Linux/BSD still exposed to WMF exploit through WINE!
Summary: I just received an email from the creator of the original proof-of-concept WMF exploit code that WINE was still vulnerable to the WMF exploit.
While news of Microsoft's official patch for the WMF exploit reaches the web, I just received an email from H D Moore (founder of the metasploit project and creator of the original proof-of-concept WMF exploit code) that WINE was still vulnerable to the WMF exploit. He was kind enough to even include a sample of the updated proof-of-concept and had this to say:
H D Moore:
All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data. The most feasible way this could happen is via a malicious WMF file embedded into a Word document, opened in Microsoft Office and running under Cross-Over Office. Marcus Meissner (meissner@suse.de) contacted the Wine development team and sent them a patch to fix this flaw.
More from H D Moore:
Successful exploitation could result in either Windows or "native" shellcode executing on the system. The nice thing about the Wine environment is that most Metasploit Framework payloads will execute just fine under it. This isn't the first time that a Windows flaw was directly applicable to the Wine environment, but this may be the first time that the flaw was in the operating system itself.
Windows 2000, XP and 2003 users should immediately install the official patch from Microsoft. While it isn't absolutely necessary, it is recommended that you uninstall the unofficial patch first. Note that the unofficial patch required a system restart during installation and un-installation. [Updated 1/6/2006 9:28 AM: Windows XP does require a reboot with the official Microsoft patch. It just didn't require me to reboot because I already had the leaked patch from Microsoft installed] The official patch from Microsoft conveniently does not require a reboot as far as I can tell on Windows XP SP2. Windows 2000 seems to require a reboot after the installation.
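A detection-side example, added here and not code from this post, from H D Moore or from the Metasploit project: a small parser that walks the records of a WMF file and flags the GDI Escape record with the SETABORTPROC sub-function that the WMF exploit relies on, which a legitimate metafile has no reason to contain. The record layout and constants are taken from the WMF format; the two sample blobs are constructed inline and contain no payload.

```python
import struct

# WMF format constants (MS-WMF); these are format values, not page content.
PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable-header key
META_ESCAPE = 0x0626           # record function: GDI Escape
SETABORTPROC = 0x0009          # Escape sub-function abused by the exploit
META_EOF = 0x0000

def parse_wmf_records(data):
    """Yield (function, params) for each record of a WMF byte string.

    Parsing is deliberately permissive: a malformed record size hands the
    rest of the file to the caller as that record's parameters and then
    stops, so a damaged file is still inspected instead of being skipped.
    """
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]   # normally 9
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        # RecordSize is in 16-bit words and includes its own 3 words.
        end = off + size_words * 2 if size_words >= 3 else len(data)
        yield func, data[off + 6:end]
        if func == META_EOF or size_words < 3:
            break
        off = end

def find_setabortproc(data):
    """Return the indexes of Escape records whose sub-function is SETABORTPROC."""
    hits = []
    for idx, (func, params) in enumerate(parse_wmf_records(data)):
        # GDI dispatched metafile records on the low byte of the function
        # code, so variants with a different high byte reach the same path.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(idx)
    return hits

# Constructed samples (not real files): 18-byte header, then records.
_HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
_EOF = struct.pack("<IH", 3, META_EOF)
PLACEABLE_HDR = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
BENIGN_WMF = _HDR + struct.pack("<IHH", 4, 0x0103, 1) + _EOF   # META_SETMAPMODE
SUSPECT_WMF = (_HDR
               + struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"XXXX"
               + _EOF)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, find_setabortproc(blob))
```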
Talkback
Accuracy
It's not up to the WINE team to revise the definition of "Microsoft compatible," only to achieve it.
So this isn't a WINE problem?
Define "problem."
It's a WINE problem in the sense that WINE faithfully implements a flawed specification. Nasty choice, that: either implement bug-for-bug compatibility or compromise the targeted applications.
For those who use WINE (I haven't for some time) the risk is minimized by the rather narrow scope of its use, combined with the "jail" that WINE runs in. Far from a perfect solution, but if you know of a better one by all means suggest it.
Problem? No not really
Everybody knows that Windows has more bugs than the rainforest. So what Linux admin in his right mind would set up WINE without sandboxing it somehow? None, I would hope.
This can be done in several ways: you can chroot it, or you can use the mandatory access control features in Linux to make sure wine can't run non-authorized software or access sensitive files. Other things that can be done are to run wine as another user (that owns no files that can be compromised) and give access to whatever files it needs through POSIX ACLs. If you are really paranoid you can combine the methods, and you have three independent ways of protection that all must be broken.
Second, who runs WINE nowadays? On the server side there is plenty of software, free as well as closed source, to choose from. And on the client side, you need to get infected somehow. From what I understand this is spread by visiting malicious websites with IE. But what Linux user would use IE with WINE when he can use much better and more standards-compliant browsers natively on Linux?
Better than surf with ie under WINE
Because most *nix users of course use Microsoft Office through WINE, as everyone knows. May the troll be with you. :)
Not very common
As far as I know Cross-Over Office is a Linux solution, so the sandboxing methods described in my previous post would work for Cross-Over as well as for regular WINE.
You need to read before commenting
I love how this has been so big a problem when only on Windows and how Microsoft has been blasted. And the usual 'it isn't a problem in (Mac or Linux)', but when there are issues in them it isn't major or it's Microsoft's fault. Had the WINE developers tested instead of just implementing Microsoft's code then they could have noted that support for feature XXX and YYY is not supported due to security considerations.
Oh Noooooooooooooooooo!
But, still, thanks George for the 'heads up' on WINE.
The Microsoft Patch Requires Reboots
Reboots for Win2K AND XP Pro for me
-Eric
Windows 2003 server needs to reboot also
Ok, I'll correct
Could you correct it?
Fortunately I don't use wine
Actually I'd be interested in knowing what percentage of Linux/Unix desktop users and what percentage of Linux/Unix servers use wine or have it installed. Certainly there's little if any reason for servers to install it, and that's most of your installations right there.
I don't
Just drink it occasionally.
ah hem.
I don't do Linux wine
No Wine Here
Really with Gnome Office, KOffice, OpenOffice all having MS Office compatibility filters the only reason why I can see to use Wine is for games and for making SWF mostly for creating software demos/slideshows/documentation...
After they ported Wink http://www.debugmode.com/wink/ and added the SWF export from OO Presentations I have had almost no use for Wine at all unless you have some heavily specialized apps (None of them Joe Average/Joe Above Average Workstation User would be using anyways).
On a server I can think of no reason at all to install it.
I don't use wine
Don't
SuSE
No wine
This topic by George Ou is without merit. There is a number of software packages like VMware that run Linux and Unixes in Windows. Will he count all the so-called problems with Linux (thanks to CERT) as Windows vulnerabilities?
George, can you demonstrate with a real-life situation how the WMF problem affects Linux? I think it is a furphy.