Hacker News new | past | comments | ask | show | jobs | submit login

First off, I'd like to thank all the developers who have put their time and effort into building this amazing piece of software.

I have been curious: if ReactOS aims to be binary compatible with windows, does this mean it succeptible to windows malware infections? I understand that despite having a similar API, the ReactOS implementation different from microsoft's implementation, so a vulnerability on Windows won't necessarily be present in ReactOS, but let's say a user infects themselves through a malicious word doc macro that downloads a windows malware exe or dll, can that still cause harm to a reactOS system? Or is some sort of sandbox in place to prevent such attacks?




It's a vague question. Bugs in implementation creating security exploits are usually not going to be replicated on both systems. Applications, including malware, using only the documented API functions should behave identically.

In short: WannaCry should work "properly" on ReactOS in that it will use the crypto APIs to encrypt all of the user's files. It shouldn't propagate itself through the same remote network vulnerability that affected Windows.


100% correct answer!


If you open a virus embedded in an email attachment on ReactOS then, yes, it'll probably work. Viruses are Windows applications like any other.


>yes, it'll probably work. Viruses are Windows applications like any other.

The difference here is documented/support APIs vs other code paths.

This is true so long as the 'application' is using the normal APIs, as soon as an application depends on out-of-contract 'implementation details', which the bugs that are utilized by worms definitely are..., all bets are off.

In short ReactOS is more and more likely to implement the API needed by an app, but that doesn't mean it implements the out-of-API defects that malware depends on. Like anyway software, it probably as its own defects.


> the bugs that are utilized by worms

Which is why I said an email attachment. The average virus relying on user interaction doesn't need bugs.


It doesn't need a code execution bug, but it usually needs some sort of privilege escalation bug.


Simple viruses will just email themselves to all your contacts and steal your banking password, no special privileges are required for that.


But that bug doesn't have to be in Windows. If you can get privilege escalation in a Windows app that the user trusts (hello, Office), then you're in. ReactOS is based on Windows circa XP and doesn't implement UAC, so that vulnerability is wide open.


Not any more than FreeBSD suffers from Linux vulnerabilities


Is that really a fair comparison? A vanilla FreeBSD installation isn't going to be able to just run Linux binaries


Actually, FreeBSD does have that ability. https://www.freebsd.org/doc/handbook/linuxemu.html


Seems like a better example is Linux with wine




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: