[Wine] wine and security - lockdown suggestions

mrmedia wineforum-user at winehq.org
Tue Apr 10 07:44:06 CDT 2012


I only run one piece of software under Wine, but this app is still a great risk.
The intentions and opportunity of software developers not using open source should not be underestimated.

When I run
env WINEPREFIX="/ubuntu/PC1/.wine" wine  C:\\windows\\system32\\taskmgr.exe

I am reminded again of all the security problems with Windows.
I was thinking that it ought to be easier to secure Wine since it is a cut-down version.

Areas I would guess COULD be addressed are:

1) Have a custom pluginplay - i.e. pluginplay with a wrapper so that every time it is called a msgbox pops up (I worry that these pluginplay packets get through the router and expose the OS to remote devices).

2) A way to lock down "services" - so that there are no new ones past a certain point.  And/or new services are on 'alert'.

3) Have a Windows registry lock - or organise a bat to always restore a trusted registry file every startup.

4) Have greater control over svchost.exe. Same wrapper idea, or alerts or ?????? maybe byte size checking to prevent replacements.

5) Allow a way to have Wine block port 80 - in a scenario where the software you do run can get by with port 443 only,
i.e. a small open source firewall that is rootkit proof.
Or a firewall that filters both the app and port.

6) Rootkit detector - Linux built but Wine targeted

7) Virus detection - again Linux built but Wine targeted

8) A surefire way and FAQs on running vulnerability scans - BackTrack, Knoppix STD, etc.
http://wirelessdefence.org/Contents/WirelessDistros.htm
http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/
http://www.serverwatch.com/server-trends/10-secure-linux-distributions-you-need-know-about.html

9) Windows registry improvements
e.g. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect

Granted, it is likely that Microsoft ensured that these security risks could not be completely erased, and engineered in vulnerabilities to suit their interests.
So the idea of wrapper DLLs may not be feasible, but I'm hoping that vulnerabilities can be identified so that some, albeit slow, progress can be made.
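
Suggestions 3 and 4 above can be approximated from the Linux side with a wrapper script. The following is an added example, not part of the original post: it restores trusted copies of the prefix's registry files before each start and compares SHA-256 hashes of the system32 executables, used here instead of byte size checking because a same-size replacement would pass a size check. The function names and the trusted-store layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils/findutils.
# The trusted-store layout (reg/, system32.sha256) is hypothetical.
REG_FILES="system.reg user.reg userdef.reg"   # Wine's on-disk registry files

# Print "hash  path" for every .exe under system32, in a stable order.
hash_system32() {
    ( cd "$1" && find drive_c/windows/system32 -type f -name '*.exe' \
        -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# baseline_prefix PREFIX STORE: save trusted registry copies and exe hashes.
baseline_prefix() {
    mkdir -p "$2/reg" || return 1
    for f in $REG_FILES; do
        if [ -f "$1/$f" ]; then cp -p "$1/$f" "$2/reg/$f" || return 1; fi
    done
    hash_system32 "$1" > "$2/system32.sha256"
}

# verify_prefix PREFIX STORE: 0 if no exe was changed, added or removed.
# Differences are written to stderr.
verify_prefix() {
    hash_system32 "$1" | diff "$2/system32.sha256" - >&2
}

# restore_registry PREFIX STORE: overwrite registry files with trusted copies.
restore_registry() {
    for f in $REG_FILES; do
        if [ -f "$2/reg/$f" ]; then cp -p "$2/reg/$f" "$1/$f" || return 1; fi
    done
}

# guarded_wine PREFIX STORE ARGS...: refuse to start if system32 changed,
# otherwise restore the registry and launch.
guarded_wine() {
    prefix=$1; store=$2; shift 2
    if ! verify_prefix "$prefix" "$store"; then
        echo "system32 differs from baseline; not starting wine" >&2
        return 1
    fi
    restore_registry "$prefix" "$store" || return 1
    WINEPREFIX="$prefix" wine "$@"
}
```

Wine processes run with the invoking user's Unix permissions, so the trusted store only helps if it lives somewhere that user cannot write. Restore the registry only while no wineserver is running for the prefix, since wineserver writes the registry files back out on exit.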







More information about the wine-users mailing list