Wine Security Disclosure

James McKenzie jjmckenzie51 at sprintpcs.com
Sun Mar 16 20:01:58 CDT 2008 

Dmitry Timoshkov wrote:
> "Dan Kegel" <dank at kegel.com> wrote:
>
>   
>>>  What's so special about Wine that doesn't apply to say VMWare,
>>>  Parallels, Win4Lin, DOSBox, and others?
>>>       
>> With vmware, parallels, and win4lin, you can actually
>> run commercial virus scanners inside those environments,
>>     
>
> Is it really necessary to require running a virus scanner from
> inside of Wine?
>
>   
No, but files should be scanned on Linux/UNIX/MacOSX using a virus 
scanner like ClamAV.  There even is a front end for the Mac.
>> and everybody knows that one should do that if one
>> cares about viruses.
>>     
>
> Same sentence applies to Wine I'd assume.
>
>   
Viruses depend on the environment.  The more APIs that are built, the 
more likely a virus will be able to run in Wine.
>
> It's still possible to run a native virus scanner outside of Wine.
> Wine is just a part of underlying system, not a separate environment.
>
>   
See my comment above.  Linux users have to become aware that Wine will 
make their systems vulnerable to Windows Viruses as well as running 
Windows Code.
>> and
>> (worst of all) everybody assumes Linux is impervious to viruses.
>>     
>
> I already answered to this one.
>
>   
Macs are not impervious to viruses, it just is not popular enough and 
the 'hoops' you have to go through to run a virus are major.  However, 
adding Wine does make Macs vulnerable to Windows viruses (at least some 
of them). 
>>> Probably yes, we could extend  the FAQ section about
>>> security, but that's almost everything we can do.
>>>       
>> I pointed out several other things we could do.
>> Another one is we could make the wine package list clamav
>> as a dependency.
>>
>> Denying there's a problem, or that we can do anything about it,
>> might lead to a large number of unhappy users.
>>     
>
> Nobody denies that there is a problem, the thing is that personally
> I don't see why that problem is Wine specific.
>
>   

The problem is that adding Wine to Linux/UNIX/MacOSX opens the system to 
Windows vulnerabilities unless they are blocked.  If we attempt to do 
this, the project may suffer.  So the other alternative is to make Wine 
users aware that adding this product to their systems may increase the 
likelyhood they may become infected if they do not practice good 
computer security habits, like using virus scanners to prevent 
introduction of viruses to their systems.  Even I as a Mac user practice 
good computer security, and that is because I got burned with a DOS 
virus on OS/2. 

+1 to adding Virus warnings on the Wine FAQ.

James McKenzie

More information about the wine-devel mailing list