Wine securityflaw.

Peter Andersson kanelballe at
Sat Oct 26 20:00:45 CDT 2002

Hello again,

(FYI, I took the liberty to change the topic since I started the 
former thread "How is Win/Dos syscalls implemented in Wine?" 
which I feel has gone a little bit off-topic)

I had some more thoughts on the issue...

I believe most wine users trust wine not to touch anything outside of 
its configured drive space. Malicious Linux/Unix syscalls could be embedded
in windows apps and if executed  do a great deal of damage. After all checking
your app is run whithin Wine is not that hard (reading registry settings for
instance). Lets call such an malicious app a wine-virus from  now on. 
At present a wine-virus would even be allowed to fork itself, leaving the wine
environment and continue to run even after you shutdown the wineserver,  and
in some cases even after the user logs out. The virus would now have full 
access to the system whithin the users permission, doing much greater
damage than you expected. 

The question is...Would you expect that damage from running a windows app
in wine, when you know it could be safely run in Windows?
In just a few embedded bytes in the code it could remove your home directory 
in a single syscall. Would you expect that? - I wouldnt.

I really love the idea of Wine, and the fact that its working  good and rather 
stable now does mean its gaining popularity and a broader user base,
which further IMHO accelerates the wine movement. 
If wine users were aware of the risks of using wine at present, I believe wine 
would be used more cautiously.

Cant we atleast try implement some protection in wine against these attacks,
before something really nasty happens. I do think company policy decissions
againt using wine, will do just as much damage to the wine movement as too
the free software movement at large. 
I would, despite my current lack of knowledge, gladly offer my help. But I 
hope someone more experienced would take the lead.

Best Regards,

Peter Andersson

More information about the wine-users mailing list