Linux vs. Windows viruses: a rebuttal

Pete Sergeant responds to an article by a SecurityFocus columnist, which hints that Linux users really don't need to worry about viruses.

Regarding Linux vs. Windows Viruses:

The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware.

That SecurityFocus would choose to publish a column designed to perpetuate this myth is a little disappointing, but there you go. What follows is a brief rebuttal of the article.

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Simply untrue. According to F-Secure, the botnet created by Linux/Slapper (the Apache/OpenSSL worm of September 2002) reached around 14,000 machines. Compared to the number of infections caused by some Windows worms this may seem quite small, but it is by no means trivial: 14,000 machines aimed in a DDoS attack at the root name-servers would easily render the net unusable for a majority of Internet users. The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck.

"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"

The fact that the author draws attention to this is mildly surprising when he later points out that Mozilla Mail uses Gecko to render HTML email; like all software, Gecko (Mozilla's HTML renderer) has had its fair share of vulnerabilities which could conceivably be exploited to similar effect. Then there were the buffer overflows in mutt, pine and KMail... Furthermore, the vulnerabilities in Outlook and IE all had patches or work-arounds available before exploits for them were incorporated into viruses. The problem here lies with the wetware.

Of course, this doesn't even begin to touch on the whole host of other prevalent open-source projects that have had vulnerabilities, exploitable when a user performs an 'innocuous' action, like the widely installed mpg123, which could be exploited to execute arbitrary code when a user '[did] something as innocuous as' play an mp3.

"Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."

It wouldn't be sticking one's neck out too far to suggest that Outlook allows attachments to be executed straight from the mail client because users demanded it. As the author himself notes, software makers aim to give users a hard-work-free environment; the suggestion that developers won't follow suit on Linux is neatly disproved by Lindows, which he mentions in the original column.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system."

This is by far my favourite piece of blindly-repeated propaganda. What's important to users is data. Reinstalling system binaries is as simple as inserting the CD the system was installed from; recovering data that hasn't been backed up (and even fewer people make hourly backups than the tiny number who actually make nightly backups) is near impossible. The damage to your company's reputation when your Apache process starts returning '0wN3D by 1337-H4x0R virII', or when viral messages start originating from inside your network, can be devastating - why do you think the WildList carries a number of anonymous corporate reporters?
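To make the point concrete, here is an added example (mine, not part of Pete Sergeant's letter or of the column it answers). It builds a throwaway home directory, records a hash manifest of everything in it, makes the kind of changes an ordinary unprivileged process can make (overwriting and deleting documents, appending to .bashrc, dropping a file into ~/.local/bin, adding an SSH key), and shows that a user-level integrity check catches all of them. Every path, file name and file content is constructed for the demonstration; no root-owned path is touched and nothing in it needs root.

```python
import hashlib
import os
import tempfile

# Constructed sample home directory: some user data plus the dotfiles that
# control the user's own sessions. None of this is real user data.
SAMPLE_HOME = {
    ".bashrc": "alias ll='ls -l'\n",
    ".ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA pete@laptop\n",
    "docs/thesis.tex": "\\documentclass{article}\n\\begin{document}Hi\\end{document}\n",
    "docs/notes.txt": "call the bank on Monday\n",
}


def populate(home, files):
    """Write the constructed tree under home, creating subdirectories."""
    for rel, content in files.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def build_manifest(root):
    """Map every regular file under root (dotfiles included) to its SHA-256.
    Runs entirely with the owning user's privileges: no root is needed to
    protect user data, just as none is needed to destroy it."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def diff_manifests(before, after):
    """Report which relative paths were added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def simulate_user_level_tampering(home):
    """Changes that need nothing more than the owner's own uid. System
    binaries are untouched (and trivially reinstallable); this is not."""
    # Destroy the only copy of a document that was never backed up.
    with open(os.path.join(home, "docs", "thesis.tex"), "wb") as fh:
        fh.write(os.urandom(4096))
    os.remove(os.path.join(home, "docs", "notes.txt"))
    # Persist across logins by hijacking PATH from the user's own shell rc.
    with open(os.path.join(home, ".bashrc"), "a") as fh:
        fh.write('export PATH="$HOME/.local/bin:$PATH"\n')
    os.makedirs(os.path.join(home, ".local", "bin"), exist_ok=True)
    with open(os.path.join(home, ".local", "bin", "ls"), "w") as fh:
        fh.write('#!/bin/sh\n# placeholder wrapper for the demonstration\nexec /bin/ls "$@"\n')
    # Grant remote access through the user's own authorized_keys file.
    with open(os.path.join(home, ".ssh", "authorized_keys"), "a") as fh:
        fh.write("ssh-ed25519 PLACEHOLDERKEY intruder (constructed)\n")


def demo():
    """Snapshot, tamper as an unprivileged user, snapshot again, and diff."""
    with tempfile.TemporaryDirectory() as home:
        populate(home, SAMPLE_HOME)
        before = build_manifest(home)
        simulate_user_level_tampering(home)
        after = build_manifest(home)
        return diff_manifests(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is the cheap part; the practitioner's lesson is where it is kept. A copy stored inside the same home directory can be rewritten by the same unprivileged process, so it belongs on read-only or off-host storage, alongside the backups the letter is asking for.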

"Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior."

I can't be the only person who, the first time I installed Linux and had little thought for security, decided I would log in as root and stay that way. I can't be the only person who knows dozens of people who have 'sudo' set up to not prompt for a password. And I certainly can't be the only person who reads that, and whose mind turns to sendmail, an exceptionally buggy, insecure and widely-installed UNIX daemon that runs as root.
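As an added example (not from the letter or from the column it answers), here is a first-pass audit for two of the failings just described: sudo rules that skip the password, and daemons still running as root. It parses a constructed sudoers file and constructed `ps -eo user,pid,comm` output that are embedded below; on a real host you would read /etc/sudoers (as root) and the live ps output instead. Sudoers aliases and #include files are deliberately not resolved, so a clean result is a starting point, not a proof of safety.

```python
import re

# Constructed sample sudoers file, not taken from any real system.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults:deploy !authenticate
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart, \\
        /usr/sbin/service apache2 status
carol   ALL=(ALL) PASSWD: /usr/bin/apt-get
"""

# Constructed sample of `ps -eo user,pid,comm`, not taken from a real host.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       512 sshd
root       640 sendmail
root       701 httpd
www-data   702 httpd
www-data   703 httpd
pete      1201 bash
"""

TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|FOLLOW|NOFOLLOW):\s*")
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*")
DEFAULTS_RE = re.compile(r"^Defaults(?:([:@>!])(\S+))?\s+(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.+)$")


def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        raw = raw.rstrip()
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def parse_command_list(spec):
    """Yield (runas, nopasswd, command) for '(runas) TAG: cmd, cmd, ...'.
    In sudoers a runas and a tag stay in force for the rest of the list."""
    runas, nopasswd = "root", False      # sudo's defaults
    for cmd in spec.split(","):
        cmd = cmd.strip()
        m = RUNAS_RE.match(cmd)
        if m:
            runas, cmd = m.group(1).strip() or "root", cmd[m.end():]
        while (m := TAG_RE.match(cmd)):
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            cmd = cmd[m.end():]
        yield runas, nopasswd, cmd.strip()


def severity(nopasswd, cmd):
    """Rank a grant: anything passwordless or unrestricted deserves a look."""
    if cmd == "ALL":
        return "critical" if nopasswd else "high"
    return "medium" if nopasswd else None


def audit_sudoers(text):
    """First-pass findings for passwordless or unrestricted sudo grants.
    Aliases and #include/#includedir are deliberately not resolved."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            m = DEFAULTS_RE.match(line)
            opts = [o.strip() for o in m.group(3).split(",")] if m else []
            if "!authenticate" in opts:
                findings.append({"kind": "defaults_noauth", "scope": m.group(2) or "everyone"})
            continue
        if re.match(r"^(User|Runas|Host|Cmnd)_Alias\b", line):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, spec = m.groups()
        for runas, nopasswd, cmd in parse_command_list(spec):
            sev = severity(nopasswd, cmd)
            if sev:
                findings.append({"kind": "grant", "user": user, "host": host, "runas": runas,
                                 "nopasswd": nopasswd, "cmd": cmd, "severity": sev})
    return findings


def processes_running_as(ps_output, user="root"):
    """Return (pid, command) for every process owned by user in
    `ps -eo user,pid,comm` output; the header line is skipped."""
    procs = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == user:
            procs.append((int(parts[1]), parts[2]))
    return procs


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
    print("running as root:", [c for _, c in processes_running_as(SAMPLE_PS)])
```

On the sample, `alice` and the `Defaults:deploy !authenticate` line are the ones that make a root-equivalent account out of any process running as that user, which is exactly the situation the user/root separation is supposed to prevent; the root-owned sendmail and sshd in the process list are where a remote bug turns straight into root.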

Wetware is always the weakest link, and both Linux and Windows give wetware enough rope to hang itself. Suggesting that one marginally more 'secure by design' system will stop users from skipping patches and clicking on executables is absurd; propagating the misplaced sense of security many Linux users seem to have is positively criminal.

It's worth mentioning that it doesn't have to be like this. Linux does have an advantage in that it's open source. However, the security advantages offered by open-source software are only realized when a project does what OpenBSD does: use the openness to perform on-going, pre-emptive security audits of the code and strive for best-practice secure computing. As Microsoft demonstrates all too well, as complexity increases, so too does the difficulty of securing the system. By far the best course of action for preventing virus damage is the education of users, not mindless advocacy about how great your operating system is.

Pete Sergeant.

Posted on 06 October 2003 by Virus Bulletin

