<tehblunderbuss at gmail.com> wrote:
The recent discussion about Windows viruses working through Wine leads
me to questions about its security. I've heard that using a separate user is alright, and then it isn't alright.
You're probably referring to http://www.winehq.org/pipermail/wine-devel/2008-March/063452.html
I was talking about how to make sure your machine is safe when you *on purpose* load malware.
However, it is true that we should tell users that Wine is able to run many Windows malware, and that they should be just as careful running Windows software with Wine as they would running it with Windows. We should also show how to install the standard Linux virus checkers.
- Dan
That thread got very nasty very quickly starting with dmitry's comments and getting almost flameful from contributors after that. Though after continuing testing out malware and known spyware infecting applications, since I had the environment already set up, my opinion of this issue has gone from neutral to very strongly in favor of documenting cases where malware/(and dangerous) spyware cross over. A solution I think would be to tag the applications that fall into this group with a strong warning in appdb.
A good example I found was the first version of iMesh that included spyware (released in 02) that runs and almost seamlessly installs and runs spyware bundled with it. While not up to date I feel the better bug for bug support that wine obtains with windows the more smaller (and in some cases bigger) software solutions it will run, introducing more bundled vectors - imagine when that purple ape runs under wine!
While I take the comment that it is misguided to catalog issues with viruses that work may be valid, I cannot see how ignoring software uneducated windows users consider to be legitimate but still contain spyware/malware can be any less misguided. People will try and run these applications and then blame the wine project when they cause issues with their systems in the same way they do when they load them under windows.
Since there is no source available, the windows environment binaries (normally) are far more prone to having malicious software included in legitimate software and there is no escaping that.
Edward
dmitry wrote:
if we are so compatible that we can run virii and spyware, then we need to document it ... otherwise there will be many people disappointed by unrealistic expectations.
Again, I don't see how Wine developers could help with that, we are developers, not a health care department.
We can help in several ways:
1) at the top of our documentation, we can say
"Warning: Wine can run Windows viruses and malware. Always practice safe computing - never run anything from somebody you don't trust, and never run any Windows app you haven't scanned for viruses."
2) we can at least document how to use clamav with wine, or link to clamav and its doc, e.g. http://www.clamav.net/ https://help.ubuntu.com/community/ClamAV
3) we can warn on startup if we detect that clamav is not present.
4) we can try to make it easy to use free virus scanners with wine. Some ideas: http://www.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/ http://www.christoph-probst.com/soc2006/wine/
It's not enough to provide Wine and throw up our hands saying "It's up to users to protect their systems" because our users are at worst quite literally clueless, and at best too busy to want to bother with virus issues. If we can guide them or ease their way, we should.
- Dan
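Added example, not part of the original thread and not Wine's own code: a small wrapper in the spirit of ideas 2 and 3 in the list above, scanning a Windows program with ClamAV's `clamscan` before starting it under Wine and refusing to launch when the scanner is missing or the scan fails. The function name `safe_wine`, the `SCANNER` and `LAUNCHER` variables and the return codes 64 to 66 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: scan a Windows program with ClamAV before handing it to Wine.
# SCANNER and LAUNCHER can be overridden (an assumption of this sketch).
SCANNER="${SCANNER:-clamscan}"
LAUNCHER="${LAUNCHER:-wine}"

# Return codes chosen for this example:
#   64 = bad usage or file missing
#   65 = scanner reported malware, nothing launched
#   66 = scanner missing or scan failed, nothing launched (fail closed)
#   otherwise the launcher's own exit status
safe_wine() {
    target="$1"
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "safe_wine: no such file: $target" >&2
        return 64
    fi
    # Idea 3 from the list: complain loudly when no scanner is installed.
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo "safe_wine: $SCANNER not found; install ClamAV first" >&2
        return 66
    fi
    # clamscan exits 0 = no virus found, 1 = virus found, 2 = error.
    status=0
    "$SCANNER" --no-summary "$target" >&2 || status=$?
    case "$status" in
        0) ;;
        1) echo "safe_wine: malware detected, not running $target" >&2
           return 65 ;;
        *) echo "safe_wine: scan failed (status $status), not running $target" >&2
           return 66 ;;
    esac
    shift
    "$LAUNCHER" "$target" "$@"
}

# Stand-alone use: ./safe_wine.sh setup.exe [args...]
if [ "$#" -gt 0 ]; then
    safe_wine "$@"
fi
```

This is an on-demand scan of one file, not the on-access scanning described in the linked pages, and it only catches what the signature database knows, so the database should be kept current with `freshclam`.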
"Dan Kegel" dank@kegel.com wrote:
It's not enough to provide Wine and throw up our hands saying "It's up to users to protect their systems" because our users are at worst quite literally clueless, and at best too busy to want to bother with virus issues. If we can guide them or ease their way, we should.
How do other projects that provide cross platform compatibility or even virtual environments to run executables from DOS/Windows/etc. cope with that? Do they provide any information of possible security risks, or do they assume that the users of a being run software treat the execution environment same way as an emulated one, and therefore it's fair to assume the same level of awareness/responsibility as an emulated one has? What's so special about Wine that doesn't apply to say VMWare, Parallels, Win4Lin, DOSBox, and others? Probably yes, we could extend the FAQ section about security, but that's almost everything we can do.
dmitry@codeweavers.com wrote:
What's so special about Wine that doesn't apply to say VMWare, Parallels, Win4Lin, DOSBox, and others?
With vmware, parallels, and win4lin, you can actually run commercial virus scanners inside those environments, and everybody knows that one should do that if one cares about viruses.
With DOSBox, well, the target market for that tool is so small compared to Wine it doesn't matter, they're mostly technical users, and there isn't much ms-dos malware being written these days.
So Wine really is different; you can't run commercial virus scanners in it, it's for users who aren't technical enough to be able to find an antivirus solution on their own, and (worst of all) everybody assumes Linux is impervious to viruses.
Probably yes, we could extend the FAQ section about security, but that's almost everything we can do.
I pointed out several other things we could do. Another one is we could make the wine package list clamav as a dependency.
Denying there's a problem, or that we can do anything about it, might lead to a large number of unhappy users.
- Dan
"Dan Kegel" dank@kegel.com wrote:
What's so special about Wine that doesn't apply to say VMWare, Parallels, Win4Lin, DOSBox, and others?
With vmware, parallels, and win4lin, you can actually run commercial virus scanners inside those environments,
Is it really necessary to require running a virus scanner from inside of Wine?
and everybody knows that one should do that if one cares about viruses.
Same sentence applies to Wine I'd assume.
With DOSBox, well, the target market for that tool is so small compared to Wine it doesn't matter, they're mostly technical users, and there isn't much ms-dos malware being written these days.
There are thousands of existing DOS viruses, it doesn't matter that nobody writes new ones anymore, there are plenty of them already.
So Wine really is different; you can't run commercial virus scanners in it,
It's still possible to run a native virus scanner outside of Wine. Wine is just a part of underlying system, not a separate environment.
it's for users who aren't technical enough to be able to find an antivirus solution on their own,
That's not different from other environments providing DOS/Windows compatibility.
and (worst of all) everybody assumes Linux is impervious to viruses.
I already answered this one.
Probably yes, we could extend the FAQ section about security, but that's almost everything we can do.
I pointed out several other things we could do. Another one is we could make the wine package list clamav as a dependency.
Denying there's a problem, or that we can do anything about it, might lead to a large number of unhappy users.
Nobody denies that there is a problem, the thing is that personally I don't see why that problem is Wine specific.
dmitry@codeweavers.com wrote:
Is it really necessary to require running a virus scanner from inside of Wine?
No. Hey, cool, we agree on something!
and everybody knows that one should do that if one cares about viruses.
Same sentence applies to Wine I'd assume.
No, because everybody assumes Linux is impervious to viruses. (You say you dealt with this comment, but I must have missed it.)
So Wine really is different; you can't run commercial virus scanners in it,
It's still possible to run a native virus scanner outside of Wine.
Yes. And we need to encourage this, and perhaps hook into it.
Nobody denies that there is a problem, the thing is that personally I don't see why that problem is Wine specific.
Wine increases Linux's attack surface area hugely *and* attracts new users to Linux who are used to computers coming with bundled virus scanners.
- Dan
Dmitry Timoshkov wrote:
"Dan Kegel" dank@kegel.com wrote:
What's so special about Wine that doesn't apply to say VMWare, Parallels, Win4Lin, DOSBox, and others?
With vmware, parallels, and win4lin, you can actually run commercial virus scanners inside those environments,
Is it really necessary to require running a virus scanner from inside of Wine?
No, but files should be scanned on Linux/UNIX/MacOSX using a virus scanner like ClamAV. There even is a front end for the Mac.
and everybody knows that one should do that if one cares about viruses.
Same sentence applies to Wine I'd assume.
Viruses depend on the environment. The more APIs that are built, the more likely a virus will be able to run in Wine.
It's still possible to run a native virus scanner outside of Wine. Wine is just a part of underlying system, not a separate environment.
See my comment above. Linux users have to become aware that Wine will make their systems vulnerable to Windows Viruses as well as running Windows Code.
and (worst of all) everybody assumes Linux is impervious to viruses.
I already answered this one.
Macs are not impervious to viruses, it just is not popular enough and the 'hoops' you have to go through to run a virus are major. However, adding Wine does make Macs vulnerable to Windows viruses (at least some of them).
Probably yes, we could extend the FAQ section about security, but that's almost everything we can do.
I pointed out several other things we could do. Another one is we could make the wine package list clamav as a dependency.
Denying there's a problem, or that we can do anything about it, might lead to a large number of unhappy users.
Nobody denies that there is a problem, the thing is that personally I don't see why that problem is Wine specific.
The problem is that adding Wine to Linux/UNIX/MacOSX opens the system to Windows vulnerabilities unless they are blocked. If we attempt to do this, the project may suffer. So the other alternative is to make Wine users aware that adding this product to their systems may increase the likelihood they may become infected if they do not practice good computer security habits, like using virus scanners to prevent introduction of viruses to their systems. Even I as a Mac user practice good computer security, and that is because I got burned with a DOS virus on OS/2.
+1 to adding Virus warnings on the Wine FAQ.
James McKenzie
On Sun, Mar 16, 2008 at 7:01 AM, Dan Kegel dank@kegel.com wrote:
- we can at least document how to use clamav with wine, or link to clamav and its doc, e.g. http://www.clamav.net/ https://help.ubuntu.com/community/ClamAV
- we can warn on startup if we detect that clamav is not present.
- we can try to make it easy to use free virus scanners with wine. Some ideas: http://www.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/ http://www.christoph-probst.com/soc2006/wine/
What about working with Linux distros to set up proper SELinux / AppArmor profiles for Wine?
Lei Zhang wrote:
On Sun, Mar 16, 2008 at 7:01 AM, Dan Kegel dank@kegel.com wrote:
- we can at least document how to use clamav with wine, or link to clamav and its doc, e.g. http://www.clamav.net/ https://help.ubuntu.com/community/ClamAV
- we can warn on startup if we detect that clamav is not present.
- we can try to make it easy to use free virus scanners with wine. Some ideas: http://www.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/ http://www.christoph-probst.com/soc2006/wine/
What about working with Linux distros to set up proper SELinux / AppArmor profiles for Wine?
Lei:
That would be fine, but what about the other UNIXes and MacOSX? I don't want to attempt a test to see if a Windows virus will affect my Mac. Again, we have to make our user base aware that Windows viruses will run under Wine and that the results can be disastrous. They should practice good computer security, to include scanning any and all files before using them with Wine.
James McKenzie