WINE Still Vulnerable to WMF Exploit 240
blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."
Finally! (Score:4, Funny)
I had no idea... (Score:5, Funny)
...that wine provided so much of the normal windows user experience. I must start recommending it to my friends
So... (Score:5, Interesting)
How far can someone get by working over WINE with this exploit?
Re:So... (Score:4, Interesting)
Re:So... (Score:2)
and if the user ever uses su/unrestricted sudo then they could get root by laying a trap.
Uh, oh . . . somebody had better notify CERT. (Score:3, Funny)
Re:Uh, oh . . . somebody had better notify CERT. (Score:3, Insightful)
Kudos to WINE (Score:5, Interesting)
On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?
Re:Kudos to WINE (Score:2)
I would also guess that it's quite uncommon that the same exploting code actually works, as many addresses will be different from a normal XP system. The same vector, i.e. a malformed WMF file resuling in a call to the abort proc of choice, is still possible, though.
Re:Kudos to WINE (Score:5, Funny)
WINE IS NOT AN EMULATOR!
Re:Kudos to WINE (Score:2)
Re:Kudos to WINE (Score:2)
I hear quite often how WINE is merely an implementation of the Win32 APIs, etc, but this begs one question:
If Microsoft made some error in implementing their own Win32 API, i.e. not to the correct specification, would the WINE developers implement the Win32 API as it 'should be' (thus breaking applications that use it), or would they 'emulate' the broken code? I have a distinct feeling that it'd be the latter.
Re:Kudos to WINE (Score:2)
According to Microsoft, if such a situation were to arise, the specification would be in error. Where differences exist between Microsoft's documentation and Microsoft's implementation, the implementation is correct. (At least in released code.)
Re:Kudos to WINE (Score:3, Informative)
Too bad that doesn't describe WINE. WINE is a run-time linker with a set of bundled libraries designed to be API compatible with the core Windows libraries. Absolutely NO emulation is happening.
Now there is a WINE for OS X project going on that uses QEmu (or was it bochs? I forget) to do actual emulation of the x86 instruction
Re:Kudos to WINE (Score:2)
1 Effort or ambition to equal or surpass another. 2 Imitation of another.
verb try to equal or surpass, typically by imitation.
to copy something achieved by someone else and try to do it as well as they have
3 a : IMITATION b : the use of or technique of using an emulator
1 : one that emulates 2 : hardware or software that permits programs written for one compute
Re:Kudos to WINE (Score:3, Informative)
Re:Kudos to WINE (Score:2)
http://www.answers.com/snafu [answers.com]
Re:Kudos to WINE (Score:3, Insightful)
In the technical terminology of Computer Science, an emulator is some system which intentionally behaves like some other system. From a technical perspective, it doesn't matter at all if you are emulating hardware or software... conceptually, it's all the same thing.
The people who argue "Wine is not an emulator" are incorrectly using "emulator" as an abbreviation "hardware emulator", since that was the first place the
Re:Kudos to WINE (Score:3, Insightful)
"designed to mimmick the behaviour of another piece of hardware or software in order to achieve the same functionality"
What's the difference?
Aren't the libraries bundled with WINE written to mimmick the responses of the equivalent Windows APIs? Sounds like emulation to me.
The "if your second wife doesn't scream" test (Score:5, Informative)
I've always assumed that they were making the first wife / second wife distinction.
Your second wife may provide all the services that you first wife did ("Please pass the salt" gets the salt handed to you just as before) but that is only an implementation of the same API--it doesn't mean that your second wife is "emulating" your first wife.
If, on the other hand, your second wife discovers that your first wife used to have some bizarre behaviour (say, she would occasionally wake up screaming "Now Dasher! now, Dancer! now Prancer and Vixen! On, Comet! on, Cupid!" etc. in an overly excited voice even when it was nowhere near christmas) and your second wife decided to start doing it too solely because it's what your first wife did, that would be emulation.
To give a less whimsical example: a browser such as Opera isn't "emulating" Firefox just because they both render HTML, support javascript, etc. Only if the Opera folks were to add a "Firefox quirks mode" that also attempted to duplicate all the overt behaviour of Firefox would they be "emulating" it. (And to be "simulating" they would have to be duplicating the overt behaviour by virtue of having in some sense the "same" internal structure.)
-- MarkusQ
Re:Kudos to WINE (Score:5, Interesting)
That said, this story is just a lot of scaremongering from ZDNet. Sure, you could be hacked through this if you run IE in Wine and use it as a general web browser (which I doubt anybody does), but the damage would be limited to the virtual Windows environment which can be blown away and reset in 20 seconds. It's not like the reinstall from scratch job a real Windows would require. Wine also ignores any startup entries software may install.
Still, it should be fixed, probably in the same way that MS did it. And in fact Marcus has already posted a patch that would do this, so I expect it'll be fixed soon enough.
wine OSX (Score:2)
Too bad that leaves us PPC users out in the cold.
Re:Kudos to WINE (Score:2, Insightful)
An emulator is a replimentation, but it is not a mere reimplimentation of something. They are reimplimentations at different levels. Normally it's with parts of hardware mimicked by software.
Wine is at basically the same level as the original Windows...it's a bunch of libraries that have functions in them. These libraries do stuff, and sometimes talk to the OS. (And, in the case of Wine, X.)
Clarification: Wine Is Not a (CPU) Emulator (Score:2, Informative)
I'm pretty sure a more accurate expansion of WINE is: Wine Is Not a (CPU) Emulator. See the Wine FAQ [winehq.org]. As you correctly point out, Wine emulates (implements?) the Windows API, using the native CPU to execute code.
Re:Clarification: Wine Is Not a (CPU) Emulator (Score:2)
Re:Kudos to WINE (Score:3, Insightful)
Re:Kudos to WINE (Score:2, Informative)
Make a copy? (Score:5, Interesting)
Re:Make a copy? (Score:5, Informative)
License? (Score:3, Funny)
That's just wrong... (Score:2, Funny)
TGIF cause stuff like this makes my head hurt.
Re:That's just wrong... (Score:4, Insightful)
How many applications that pass WMFs (ie: email clients and browsers) do you use under linux that require Wine? Now how many do you use under windows that would be potentially exploited?
This is far less serious for Linux users than Windows users.
Re:That's just wrong... (Score:2)
So in this situaion, Windows systems updated with the most recent patch are more secure than machines running WINE.
Possibly in theory, but not likely in practice. I would bet that most people who have Wine installed don't actually even use it. The rest of the people that do use it likely only use it for a handful of specific programs.
Re:That's just wrong... (Score:2)
I think its sad that Microsoft beat open source to a patch. Lets get it together people!
Transmeta Crusoe (Score:5, Informative)
Isn't that the Goal? (Score:3, Interesting)
Perfect emulation (Score:5, Funny)
serious question (Score:3, Interesting)
Re:serious question (Score:3, Insightful)
Re:serious question (Score:2)
This website for example has quite a bit of WMF files. The internet is teeming with them. Oh, you think they have to end in
Thanks for trolling!
Re:serious question (Score:2, Informative)
Get your facts straight or stop feeding the trolls.
Re:serious question (Score:2, Informative)
A WMF file is a very specific file format that contains a list of Windows GDI calls that describe how to draw an image. So obviously, most images on the interweb are not WMF files.
It is possible to make a WMF file that lists the GDI calls to display a GIF/JPG/whatever file, but that still doesn't make the GIF/JPG/whatever files themselves WMF files.
Re:serious question (Score:2, Informative)
I don't understand (Score:5, Interesting)
How does WINE manage to duplicate a flaw in a function that WINE doesn't even implement?
Re:I don't understand (Score:3, Interesting)
Re:I don't understand (Score:2, Informative)
Re:I don't understand (Score:4, Funny)
(If you know Perl, you'll understand)
Re:I don't understand (Score:5, Insightful)
Re:I don't understand (Score:2)
I seem to remember that if you have Windows installed on another partition, WINE can optionally use the original Windows DLLs. Presumably, this is the configuration that is vulnerable.
Re:I don't understand (Score:3, Informative)
Don't get hung up on gdi32.dll or shimgvw.dll or whatever - it's the API itself that WINE implements, not specific DLLs and entry points (although it might provide shim for those for some apps) and that's where the problem is.
Re:I don't understand (Score:2)
http://cvs.winehq.org/cvsweb/wine/dlls/gdi/ [winehq.org]
WTF are you talking about?
Patching WINE? (Score:2)
Re:Patching WINE? (Score:2, Informative)
exactly. to run the "WINE autoupdater" open a console and type the following commands:
export CVSROOT=:pserver:cvs@cvs.winehq.org/home/wine
cvs login
the password is "cvs"
cvs -z 3 checkout wine
cd wine
./configure
make
su
enter root password
killall -s KILL wineserver
make uninstall
make install
exit
cd..
rm -rf wine
wineconfig
that's all! ;-) (the exploit is fixed in the cvs tree)
of course you can make this even more "auto-ish" if you put the a
Immitation is the sincerest form of flattery (Score:5, Insightful)
Wine is Not an Emulator, but it's purpose is to allow all of us in Linuxland to use software developed for Windows. That means that it must replicate even the broken parts.
Luckily, I assume two things:
1. The WINE devs will plug this as soon as they get around to it.
2. Anyone using WINE successfully is probably canny enough to make due until then without getting themselves compromised.
Re:Immitation is the sincerest form of flattery (Score:2, Insightful)
The responsible thing for the WINE developer(s) to do is to tell Microsoft about this serious hole, and not implement it until there is a sufficient need. Even then, it should be enabled only in a "quirks" or bug-compatibility mode, because it is dangerous. I can't believe the developer(s) are being complimented ("speaks highly of them") for quietly implementing a security hole.
Now, I don't think they should be blamed for not realizing the problem (the origina
Actually, not this time (but often other times) (Score:2)
I use Wine extensively in my work, typically to allow corporations with archaic, proprietary software developed for Windows to migrate wholly or partially to Linux. I've found that many applications are poorly coded and end up using strange or broken Windows APIs. They'll use a bug as a feature and rely upon it to function.
Simply put, I rely on the Wine guys to implement every "feature" of Win
Re:yeah right (Score:2)
Ah the joys of having access to both sources... (Score:2)
DEFINITELY not from Microsoft.
Re:yeah right (Score:2)
I will guarentee you that the function in question at the very least is NOT from Microsoft's code.
Re:yeah right (Score:3)
Not impressed (Score:5, Funny)
Why should they realize it's a problem? (Score:5, Insightful)
The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue.
Remember, the goal of WINE is to duplicate the API as exactly as possible. And up until a few days ago, that *was* part of the API.
WINE isn't supposed to be an improvement, just a duplication of the API so that win32 apps can run on x86 *nix. It should be no surprise to anyone that their implementation of the metafile API is exactly like the one in Windows. That's the point.
Re:Why should they realize it's a problem? (Score:2)
Re:Why should they realize it's a problem? (Score:2)
Too bad that's wrong (Score:2)
WINE takes that a step farther, though.. they're trying to implement the undocumented behaviors too. They do this mostly by running known-working windows software and seeing where it breaks in WINE. Where it breaks, this indicates a place where the WINE implementation of the API e
Re:Too bad that's wrong (Score:2)
Re:Too bad that's wrong (Score:3, Informative)
It's more complicated than WMF just being able to call anything inside GDI32.dll. This is demonstrated by the fact that SetAbortProc was never allowed, the way to do it in WMF was using the Escape function, which has an obsolete escape code for adding an abort proc in the context where it makes sense, for printer spooling.
So the
GDI DLL Exploit Method (Score:2, Informative)
http://blogs.securiteam.com/index.php/archives/18
-c0d3r-
Well, there you go... (Score:5, Funny)
That's 3 Unix/Linux vulnerabilities to 1 for Windows. Windows is more secure.
The traditional "joke", with a twist? (Score:5, Funny)
Wow, I could never imagine this time would come, after all those here's a patch [mozilla.com] jokes!
Congrats WINE (Score:2)
*drum hit*
Thank you, thank you, next show at 10!
Cedega is not affected by this exploit (Score:5, Informative)
And Marcus Messier's fix for WineHQ was checked in earlier today. 8-)
-Gav
Re:Cedega is not affected by this exploit (Score:2)
What happend to many eyes? (Score:2)
Here we've got at least two sets of eyes that missed it, not just the folk(s) who wrote the Wine code, but also the one(s) who wrote the original implementation for Windows... and the only time the flaw was discovered in Wine was AFTER the Windows one was... presumably because someone looked to see if Wine was vulnerable as well.
Re:What happend to many eyes? (Score:2)
Hey!! I knew that!! (Score:2)
However, I can't quite shake off the creeping suspicion that I've got something terribly, terribly wrong in my model of the world, though, that I feel I have to point out that I told you so. Please, say it isn't just me!!
Why its not really a BUG, and why WINE has it too (Score:2, Interesting)
A wmf is not a graphics format in a traditional sense, but rather a list of API calls to the GDI libraries that when fired off one after another will recreate an image.
For this reason, saying that the WMF insecurity is a bug, is like saying that the fact that you can make a malicious EXE for wi
Re:Why its not really a BUG, and why WINE has it t (Score:2, Informative)
"Does anyone actually use WMF anyway?"
There are actually some common uses of WMF on windows, but becuase it is a metafile of GDI calls, its not very portable (although it is easy to convert).
Since displaying a WMF is nothing more than enumerating the list into a 'select case' statement (not a very long one either) it is very easy and VERY fast to display on Windows. (Really no processing is required). For this reason, microsoft uses WMF for all the MS Office
Re:Why its not really a BUG, and why WINE has it t (Score:3, Informative)
My favorite review of this subject... (Score:3, Funny)
How long should a fix take? (Score:3, Interesting)
Programming Issue? No way! (Score:3, Informative)
Re:Programming Issue? No way! (Score:2, Insightful)
WMF became obsolete soon, and was forgotten. It's perfectly normal to forget to review code that old, especially if the programme
Re:Programming Issue? No way! (Score:3, Informative)
I agree, it probably should have been taken care of in the interim, but I wouldn't classify it as poor design (for the times).
The thing here is... (Score:5, Insightful)
1.) Did not realize this was a design flaw (most likely).
or
2.) Realized this was a security flaw and have been explioting it since years ago (highly unlikely).
or
3.) Have been urging Microsoft to change the code since they realized (highly unlikely, as well).
The point I am trying to make is that this design flaw was not spotted by the many eyes of the WINE project, showing that even the OSS development model is subject to mistakes.
The intent of this comment is not to say which development model is better, just to point out the fact that ALL development models are subjet to failures, and that our analysis should not be so unidimensional and binary, a thought that seems to be quite lost in this particular thread.
As an aside, if this atack was made public in 12/27/05, and confirmed by Microsoft in 12/28/05, shoudnt have the WINE comunity tested for the flaw, posted a preliminary patch ASAP and then post a definitive patch that mimics the efect off the Microsoft patch? Why to produce the patch just AFTER Microsoft posted theirs, late by the comon wisdom of
My other question our regard a Turing-Complete "Image File Format", Postscript. Given the complexity in Postcript, is it not possible (but most likely harder, since it can not touch Filesystems) to do exploits in it?
Just my two cents
Re:Not that insecure (Score:4, Informative)
Re:Not that insecure (Score:2)
Does this vulnerability allow that?
As it is, only a program which allowed the vulnerability would be affected, as my Cedega gives each program its own fake windows.
correct me if i'm wrong (Score:2)
IT'S FIXED IN THE CVS (Score:5, Informative)
Which changed wine/dlls/gdi/metafile.c from:To:This is first day response.
Bug-for-bug compatibility to the next level (Score:2)
Now the king of compatiblity claims is "'sploit-for-'sploit compatible"!
Re:Mud Wiggle saith (Score:2)
Re:Mud Wiggle saith (Score:2)
I hope the Wine team has a flux capacitor. [microsoft.com]
Re:Mud Wiggle saith (Score:2)
Unless the WINE developers have a time machine and are holding out on the rest of us. Incidentally, that would explain why WINE only runs software designed to run on OSes aged 8 yrs. and older.
Well, pay up. What'd I win?
Re:Mud Wiggle saith (Score:2)
Re:Linix tained by M$ crap. ps3?!?!?! (Score:2)
Maybe he's brain damaged.
Maybe the liquid nitrogen has run out and there's not much mentation left.
Maybe he's nine and he's trying to be cool to impress us.
I'm certainly impressed. I didn't know that our canine colleagues had learned how to use computers.
It's already fixed in CVS anyways (Score:4, Insightful)
Patched, Fixed, Done.
If you RTFA, you'll even see that the very person to report that WINE was flawed the same as Windows submitted a patch to fix the problem along with his notice that it was broken.
THAT is how fast OSS is. The very vulnerability announcement says how to fix it.
Re:It's already fixed in CVS anyways (Score:2)
I'm also accutely aware that Microsoft had to test the patch before releasing it. The issue has always been that they were going to wait until patch Tuesday to release it, and not release it as soon as possible.
Kudos to which ever Senior VP approved us to put it out early.
Re:slashdot design ... (Score:4, Funny)
slashdot design looks strange today
You just want me to commit a felony by refreshing it to see if I see what you see, don't you?
Re:this still could be a problem (Score:2)
Wine took 3 days. And Cedega never had the problem in the first place.
And if I really wanted to be secure, I wouldn't have my home dir mapped anyway, or I'd run Wine as a separate user.
For that matter, this has been p
Re:Peer review of "many eyes" should've caught thi (Score:4, Funny)
Are you being smug or are you trolling on purpose? There was no pre-Win3.0 gdi32.dll. There was no hodge-podge of printer support. They all printed to LPT1 with thier own escape-codes that the software developers implemented. I print to my year old Samsung laser using my twenty year old AppleWorks. You do know that WINE can use its own built-in DLLs or Win32 native DLLs, don't you? I can switch Wine to use the Gdi32.dll that Microsoft just provided for free.
This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it.
I don't think the Wine Developers are looking for flaws. Most of us use Wine to play Windows Games. In what aspect is my WINE/Linux environment compromised by this Microsoft flaw? There is no kernel to infect. Are the rootkit trojans going to infect my Starcraft session and turn the Zerg into lemmings? Are you mentally challedged?
We appreciate that you like Windows, stay there. When your ready to switch to a environment that doesn't believe that you owe a fee every three years and that you own your own stuff, let us know.
Enjoy.