Slashdot Mirror

← Back to Stories (view on slashdot.org)

WINE Still Vulnerable to WMF Exploit

Posted by Zonk on from the patch-up-young-linux-users dept.

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."

15 of 240 comments (clear)

  1. Finally! by A+beautiful+mind · · Score: 4, Funny

    We can say now that Linux is truly ready for desktop because it catched up to Windows in these important features aswell!

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  2. I had no idea... by MichaelSmith · · Score: 5, Funny

    ...that wine provided so much of the normal windows user experience. I must start recommending it to my friends

    --
    http://michaelsmith.id.au
  3. Uh, oh . . . somebody had better notify CERT. by mmell · · Score: 3, Funny

    So that they can add it to their already lengthy list of known LINUX exploits!

  4. That's just wrong... by John3 · · Score: 2, Funny

    So in this situaion, Windows systems updated with the most recent patch are more secure than machines running WINE.

    TGIF cause stuff like this makes my head hurt.

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  5. Perfect emulation by miscz · · Score: 5, Funny

    This shows how great Wine is. It even emulates exploits and being late with the patches! Hurray for Wine!

  6. Re:I don't understand by A+beautiful+mind · · Score: 3, Funny

    "/* Heavy wizardry */"

    (If you know Perl, you'll understand)

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  7. Not impressed by Anonymous Coward · · Score: 5, Funny

    Until I can get my Linux box rootkitted by Sony DRM.

  8. Re:Kudos to WINE by Afecks · · Score: 5, Funny

    On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

    WINE IS NOT AN EMULATOR!

  9. License? by John3 · · Score: 2, Funny

    What is this license you speak of and why would I need one for software?

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  10. Well, there you go... by stinky+wizzleteats · · Score: 5, Funny

    All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable

    That's 3 Unix/Linux vulnerabilities to 1 for Windows. Windows is more secure.

  11. The traditional "joke", with a twist? by Jugalator · · Score: 4, Funny

    For WINE users, here's a patch.

    Wow, I could never imagine this time would come, after all those here's a patch jokes!

    --
    Beware: In C++, your friends can see your privates!
  12. My favorite review of this subject... by jeremy_white · · Score: 2, Funny

    ...is on Newsforge.

  13. Makes sense to me... by sd_diamond · · Score: 1, Funny

    I know that excessive use of Wine usually makes me insecure.

  14. Re:slashdot design ... by 6Yankee · · Score: 3, Funny

    slashdot design looks strange today

    You just want me to commit a felony by refreshing it to see if I see what you see, don't you?

  15. Re:Peer review of "many eyes" should've caught thi by NullProg · · Score: 3, Funny

    But the facts are that the original design was made pre-Win3.0, long before the rise of the internet as we know it today. It's not surprising that the design flaw arose in that environment, and the design was used to deal with the hodge-podge of various printer behaviors from those days. And I don't particularly blame the actual handful of Wine devs that implemented the "whole API" and therefore inherited this design flaw.
    Are you being smug or are you trolling on purpose? There was no pre-Win3.0 gdi32.dll. There was no hodge-podge of printer support. They all printed to LPT1 with thier own escape-codes that the software developers implemented. I print to my year old Samsung laser using my twenty year old AppleWorks. You do know that WINE can use its own built-in DLLs or Win32 native DLLs, don't you? I can switch Wine to use the Gdi32.dll that Microsoft just provided for free.

    This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it.

    I don't think the Wine Developers are looking for flaws. Most of us use Wine to play Windows Games. In what aspect is my WINE/Linux environment compromised by this Microsoft flaw? There is no kernel to infect. Are the rootkit trojans going to infect my Starcraft session and turn the Zerg into lemmings? Are you mentally challedged?

    We appreciate that you like Windows, stay there. When your ready to switch to a environment that doesn't believe that you owe a fee every three years and that you own your own stuff, let us know.

    Enjoy.

    --
    It's just the normal noises in here.