WINE Still Vulnerable to WMF Exploit

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."

Finally!

[A beautiful mind]

We can say now that Linux is truly ready for desktop because it catched up to Windows in these important features aswell!

I had no idea...

[MichaelSmith]

...that wine provided so much of the normal windows user experience. I must start recommending it to my friends

Uh, oh . . . somebody had better notify CERT.

[mmell]

So that they can add it to their already lengthy list of known LINUX exploits!

That's just wrong...

[John3]

So in this situaion, Windows systems updated with the most recent patch are more secure than machines running WINE.

TGIF cause stuff like this makes my head hurt.

Perfect emulation

[miscz]

This shows how great Wine is. It even emulates exploits and being late with the patches! Hurray for Wine!

Re:I don't understand

[A beautiful mind]

"/* Heavy wizardry */"

(If you know Perl, you'll understand)

Not impressed

[Anonymous Coward]

Until I can get my Linux box rootkitted by Sony DRM.

Re:Kudos to WINE

[Afecks]

On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

WINE IS NOT AN EMULATOR!

License?

[John3]

What is this license you speak of and why would I need one for software?

Well, there you go...

[stinky wizzleteats]

All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable

That's 3 Unix/Linux vulnerabilities to 1 for Windows. Windows is more secure.

The traditional "joke", with a twist?

[Jugalator]

For WINE users, here's a patch [microsoft.com].

Wow, I could never imagine this time would come, after all those here's a patch [mozilla.com] jokes!

My favorite review of this subject...

[jeremy_white]

...is on Newsforge [newsforge.com].

Makes sense to me...

[sd_diamond]

I know that excessive use of Wine usually makes me insecure.

Re:slashdot design ...

[6Yankee]

slashdot design looks strange today

You just want me to commit a felony by refreshing it to see if I see what you see, don't you?

Re:Peer review of "many eyes" should've caught thi

[NullProg]

But the facts are that the original design was made pre-Win3.0, long before the rise of the internet as we know it today. It's not surprising that the design flaw arose in that environment, and the design was used to deal with the hodge-podge of various printer behaviors from those days. And I don't particularly blame the actual handful of Wine devs that implemented the "whole API" and therefore inherited this design flaw.
Are you being smug or are you trolling on purpose? There was no pre-Win3.0 gdi32.dll. There was no hodge-podge of printer support. They all printed to LPT1 with thier own escape-codes that the software developers implemented. I print to my year old Samsung laser using my twenty year old AppleWorks. You do know that WINE can use its own built-in DLLs or Win32 native DLLs, don't you? I can switch Wine to use the Gdi32.dll that Microsoft just provided for free.

This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it.

I don't think the Wine Developers are looking for flaws. Most of us use Wine to play Windows Games. In what aspect is my WINE/Linux environment compromised by this Microsoft flaw? There is no kernel to infect. Are the rootkit trojans going to infect my Starcraft session and turn the Zerg into lemmings? Are you mentally challedged?

We appreciate that you like Windows, stay there. When your ready to switch to a environment that doesn't believe that you owe a fee every three years and that you own your own stuff, let us know.

Enjoy.