Security Software Wine Linux

WINE Still Vulnerable to WMF Exploit

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."

  • So... (Score:5, Interesting)

    by ImaLamer ( 260199 ) <john@lamar.gmail@com> on Friday January 06, 2006 @05:36PM (#14412213) Homepage Journal
    Should I be worried about my Fake Windows security or am I at no risk as long as I don't run "sol.exe" as root?

    How far can someone get by working over WINE with this exploit?
  • Kudos to WINE (Score:5, Interesting)

    by DrXym ( 126579 ) on Friday January 06, 2006 @05:37PM (#14412227)
    For implementing Win32 so closely that you can actually be infected with Win32 exploits. I suspect that the effects wouldn't be as bad as the real thing though.

    On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

  • Make a copy? (Score:5, Interesting)

    by vandon ( 233276 ) on Friday January 06, 2006 @05:37PM (#14412232) Homepage
    Can't you just make a copy of the fixed gdi32.dll from a working windows machine?
  • Isn't that the Goal? (Score:3, Interesting)

    by lordofthechia ( 598872 ) on Friday January 06, 2006 @05:38PM (#14412244)
    After all, from winehq.org: "Wine has always strived for "bug for bug" compatibility"
  • serious question (Score:3, Interesting)

    by js3 ( 319268 ) on Friday January 06, 2006 @05:40PM (#14412261)
    does anyone use wmf files?
  • I don't understand (Score:5, Interesting)

    by overshoot ( 39700 ) on Friday January 06, 2006 @05:43PM (#14412278)
    The WINE libraries don't even include an equivalent of the DLL that causes the problem for Microsoft.

    How does WINE manage to duplicate a flaw in a function that WINE doesn't even implement?

  • by makomk ( 752139 ) on Friday January 06, 2006 @05:49PM (#14412329) Journal
    I expect it's like Windows 98 - you can't get infected by websites, but you can get infected by viewing a WMF using some program that uses the Windows API to display them. (For example, most Word clipart is WMFs, IIRC.)
  • Re:serious question (Score:1, Interesting)

    by Anonymous Coward on Friday January 06, 2006 @05:53PM (#14412354)
    I used to use it to insert vector images in Word. It was the only real alternative since Word didn't support anything more serious like .ai, .pdf or .eps.
  • Re:So... (Score:4, Interesting)

    by Craig Davison ( 37723 ) on Friday January 06, 2006 @05:57PM (#14412393)
    You don't need to be root to send out 1000 spams/minute.
  • by XMilkProject ( 935232 ) on Friday January 06, 2006 @06:47PM (#14412836) Homepage
    It's been a while since I've written any WMF software, but if I remember correctly, the problem here is with the general principle of a WMF, not a bug in any libraries, hence windows and wine both being vulnerable.

    A wmf is not a graphics format in a traditional sense, but rather a list of API calls to the GDI libraries that when fired off one after another will recreate an image.

    For this reason, saying that the WMF insecurity is a bug, is like saying that the fact that you can make a malicious EXE for windows is a bug also.

    I'm not saying it shouldn't be fixed, because it is a vulnerability, I'm just trying to shine some light on why similar vulnerabilities exist in WINE.

    If I have given an incorrect explanation of WMF, please feel free to comment.
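
The record layout described in the comment above, as an added example that is not part of the original thread or of Wine's code: a small auditing parser that walks a metafile's records (each one a size, a GDI function code and its parameters) and reports the offsets of any META_ESCAPE records carrying the SETABORTPROC escape code. The record codes come from the published WMF format; the thread does not name a specific record, so what `audit` flags is this example's assumption, and `SAMPLE` is a constructed file whose escape record carries no data.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte placeable header magic
META_EOF = 0x0000
META_ESCAPE = 0x0626         # record that forwards to the GDI Escape() call
SETABORTPROC = 0x0009        # escape code that registers a callback
NAMES = {0x0103: "META_SETMAPMODE", 0x020B: "META_SETWINDOWORG",
         META_ESCAPE: "META_ESCAPE", META_EOF: "META_EOF"}

def walk_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated METAHEADER")
    ftype, header_words = struct.unpack_from("<HH", data, pos)
    if ftype not in (1, 2) or header_words != 9:
        raise ValueError("not a standard metafile header")
    pos += 18
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2          # record size is counted in 16-bit words
        if size_words < 3 or end > len(data):
            raise ValueError(f"bad record size at offset {pos}")
        yield pos, function, data[pos + 6:end]
        if function == META_EOF:
            return
        pos = end

def audit(data):
    """Return (record names in order, offsets of SETABORTPROC escape records)."""
    names, flagged = [], []
    for off, fn, params in walk_records(data):
        names.append(NAMES.get(fn, hex(fn)))
        if fn == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                flagged.append(off)
    return names, flagged

def record(function, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, function) + params

# Constructed sample: header, a map-mode record, an empty escape record, EOF.
_body = (record(0x0103, struct.pack("<H", 8))
         + record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
         + record(META_EOF))
SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(_body) // 2, 0, 5, 0) + _body
```
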
  • Re:Kudos to WINE (Score:5, Interesting)

    by IamTheRealMike ( 537420 ) on Friday January 06, 2006 @06:48PM (#14412849)
    FWIW I've spent several years as a Wine developer, and I definitely consider it to be emulation.

    That said, this story is just a lot of scaremongering from ZDNet. Sure, you could be hacked through this if you run IE in Wine and use it as a general web browser (which I doubt anybody does), but the damage would be limited to the virtual Windows environment which can be blown away and reset in 20 seconds. It's not like the reinstall from scratch job a real Windows would require. Wine also ignores any startup entries software may install.

    Still, it should be fixed, probably in the same way that MS did it. And in fact Marcus has already posted a patch that would do this, so I expect it'll be fixed soon enough.

  • by MeBot ( 943893 ) on Friday January 06, 2006 @06:57PM (#14412942)
    Six days after m$ft learned of the vulnerability, we were all yelling that it shouldn't take that long for a fix and thank heavens that open source projects could always churn out fixes so much quicker. Well, the open source wine has now had 3 days. Does that mean that if wine takes another 3 days, then we've proven that open source isn't always faster with fixes?
  • Re:serious question (Score:1, Interesting)

    by Anonymous Coward on Friday January 06, 2006 @08:51PM (#14413877)

    jpg, gif, and bmp files can not have "wmf headers".

    You can make a WMF file that displays a jpg, gif, or bmp, but that's a bit different from the jpg, gif, or bmp having a "wmf header". It's a subtle difference.
