On Monday 23 February 2009 3:58:10 pm Zachary Goldberg wrote:
I disagree on this point. Is malware via Wine on Linux really a problem commonly affecting users? What happened to replicated Window's behavior bug for bug? User X might ask: double clicking an exe works in Windows why shouldn't it in Linux? Why should user X have to go through an extra step to do something on Linux than they would on Windows?
Linux isn't Windows. If anything, I think it would be a good idea to pay more attention to those non-Windows features, such as making Wine refuse to load EXEs and DLLs that aren't +x. A simple security measure, and it cleanly follows the behavior of the host system. IMO, "Windows doesn't do it that way" is not a valid excuse to not do it.
There was a blog post recently that made its way through slashdot exposing a deceptively simple attack vector for trajans on Linux. It revolved around the DE's capability of executing a program/shell script specified in a .desktop file, where neither the .desktop file nor the program being run needed +x. You could simply click on a .desktop file from an email, disguised as a "safe" iamge or text file, and the DE's associations would take care of the rest. The file didn't have to be saved somewhere and manually marked +x.. it opened and ran a program directly from the email.
Is that a good thing to be bringing to Linux/Unix? The capability for users to click on an exe in an email and have it run with no questions, beyond an "Are You Sure?" dialog that they're conditioned to click through? IMO, this is something Wine should try to avoid, even though it's perfectly acceptable in Windows.