened to many eyes? by DaHat · · Score: 1

      I never said that it disproves the theory, just that it is an interesting piece of evidence against it.

  57. IT'S FIXED IN THE CVS by Krach42 · · Score: 5, Informative
    Revision 1.12 / (download) - [select for diffs], Fri Jan 6 20:52:46 2006 UTC (111 minutes, 55 seconds ago) by julliard
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.11: +7 -0 lines
    Diff to previous 1.11 (colored)

    Marcus Meissner
    gdi: Filter GETSCALINGFACTOR and SETABORTDOC proc in metafile
    Escapes.


    Which changed wine/dlls/gdi/metafile.c from:
    case META_ESCAPE:
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    To:
    case META_ESCAPE:
            switch (mr->rdParm[0]) {
            case GETSCALINGFACTOR: /* get function ... would just NULL dereference */
                return FALSE;
            case SETABORTPROC:
                FIXME("Filtering Escape(SETABORTPROC), possible virus?\n");
                return FALSE;
            }
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    This is a first-day response.
    --

    I am unamerican, and proud of it!
    1. Re:IT'S FIXED IN THE CVS by Anonymous Coward · · Score: 0

      Why is there no default case for the added switch statement?

    2. Re:IT'S FIXED IN THE CVS by Anonymous Coward · · Score: 0

      It would be more text to write....

    3. Re:IT'S FIXED IN THE CVS by dkf · · Score: 1

      Why put a default in when the default default (do nothing) is good enough?

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  58. Hey!! I knew that!! by imipak · · Score: 1
    Well, I can't say I'm very surprised to read this news :)

    However, I can't quite shake off the creeping suspicion that I've got something terribly, terribly wrong in my model of the world, though, that I feel I have to point out that I told you so. Please, say it isn't just me!!

  59. Why its not really a BUG, and why WINE has it too by XMilkProject · · Score: 2, Interesting

    It's been a while since I've written any WMF software, but if I remember correctly, the problem here is with the general principle of a WMF, not a bug in any libraries, hence windows and wine both being vulnerable.

    A wmf is not a graphics format in a traditional sense, but rather a list of API calls to the GDI libraries that when fired off one after another will recreate an image.

    For this reason, saying that the WMF insecurity is a bug is like saying that the fact that you can make a malicious EXE for Windows is a bug also.

    I'm not saying it shouldn't be fixed, because it is a vulnerability, I'm just trying to shine some light on why similar vulnerabilities exist in WINE.

    If I have given an incorrect explanation of WMF, please feel free to comment.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
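    As an added example (not code from this page, from Wine or from Microsoft), here is a small C walker that does what the comments above describe: it treats a WMF as a list of GDI records, dispatches on each record's function code the way a metafile player's switch does, and applies the same filter the Wine CVS fix quoted in comment 57 applies, refusing META_ESCAPE records that carry SETABORTPROC (the "vector 9" escape) or GETSCALINGFACTOR. Header and record layout, META_ESCAPE = 0x0626 and GETSCALINGFACTOR = 14 come from the public WMF format and wingdi.h, not from the page. The sample files are constructed inline: the escape-carrying one holds four zero filler bytes where an attacker's bytes would sit, so it exercises the filter without being an exploit. Unlike a metafile player, the walker bounds-checks every record before reading it, so a truncated file or a lying rdSize reports as malformed instead of running off the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record and escape numbers from the public WMF definitions (wingdi.h). */
#define META_EOF          0x0000
#define META_SETMAPMODE   0x0103
#define META_ESCAPE       0x0626
#define SETABORTPROC      9            /* the "vector 9" escape */
#define GETSCALINGFACTOR  14
#define PLACEABLE_KEY     0x9AC6CDD7UL /* Aldus placeable header magic */
#define PLACEABLE_BYTES   22
#define METAHEADER_BYTES  18

/* WMF is little-endian; read/write bytewise so host byte order and alignment do not matter. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint8_t *wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); return p + 2; }
static uint8_t *wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); return p + 4; }

/* Walk the record stream and count META_ESCAPE records the Wine fix refuses to play.
 * Returns that count, or -1 if the file is malformed (bad header, a record whose
 * rdSize runs past the buffer, or no META_EOF before the data ends). */
int wmf_count_filtered_escapes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int filtered = 0;

    if (len >= PLACEABLE_BYTES && rd32(buf) == PLACEABLE_KEY)
        off = PLACEABLE_BYTES;                       /* skip the placeable header */
    if (len < off + METAHEADER_BYTES) return -1;
    if (rd16(buf + off + 2) != 9) return -1;         /* mtHeaderSize is always 9 words */
    off += METAHEADER_BYTES;

    while (off + 6 <= len) {                         /* rdSize (4 bytes) + rdFunction (2 bytes) */
        uint32_t size_words = rd32(buf + off);       /* record length in 16-bit words */
        uint16_t func = rd16(buf + off + 4);

        if (size_words < 3) return -1;               /* smaller than its own header */
        if (size_words > (len - off) / 2) return -1; /* would run past the buffer */
        if (func == META_EOF) return filtered;

        /* For META_ESCAPE: rdParm[0] = escape number, rdParm[1] = byte count of escape data. */
        if (func == META_ESCAPE && size_words >= 5) {
            uint16_t esc = rd16(buf + off + 6);
            if (esc == SETABORTPROC || esc == GETSCALINGFACTOR) filtered++;
        }
        off += (size_t)size_words * 2;
    }
    return -1;                                       /* data ended before META_EOF */
}

/* Constructed sample, not a real exploit file: a minimal memory metafile with one
 * harmless SetMapMode record and, optionally, a SETABORTPROC escape record whose
 * data is four zero filler bytes. Writes at most 46 bytes into out; returns the length. */
size_t build_sample_wmf(uint8_t *out, int with_abortproc)
{
    static const uint8_t filler[4] = { 0, 0, 0, 0 };
    uint8_t *p = out + METAHEADER_BYTES;             /* header is filled in last */
    uint8_t *h = out;
    size_t total;

    p = wr32(p, 4); p = wr16(p, META_SETMAPMODE); p = wr16(p, 1);     /* MM_TEXT */
    if (with_abortproc) {
        p = wr32(p, 7);                              /* 3 header words + 2 params + 4 data bytes */
        p = wr16(p, META_ESCAPE);
        p = wr16(p, SETABORTPROC);
        p = wr16(p, (uint16_t)sizeof filler);
        memcpy(p, filler, sizeof filler); p += sizeof filler;
    }
    p = wr32(p, 3); p = wr16(p, META_EOF);
    total = (size_t)(p - out);

    h = wr16(h, 1);                                  /* mtType: memory metafile */
    h = wr16(h, 9);                                  /* mtHeaderSize, in words */
    h = wr16(h, 0x0300);                             /* mtVersion */
    h = wr32(h, (uint32_t)(total / 2));              /* mtSize, in words */
    h = wr16(h, 0);                                  /* mtNoObjects */
    h = wr32(h, with_abortproc ? 7u : 4u);           /* mtMaxRecord, in words */
    wr16(h, 0);                                      /* mtNoParameters (reserved) */
    return total;
}

/* Build a sample and scan it: 0 for the benign file, 1 for the escape-carrying one. */
int scan_sample(int with_abortproc)
{
    uint8_t buf[64];
    size_t n = build_sample_wmf(buf, with_abortproc);
    return wmf_count_filtered_escapes(buf, n);
}

/* The escape-carrying sample cut off inside a record must be reported as malformed. */
int scan_truncated_sample(void)
{
    uint8_t buf[64];
    size_t n = build_sample_wmf(buf, 1);
    return wmf_count_filtered_escapes(buf, n - 16);
}

int main(void)
{
    printf("benign sample:    %d filtered escapes\n", scan_sample(0));
    printf("abortproc sample: %d filtered escapes\n", scan_sample(1));
    printf("truncated sample: %d (malformed)\n", scan_truncated_sample());
    return 0;
}
```

    The filter is deliberately the same shape as the Wine change: the escape number is checked before the record is handed to Escape(), and everything else is passed through unchanged, which is why no default case is needed in the switch. A scanner like this only tells you a file would have been rejected by the fixed player; it says nothing about whether the bytes after the escape would actually have run on a given Windows or Wine build.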
  60. Re:Linix tained by M$ crap. ps3?!?!?! by Jesus_666 · · Score: 1

    To answer your question: Yes, Sony should su. Unfortunately they don't have the root password.

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  61. Dang it! by darthservo · · Score: 1

    Does that mean I have to throw out my stash of these?

    --

    Prove it.

  62. My favorite review of this subject... by jeremy_white · · Score: 2, Funny

    ...is on Newsforge.

  63. Re:Why its not really a BUG, and why WINE has it t by XMilkProject · · Score: 2, Informative

    To answer another question I keep seeing:

    "Does anyone actually use WMF anyway?"

    There are actually some common uses of WMF on Windows, but because it is a metafile of GDI calls, it's not very portable (although it is easy to convert).
    Since displaying a WMF is nothing more than enumerating the list into a 'select case' statement (not a very long one either) it is very easy and VERY fast to display on Windows. (Really no processing is required.) For this reason, Microsoft uses WMF for all the MS Office clipart, and you'll find many other very Microsoft-centric applications using it as well.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
  64. How long should a fix take? by MeBot · · Score: 3, Interesting

    Six days after m$ft learned of the vulnerability, we were all yelling that it shouldn't take that long for a fix and thank heavens that open source projects could always churn out fixes so much quicker. Well, the open source wine has now had 3 days. Does that mean that if wine takes another 3 days, then we've proven that open source isn't always faster with fixes?

    1. Re:How long should a fix take? by Anonymous Coward · · Score: 0

      If you'd read through the comments you'd know it's already been fixed.

    2. Re:How long should a fix take? by pasamio · · Score: 1

      You could at least read the comments section before posting...or look at the Wine cvs. I refer to this post: http://it.slashdot.org/comments.pl?sid=173205&cid=14412807 which was made 10 minutes before yours (surely it did not take you ten minutes to write that comment). It's not a question of 'if', it's a statement of 'is' now.

      --
      I always wondered where this setting was...
  65. From the horse's mouth, so to speak by Doobian+Coedifier · · Score: 1

    Mod parent up!

    Thanks for letting us know, Gav! Transgaming rules!

  66. Clarification: Wine Is Not a (CPU) Emulator by JBMesserly · · Score: 2, Informative

    I'm pretty sure a more accurate expansion of WINE is: Wine Is Not a (CPU) Emulator. See the Wine FAQ. As you correctly point out, Wine emulates (implements?) the Windows API, using the native CPU to execute code.

    1. Re:Clarification: Wine Is Not a (CPU) Emulator by jacksonj04 · · Score: 1

      WINCE?

      --
      How many people can read hex if only you and dead people can read hex?
  67. It's already fixed in CVS anyways by Krach42 · · Score: 3, Insightful

    Just: cvs update && make World && sudo make install

    Patched, Fixed, Done.

    If you RTFA, you'll even see that the very person to report that WINE was flawed the same as Windows submitted a patch to fix the problem along with his notice that it was broken.

    THAT is how fast OSS is. The very vulnerability announcement says how to fix it.

    --

    I am unamerican, and proud of it!
    1. Re:It's already fixed in CVS anyways by heinousjay · · Score: 1

      Fixed fast, and probably tested for at least 15 minutes on one computer. I just don't understand why Microsoft takes their time, in light of this. They should just release the first thing that seems to work.

      Yeah, that was sarcastic.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    2. Re:It's already fixed in CVS anyways by Krach42 · · Score: 1

      Well, WINE has the advantage that they know what route everyone else has taken to patch this first.

      I'm also acutely aware that Microsoft had to test the patch before releasing it. The issue has always been that they were going to wait until patch Tuesday to release it, and not release it as soon as possible.

      Kudos to which ever Senior VP approved us to put it out early.

      --

      I am unamerican, and proud of it!
  68. Programming Issue? No way! by Heembo · · Score: 2, Informative

    Alan Paller at SANS keeps calling this a "programming error" which I think is a load of BS. This WINE article only proves it - this is poor design from management folks. The trick is, security needs to be a core part of system design from the initial phases of the software lifecycle, and then at every step of the software lifecycle. This is not something only for Programmers and pure-tech folks. Now your Project Managers, Analysts, and even your upper management needs to understand the COSTS AND ADDITIONAL TIME ASSOCIATED WITH HIGH-SECURITY PROGRAMMING.

    --
    Horns are really just a broken halo.
    1. Re:Programming Issue? No way! by Anonymous Coward · · Score: 2, Insightful

      Except that the WMF format was created, what, more than 15 years ago? Not many people had computers then. Or the Internet. Or the bandwidth to share pictures through BBS's. Even if someone had found the exploit, it wouldn't have spread over more than, say, two or three computers worldwide. High-security programming? WTF? There was no *NEED* for high-security programming back then.

      WMF became obsolete soon, and was forgotten. It's perfectly normal to forget to review code that old, especially if the programmers who wrote it have probably been retired by then. Hell, many people have probably never seen a WMF file before.

    2. Re:Programming Issue? No way! by zjbs14 · · Score: 2, Informative
      Yeah, that was a big concern back in the late 80's when WMF was developed for Windows 3.0 (AKA DOS but prettier). There were no elevated privileges, memory protection, or even networking to speak of. Heck, if you wanted to screw with something, all you had to do was write a TSR to hook into an interrupt.

      I agree, it probably should have been taken care of in the interim, but I wouldn't classify it as poor design (for the times).

      --
      No sig, sorry.
    3. Re:Programming Issue? No way! by mvdwege · · Score: 1

      <cough>Bullshit<cough>

      There were no such things under DOS/Windows in these days. But things like different privilege levels, multiuser and multitasking computing, memory protection and networking certainly existed in the eighties.

      It is Microsoft's abiding attitude of NIH that led to them disregarding best practices as they were known to other systems in those days, and consequently reintroducing errors and bad security practices that we thought had fallen by the wayside.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    4. Re:Programming Issue? No way! by Heembo · · Score: 1

      I have no doubt that more than one programmer made the call that this basically can be used to execute arbitrary code (since it was built for that purpose!) This was NOT a code error - the code did EXACTLY what management told the programmers to do. The error was in the call from management to push this feature. The patch from MS did not FIX this code, it REMOVED the ability to run this feature altogether. Sure, it's easy to "blame the programmers" but at one point management needs to make the call to think about Security early on - not during coding and technical development.

      --
      Horns are really just a broken halo.
  69. Ah the joys of having access to both sources... by Krach42 · · Score: 1

    The code is definitely not from Microsoft.

    DEFINITELY not from Microsoft.

    --

    I am unamerican, and proud of it!
  70. Makes sense to me... by sd_diamond · · Score: 1, Funny

    I know that excessive use of Wine usually makes me insecure.

  71. wine OSX by nurb432 · · Score: 1

    I do believe they have abandoned that project, and moved to OSX86, which would be much easier to code for.

    Too bad that leaves us PPC users out in the cold.

    --
    ---- Booth was a patriot ----
  72. Dictionaries!?! by Anonymous Coward · · Score: 0

    You have dictionaries? Why, back in the day, we had to get our elders drunk then listen to them tell stories in the olden tongues. And they always lied, too, and WE LIKED IT!

  73. this still could be a problem by timcharper · · Score: 1

    This really still could pose a threat to people running Office under Wine. All of your saved passwords for websites are stored somewhere in your home directory, and your home directory in fake Windows is mapped as Y:\. If somebody wrote an exploit for that, they could access personal data and erase your files, but that would probably be, on average, the extent of how far the damage would go. I think there is a whole lot of bias going on here towards Microsoft. Everybody's first reaction when they find out that WINE has the WMF flaw is to:

    1. Bash Microsoft, calling them the author of all "buggy" and "flawed"
    2. Praise Wine for failing where Microsoft failed by calling Wine "closer to Windows"
    3. Bash Microsoft some more
    4. Worship Linux, the all-mighty bug-free security-flawless operating system.

    I'm failing to see some real rational thinking going on here.

    1. Re:this still could be a problem by SanityInAnarchy · · Score: 1

      MS took 6 days to fix the bug, and a third party had released a fix a day or two earlier. Maybe day 0, I don't remember, but I suspect that without the third-party fix, MS would've waited even longer, to their scheduled release. (Here's a hint, MS: Worms go by their own schedule, not yours.)

      Wine took 3 days. And Cedega never had the problem in the first place.

      And if I really wanted to be secure, I wouldn't have my home dir mapped anyway, or I'd run Wine as a separate user.

      For that matter, this has been proven as a design bug, not a programming one. Wine follows MS design/API as closely as possible -- if they didn't, programs would break. Now that MS has decided to break a certain group of programs in the interests of security, Wine is free to do the same.

      Rational enough?

      --
      Don't thank God, thank a doctor!
  74. Too bad that's wrong by xant · · Score: 1

    A formal API is basically published documentation about how it works. Since Microsoft hadn't published the docs about every quirk of their implementation of their APIs, there's a lot of flexibility in how it will be implemented.

    WINE takes that a step farther, though... they're trying to implement the undocumented behaviors too. They do this mostly by running known-working Windows software and seeing where it breaks in WINE. Where it breaks, this indicates a place where the WINE implementation of the API either a) doesn't conform to the documented API or b) doesn't conform to the quirks. So WINE does, as you suggested, have to get pretty close to doing exactly what Microsoft does in the implementation.

    But even within this restriction there's a lot of wiggle room. No "known-working" software would rely on an exploit; to put it another way, software that made use of the exploit intentionally would not be used to prove WINE's implementation was reliable. Therefore, there's no reason for WINE to implement it that way.

    All of this begs the question "where did the exploit come from?" Until I read otherwise, I'm going to assume MS and WINE made use of the same underlying library, in which case WINE is merely sharing a single buggy implementation rather than cloning a new one.

    Is that so hard a concept to understand?

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    1. Re:Too bad that's wrong by Hakubi_Washu · · Score: 1

      Have you actually read how the exploit works? WMF allows arbitrary access to the graphics system and thus code execution by design. That is not "undocumented"...

    2. Re:Too bad that's wrong by cnettel · · Score: 2, Informative
      While technically right, it's more like "they allow access to most of GDI, including one devastating method that allows you to feed a pointer to a callback proc if rendering fails".

      It's more complicated than WMF just being able to call anything inside GDI32.dll. This is demonstrated by the fact that SetAbortProc was never allowed, the way to do it in WMF was using the Escape function, which has an obsolete escape code for adding an abort proc in the context where it makes sense, for printer spooling.

      So the oversight is that an escape code was included for setting an abort proc, and there were valid uses for escape codes in WMF. The explicit and current way to set an abort proc was never allowed.

  75. Re:slashdot design ... by 6Yankee · · Score: 3, Funny

    slashdot design looks strange today

    You just want me to commit a felony by refreshing it to see if I see what you see, don't you?

  76. Re:Mud Wiggle saith by Anonymous Coward · · Score: 1, Insightful

    The problem with this argument is that the announcement that Wine also suffered from this vulnerability included a patch to fix it, so that's a 0-day response between discovery and fix.

  77. Re:Why its not really a BUG, and why WINE has it t by cnettel · · Score: 2, Informative
    It is partly right, but this is a vulnerability just like being able to write a Javascript that alters files on your HD is a vulnerability. Javascript is even Turing complete (WMF isn't), but the important point is the domain you are executing in. There are plenty of GDI functions that you CAN'T call from a WMF, like setting an abort proc in another manner than the one used here, or getting a device context to draw in another window in the same session. In fact, I think you are not supposed, or allowed, to draw in another device context at all.

    WMF is not supposed to be any kind of code affecting the display and certainly not arbitrary x86 code. Therefore, this is a bug, but the bug was caused by the format design omission to allow the specific escape code used.
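As an added illustration of the mechanism described above (not code from the page, the Wine project or Microsoft), here is a small WMF record walker that flags Escape records carrying the SETABORTPROC escape code, the kind of check a mail gateway or file scanner can apply without rendering anything. The record-type and escape-code constants are the standard Windows GDI values; the sample metafile is constructed inline and its payload words are placeholders.

```python
import struct

# Windows GDI metafile constants (standard wingdi.h values, not from the page).
META_EOF = 0x0000
META_ESCAPE = 0x0626        # record type for Escape() calls
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_LINETO = 0x0213
SETABORTPROC = 9            # escape code that registers an abort callback
NEWFRAME = 1                # harmless printer escape, used as a control case
PLACEABLE_MAGIC = 0x9AC6CDD7


def iter_wmf_records(data):
    """Yield (function, params) for every record in a WMF blob.

    Skips the optional 22-byte placeable header, then the 18-byte standard
    header (9 WORDs). Record layout: DWORD size-in-words, WORD function,
    then the parameter WORDs. Raises ValueError on malformed input.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _mt_type, hdr_size = struct.unpack_from("<HH", data, off)
    if hdr_size != 9:
        raise ValueError("unexpected header size %d" % hdr_size)
    off += hdr_size * 2
    while off + 6 <= len(data):
        rd_size, func = struct.unpack_from("<IH", data, off)
        if rd_size < 3:
            raise ValueError("record size smaller than its own header")
        end = off + rd_size * 2
        if end > len(data):
            raise ValueError("record runs past end of file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("missing META_EOF record")


def find_abort_proc_escapes(data):
    """Return indexes of records that are Escape(SETABORTPROC, ...).

    That record is how a metafile hands GDI a callback pointer, so a scanner
    can reject or quarantine the file on sight; other escapes are left alone."""
    hits = []
    for idx, (func, params) in enumerate(iter_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == SETABORTPROC:
                hits.append(idx)
    return hits


def is_well_formed(data):
    """True if every record parses and the file ends with META_EOF."""
    try:
        for _ in iter_wmf_records(data):
            pass
        return True
    except ValueError:
        return False


def _record(func, params):
    """Pack one metafile record from its function code and parameter WORDs."""
    head = struct.pack("<IH", 3 + len(params), func)
    return head + b"".join(struct.pack("<H", p) for p in params)


def build_sample(include_abort_proc):
    """Constructed sample: a tiny drawing, optionally with the dangerous escape."""
    records = [
        _record(META_SETWINDOWORG, [0, 0]),
        _record(META_SETWINDOWEXT, [100, 100]),
        _record(META_ESCAPE, [NEWFRAME, 0]),   # benign escape, must not be flagged
    ]
    if include_abort_proc:
        # escape code, byte count, then two placeholder payload words (constructed)
        records.append(_record(META_ESCAPE, [SETABORTPROC, 4, 0x1111, 0x2222]))
    records += [_record(META_LINETO, [10, 10]), _record(META_EOF, [])]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


def with_placeable_header(data):
    """Prefix the placeable header: magic, handle, bbox, dpi, reserved, checksum."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):   # checksum is the XOR of the 10 WORDs
        checksum ^= word
    return head + struct.pack("<H", checksum) + data


if __name__ == "__main__":
    samples = (("clean", build_sample(False)),
               ("abortproc", with_placeable_header(build_sample(True))))
    for label, blob in samples:
        print(label, "flagged records:", find_abort_proc_escapes(blob))
```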

  78. correct me if i'm wrong by petermgreen · · Score: 1

    but afaict wine is not a jail and there is nothing stopping code running from it making linux syscalls directly bypassing wine and its set of virtual drives.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    1. Re:correct me if i'm wrong by Dimensio · · Score: 1

      I wouldn't think that would happen here, since the nature of the exploit (like most exploits) is that it causes untrusted and potentially malicious code to be executed through a flaw in the WMF format. But if it's happening through Wine, then the exploiting code is being run through Wine's API layer. I don't see how it could make Linux syscalls doing that.

      Another mitigating factor is that not all Windows software works with Wine, and not all works completely with Wine. It's possible that a malicious exploit that does terrible things in Windows wouldn't work properly when running through Wine.

    2. Re:correct me if i'm wrong by Anonymous Coward · · Score: 0

      Why not? WINE is, after all, not an emulator. It doesn't interpret the Windows binaries or execute them in a jail. It simply provides the linking facilities for the binaries to execute an API written to function identically to its Win32 counterparts. It's still x86 code running directly on the x86 processor within a Linux process. That code could certainly make a call to the Linux API or system calls, although at that point the code would be a Linux-specific exploit. If you're smarter than most Windows users and don't run as root then you're likely not going to suffer much damage from the exploit, but it will cause damage nonetheless.

    3. Re:correct me if i'm wrong by petermgreen · · Score: 1

      then the exploiting code is being run through Wine's API layer. I don't see how it could make Linux syscalls doing that.
      all it takes to make a syscall is to set up some registers and execute a particular instruction that the kernel traps; from there the kernel takes over.

      unless wine is running apps under ptrace (which i doubt because of the complexity and performance cost) there isn't a whole lot it can do to stop an application doing this.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  79. What about MS AntiSpyware on Wine? by Anonymous Coward · · Score: 0

    If the exploit works, does that mean MS protection will work... in other words
    What about MS AntiSpyware on Wine? ....any one ever try that?

  80. The "if your second wife doesn't scream" test by MarkusQ · · Score: 4, Informative

    "a set of bundled libraries designed to be API compatible"

    "designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality"

    What's the difference?

    Aren't the libraries bundled with WINE written to mimic the responses of the equivalent Windows APIs? Sounds like emulation to me.

    I've always assumed that they were making the first wife / second wife distinction.

    Your second wife may provide all the services that your first wife did ("Please pass the salt" gets the salt handed to you just as before) but that is only an implementation of the same API--it doesn't mean that your second wife is "emulating" your first wife.

    If, on the other hand, your second wife discovers that your first wife used to have some bizarre behaviour (say, she would occasionally wake up screaming "Now Dasher! now, Dancer! now Prancer and Vixen! On, Comet! on, Cupid!" etc. in an overly excited voice even when it was nowhere near Christmas) and your second wife decided to start doing it too solely because it's what your first wife did, that would be emulation.

    To give a less whimsical example: a browser such as Opera isn't "emulating" Firefox just because they both render HTML, support javascript, etc. Only if the Opera folks were to add a "Firefox quirks mode" that also attempted to duplicate all the overt behaviour of Firefox would they be "emulating" it. (And to be "simulating" they would have to be duplicating the overt behaviour by virtue of having in some sense the "same" internal structure.)

    -- MarkusQ

  81. Re:slashdot design ... by Anonymous Coward · · Score: 0

    LOL, it seems the authors of the Wine project have simply stolen the Win32 API code from Microsoft... :o)

  82. So what happened to the eyeballs? by tyse · · Score: 0

    Apparently one of the great things about open source is that many eyeballs makes all bugs shallow.

    Yet WINE developers missed this one and delivered insecure code. What happened to the shallow bugs? Where were all the eyeballs?

    And then they take longer than Microsoft to fix it, despite us being told that with open source anybody can fix it, response times are faster, community can turn around a fix in hours, blah, blah.

    I guess all of this pre-supposes that there is a large group of open source developers who care about such things. Do they exist? Do they care?

    1. Re:So what happened to the eyeballs? by Ash+Vince · · Score: 1

      This situation suggests to me another possibility. Microsoft always knew that this piece of poor design was an issue but decided not to fix it initially on cost grounds. As soon as it was discovered (by someone else) a patch could be put together quickly because half the work was already done.

      The people developing WINE simply missed it so they had to verify the bug exists and look at exactly what it was before they could fix it.

      Most people seem to consider all problems with software to be the fault of the coder. In my experience I used to point small security holes out to my employer all the time but sometimes he viewed it as not being cost effective to fix.

      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.
  83. Mean Mr Mustard sleeps in the park by stavromueller · · Score: 0

    So this affects like, 4 people? Maybe 5?

    --
    I kill harmless processes for sport
  84. The thing here is... by williamyf · · Score: 5, Insightful

    ... that when the WINE Coders were coding the Metafile APIs, they:

    1.) Did not realize this was a design flaw (most likely).
        or
    2.) Realized this was a security flaw and have been exploiting it since years ago (highly unlikely).
        or
    3.) Have been urging Microsoft to change the code since they realized (highly unlikely, as well).

    The point I am trying to make is that this design flaw was not spotted by the many eyes of the WINE project, showing that even the OSS development model is subject to mistakes.

    The intent of this comment is not to say which development model is better, just to point out the fact that ALL development models are subject to failures, and that our analysis should not be so unidimensional and binary, a thought that seems to be quite lost in this particular thread.

    As an aside, if this attack was made public on 12/27/05, and confirmed by Microsoft on 12/28/05, shouldn't the WINE community have tested for the flaw, posted a preliminary patch ASAP and then posted a definitive patch that mimics the effect of the Microsoft patch? Why produce the patch just AFTER Microsoft posted theirs, late by the common wisdom of /.?

    My other question regards a Turing-Complete "Image File Format", Postscript. Given the complexity in Postscript, is it not possible (but most likely harder, since it can not touch Filesystems) to do exploits in it?

    Just my two cents

    --
    *** Good luck to everyone and have a nice day!
    1. Re:The thing here is... by wkitchen · · Score: 1

      or

      4.) Recognized the flaw, but consciously chose to ignore it for the sake of compatibility. (bug-for-bug, and all that).

      But I agree that your choice #1 still seems the most likely.

    2. Re:The thing here is... by tyse · · Score: 1

      When Eric Raymond talks he says that all bugs are shallow.

      He does not say that "oh you know some things are kind of hard and even putting the code on an FTP site and allowing people to download it, realistically it's still only a dozen guys working on the project who ever look at it, and none of them are going to ever get around to reviewing the code for WMF".

      Let's face it, all bugs are shallow is OSS marketing. It's make believe.

      In the OSS world, the only thing you can say about bugs is usage is so low that most bugs are unexercised.

    3. Re:The thing here is... by Elektroschock · · Score: 1

      Wine is buggy and broken and there are a lot of things to get fixed. No need to surpass Microsoft in implementing the latest security fixes.

      The reason is simple: security currently has little priority.

      What wine really needs is more developers.

    4. Re:The thing here is... by Hymer · · Score: 1

      Wine developers may even have noticed that flaw but since M is known for using "features" (aka. bugs) on purpose they didn't remove it... who knows which M app. needs that bug.
      --
      I've got Linux on my PowerBook... Windoze XP just couldn't recognize any hardware in it...

  85. Who the hell!?!?! by Anonymous Coward · · Score: 0

    Is using IE or Outlook on WINE? In fact I think that only WMF embedded in DOC, XLS, PPT files might infect WINE.

  86. Mod Parent Up, GP Down by Ignominious+Cow+Herd · · Score: 1

    Absolutely right. A WMF is really just a list of GDI calls saved to a file. It is not an "Image" file like JPEG or TIFF (although TIFF can actually contain non-image data too).

    GP is NOT informative.

    --
    Lump lingered last in line for brains, and the ones she got were sorta rotten and insane.
  87. Peer review of "many eyes" should've caught this by I'm+Don+Giovanni · · Score: 2, Insightful
    What's amusing about this is that many of you guys that blasted Microsoft for designing this flaw into the WMF api are now defending the Wine devs with, "Well, they had to implement the whole api, so it's not their fault!!"

    But the facts are that the original design was made pre-Win3.0, long before the rise of the internet as we know it today. It's not surprising that the design flaw arose in that environment, and the design was used to deal with the hodge-podge of various printer behaviors from those days. And I don't particularly blame the actual handful of Wine devs that implemented the "whole API" and therefore inherited this design flaw.

    But I do place blame on the OSS community.
    Allow me to quote from Engaging with The Open Source Community:
    Another piece of Open Source philosophy is characterized as "many eyes make all bugs shallow." The continual review process used by Open Source communities produces a "many eyes" effect of massively parallel peer review that has been demonstrated to produce very high quality oversight of the software development process and products. Constant, repetitive peer review, coupled with a release schedule tied to objective software quality rather than marketing deadlines, consistently results in Open Source software quality orders of magnitude higher than that of commercial releases of similar software.
    This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it. Of course, I'm being too hard on the OSS community. I wouldn't expect that community to find this problem. But nor should you. The "many eyes" claim is a canard because in truth very few people not involved in the actual development of a particular piece of code actually examine that code for flaws, and even fewer can identify a flaw even if it's staring them in the face as clearly as this one.
    --
    -- "I never gave these stories much credence." - HAL 9000
  88. And while we're at it by Weaselmancer · · Score: 1

    It's also worth noting that no matter how you feel about Microsoft, they have thousands of people writing code for them - and none of them found this exploit. Wine right now is a couple of dozen guys.

    And they have bigger fish to fry, like getting DCOM working correctly so installers work, getting copy protected CDs to work correctly, and implementing DirectX fully.

    --
    Weaselmancer
    rediculous.
    1. Re:And while we're at it by Anonymous Coward · · Score: 0

      So if Microsoft doesn't prioritise security over everything it's bad, but if a couple of dozen guys working on open source stuff don't prioritise security, that's ok.

      Is that because security isn't important in open source, because security isn't important when you've got a small team, or because Microsoft sucks and open source must be better no matter what?

    2. Re:And while we're at it by robgamble · · Score: 1

      Given that statement I don't understand how the Wine guys get anything to work. It all just seems too huge. At least the Windows developers get access to source code and comments which would have described the intent of a piece of code, the Wine guys have to do a lot of intelligent guessing. They must be really terrific developers, hats off to those boys!

      --
      No sig for you!
    3. Re:And while we're at it by Weaselmancer · · Score: 1

      Nope, my point was just simple statistics. I'm sure security is important to both. But - Microsoft has thousands of coders working, whereas Wine only has a few dozen. If it's obscure enough to slip by thousands, then the odds are pretty high that it will slip by another dozen or two guys. That's all I was saying.

      --
      Weaselmancer
      rediculous.
  89. Re:Peer review of "many eyes" should've caught thi by NullProg · · Score: 3, Funny

    But the facts are that the original design was made pre-Win3.0, long before the rise of the internet as we know it today. It's not surprising that the design flaw arose in that environment, and the design was used to deal with the hodge-podge of various printer behaviors from those days. And I don't particularly blame the actual handful of Wine devs that implemented the "whole API" and therefore inherited this design flaw.
    Are you being smug or are you trolling on purpose? There was no pre-Win3.0 gdi32.dll. There was no hodge-podge of printer support. They all printed to LPT1 with their own escape-codes that the software developers implemented. I print to my year old Samsung laser using my twenty year old AppleWorks. You do know that WINE can use its own built-in DLLs or Win32 native DLLs, don't you? I can switch Wine to use the Gdi32.dll that Microsoft just provided for free.

    This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it.

    I don't think the Wine Developers are looking for flaws. Most of us use Wine to play Windows Games. In what aspect is my WINE/Linux environment compromised by this Microsoft flaw? There is no kernel to infect. Are the rootkit trojans going to infect my Starcraft session and turn the Zerg into lemmings? Are you mentally challenged?

    We appreciate that you like Windows, stay there. When you're ready to switch to an environment that doesn't believe that you owe a fee every three years and that you own your own stuff, let us know.

    Enjoy.

    --
    It's just the normal noises in here.
  90. WMF Current Test Files Can Be Found Here by ZOverLord · · Score: 2, Informative

    I have the latest test files created from version 1.17 both OFFLINE and ON-LINE as well as zip files for the last two prior releases 1.16 and 1.14 located here: http://www.dslreports.com/forum/remark,15188688#15188722 They can be used for testing, also there is a patch NOT supported by Microsoft for those running Windows 98 here: http://www.nod32.ch/en/download/tools.php It should be noted that these files have been used for many days and are safe for testing.

    --
    Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com
  91. Re:Why its not really a BUG, and why WINE has it t by eraserewind · · Score: 1

    While I understand what you mean, I don't really buy it as an excuse. You could just as easily argue that postscript is not a graphics format, or hell even jpeg. All files tell the computer to "do something", and you need to be careful when doing whatever it is they tell you. Just because the contents of the file match up to function calls in a dll, that doesn't mean you have to pass it directly to the particular function.

    And, the fact that you can make a malicious .exe for windows is a bug. .EXE is a file format same as any other, be careful what you allow them to do on your OS implementation.

  92. Update in apt repository. by kg4gyt · · Score: 1

    I just updated my system and it seems that the new version has been released. At least through their apt repository that wine hosts themselves anyway.

  93. Re:Why its not really a BUG, and why WINE has it t by Anonymous Coward · · Score: 0

    A wmf is not a graphics format in a traditional sense, but rather a list of API calls to the GDI libraries that when fired off one after another will recreate an image. ... For this reason, saying that the WMF insecurity is a bug, is like saying that the fact that you can make a malicious EXE for windows is a bug also.

    As I understand it, WMF files are allowed to register a callback function that will be executed in certain situations. The code for such a callback function can be embedded in the WMF file itself! Allowing a graphics data file to execute arbitrary code when being viewed is the height of stupidity and just begging for an attack exactly like the current vulnerability.

    So, maybe you are right; this is not a bug. Instead, it is a stupid design decision in Windows that was never considered at all in the sense of security. Now, how much do you trust any other decisions made in Windows design?

  94. So much for many eyeballs. by Anonymous Coward · · Score: 0

    If they just copy the bugs / exploits. Isn't one of the arguments in favour of OSS meant to be scrutiny of the source revealing things like that? Hey, I even bet the original exploiters of this might have got the idea from examining the source code. OSS creates dangers like this, it should be illegal...

  95. You thought the day would never come by Anonymous Coward · · Score: 0

    The short time when windows is the only OS not vulnerable to a windows exploit and linux is?!
    What were the wine developers doing during the week+ we were going after MS for not fixing it?

  96. Re:Peer review of "many eyes" should've caught thi by Anonymous Coward · · Score: 0

    No, many eyes is actually good.

    There are a lot of people that search for bugs almost every day and always seem to find some.

    The problem is that these people are out to exploit these bugs ;) ...

  97. Re:slashdot design ... by Anonymous Coward · · Score: 0

    LOL, it seems that you are a babbler :o). Developers of WINE only implemented a bad Win32 API.

  98. What is the exploit about by theguyfromsaturn · · Score: 1

    I'm curious to know what the exploit is about that it could have been present in two different implementations? I understand that WINE has implemented the API, so is the vulnerability not an implementation of drawing routines but of the spec of the API itself?

    --
    I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
  99. Re:Peer review of "many eyes" should've caught thi by 51mon · · Score: 1

    As a free software community member I don't use WINE, as it primarily exists to let people use non-free software, so my eyes aren't on it, it isn't installed on my box, and I'm not that interested in it.

    Clearly there is code that has more eyes on it than others. Similarly free software sees a lot of automated code audit, which I know hasn't historically been a high priority at many commercial software organisations. But it won't spot stuff like this.

    I'd guess the people interested in secure design aren't interested in reimplementing Windows APIs.

    So perhaps the WINE developers missed it as well as Microsoft, but it is inevitable they will reimplement Microsoft security flaws, as so many of the problems with Windows are structural. It isn't really their job to fix Windows.

  100. Re:Peer review of "many eyes" should've caught thi by Anonymous Coward · · Score: 0

    If you read the fucking article, you would have seen that Marcus Meisner of SuSE had already created a patch and passed it on to the Wine team. So get your facts right, Billie Boy, before you troll. Fucking moron.

  101. Re:Why its not really a BUG, and why WINE has it t by XMilkProject · · Score: 1

    I think you state it accurately, it was not a bug, because it was the intended behavior, it was instead a really stupid design idea probably caused by a lazy designer.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
  102. Firefox quirks mode, as implemented in Opera by Anonymous Coward · · Score: 0

    #ifdef FIREFOX_QUIRKS_MODE
    #define CALLED_IN_EVERY_FUNCTION sleep(2)
    #else
    #define CALLED_IN_EVERY_FUNCTION
    #endif