Vulnerability Development mailing list archives
Wind/U
From: cso <cso () praxis jsc nasa gov>
Date: Wed, 6 Mar 2002 08:19:23 -0600 (CST)
I've been waiting for some discussion on vulnerabilities introduced to Unix by applications that use various Windows API porting techniques. I can't find any, so I guess I'll have to start it myself.

In particular, I'll cite Wind/U from Bristol Technology. We've found it, or found discussion about it, in some versions of the following products:

    Checkpoint Firewall
    MATLAB
    Sybase PowerBuilder
    Cold Fusion
    Multigen
    and others

It appears that it's got lots of potential for Windows-like vulnerabilities. Here is a quote from http://www.bristol.com/windu/whitepaper.htm :

"To ensure compatibility with Windows NT, Bristol Technology licenses Windows source code from Microsoft. The implementation of ActiveX, OLE and COM within Wind/U was accomplished with 100% Microsoft Windows source code, and maintains all the functionality found in Windows. Wind/U also uses Microsoft source code for common controls, common dialogs, shell, registry editor, resource compiler, WinInet, ATL, VBScript, WinSock and other GUI and kernel areas of the product."

ActiveX, VBScript, and other components of the Windows APIs have certainly had their share of vulnerabilities. One question that comes to mind is: how many of these vulnerabilities are being viably brought to the Unix platform when windu runs there?

In some cases, the windu daemons may end up running as root, and they appear to linger after the application that starts them has stopped. In addition, it appears that the windu components that come with the application may not be updated until long after Microsoft discovers and patches its own problems with Windows.

Has anyone investigated the viability of Windows vulnerabilities in windu components? Or perhaps looked at other vulnerabilities introduced by porting them to the various Unix platforms (buffer overflows, etc.)?

(Note that this may not be limited to Wind/U; there are other similar products, like MainWin from Mainsoft.)

Happy traqing.