Does WINE create a security risk?

Errr, i'm sorry i haven't a clue. I think Wine is pretty safe but maybe not as safe as normal Linux. I thought Wine avoided needing dlls for a lot of things? I'm guessing there's a lot of discussion about all this at
http://www.winehq.org/

Goo dluck and happy hunting
Regards from
Tom :)

Yes, see
http://wiki.winehq.org/FAQ#head-1c91cac836dd52754c846d2ef62be4f346eebe87

People who use Windows web browsers on Linux need antivirus protection.

The risk is a lot lower if you only run one or two Windows apps and never let
them touch anything that comes from the network.

"Even though I don't know the programs or filenames, could I not use the logical directory structure, file count, rough file sizes and compare that against popular programs to guess what is there - thus those programs would give me an attack vector"

If you can access a user's Wine directory, then you can directly see what programs are there. Why would you try to deduce it from DLLs?

OK so obviously I mis-worded this. This has nothing to do with running Windows programs, but whether having predictable binaries (ie - files that don't change) in the encrypted user home folder would provide enough information for an attacker to determine the original encryption key?

My understand is that home directory encryption in Ubuntu 9.04 will be a combination of file level encryption and encryption of the filenames. So instead of one encrypted blob, all files will be in their original folders - it's just the file is encrypted and the folder name is encrypted... effectively making it unaccessible.

So my question was more in the event the user uses Wine - then they will have many DLL/EXEs in their home folder. Those DLL/EXEs will be encrypted. So if I could reasonably guess what DLL/EXEs are in the home folder (which would be easier in a corporate environment due to standard applications and versions), could I not then compare (mathematically) the encrypted DLL to an unencrypted version that I obtained elsewhere to determine the users encryption key? Then use this encryption key to access their private/sensitive data?

I don't know if this is reasonable, but it would seem more efficient than brute force?

I guess from a WINE perspective, if this was at all true, then it would suggest that the WINE prefix should be stored outside the user folder, with only the user modifiable data locally.

But this was more a question for the proposed encryption scheme.

OK So I dug around for a bit. The general commentary I could find was that modern encryption algorithms should protect against "known plaintext attacks".

Malware and Spyware can now infect WINE. If you limit the areas WINE can map you are generally safe. For example only let it map limited parts of your home directory,

As with every windows box, be careful with what you run and you should be OK.

If you do want to find out alot more, and have a discussion with people that can really give you answers head to http://ubuntuforums.org/forumdisplay.php?f=338 and check out some of the wine threads, or make a new one and people will help you out.

Yes I was aware of the risk of Malware/etc. running on WINE. I was more focused on if Windows software such as MS Office (which would represent known "plain text" in the form of DLLs and EXEs) in the home folder would give enough information to break the encryption on the home folder thus allowing someone to decrypt more sensitive information. I took some time to do more reading and believe the general statement is that there is no known plain-text attack against AES encryption (or most modern encryption schemes) although I'm not sure what bounds to place on that statement.

[I'll do more upfront research in the future... I assumed that the people working on the encrypted home dir might have a quick answer but it didn't work out that way this time.]

[this has nothing to do with running that windows software either... it is just "data" that is known and happens to be present in the home folder because that is where WINE put it]

See also http://wiki.winehq.org/SecuringWine