Wind/U

[cso <cso () praxis jsc nasa gov>]

I've been waiting for some discussion on vulnerabilities introduced to
Unix by applications that use various Windows API porting techniques.  
I can't find any, so I guess I'll have to start it myself.

In particular, I'll site Wind/U from Bristol Technology.  We've found
it, or found discussion about it, in some versions of the following
products:

Checkpoint Firewall
MATLAB
Sybase PowerBuilder
Cold Fusion
Multigen
and others

It appears that it's got lots of potential for Windows-like
vulnerabilities.  Here is a quote from
http://www.bristol.com/windu/whitepaper.htm :

"To ensure compatibility with Windows NT, Bristol Technology licenses
Windows source code from Microsoft. The implementation of ActiveX, OLE
and COM within Wind/U was accomplished with 100% Microsoft Windows
source code, and maintains all the functionality found in Windows.
Wind/U also uses Microsoft source code for common controls, common
dialogs, shell, registry editor, resource compiler, WinInet, ATL,
VBScript, WinSock and other GUI and kernel areas of the product."


ActiveX, VBScript, and other components of the Windows APIs have
certainly had their share of vulnerabilities.  One question that comes
to mind is:  how many of these vulnerabilities are being viably
brought to the Unix platform when windu runs there?  In some cases,
the windu daemons may end up running as root, and they appear to
linger after the application that starts them has stopped.

In addition, it appears that the windu components that come with the
application may not be updated until long after Microsoft discovers
and patches its own problems with Windows.  

Has anyone investigated the viability of Windows vulnerabilities in
windu components?  Or perhaps looked at other vulnerabilities
introduced by porting them to the various Unix platforms (buffer
overflows, etc)?

(Note that this may not be limited to Wind/U, there are other similar
products, like MainWin from Mainsoft).

Happy traqing.