Linux vs. Windows viruses: a rebuttal

Posted by Virus Bulletin on Oct 6, 2003

Pete Sergeant responds to an article by a SecurityFocus columnist, which hints that Linux users really don't need to worry about viruses.

Regarding Linux vs. Windows Viruses:

The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware.

That SecurityFocus would choose to publish a column designed to perpetuate this myth is a little disappointing, but there you go. What follows is a brief rebuttal of the article.

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Simply untrue. According to F-Secure, the bot-net created by Linux/Slammer reached around 14,000 machines. Compared to the number of infections caused by some Windows worms, this may seem quite small, but this number is by no means trivial. 14,000 machines focused in a DDoS attack against the root name-servers would easily render the net unusable for a majority of Internet users. The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck.

"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"

The fact that the author draws attention to this is mildly surprising when he later points out that Mozilla Mail uses Gecko to render HTML email - like all software, Gecko (Mozilla's HTML renderer) has also had its fair share of vulnerabilities which could conceivably be exploited for similar results. Then there were the buffer overflows in mutt, pine and KMail... Furthermore, the vulnerabilities in Outlook and IE all had patches or work-arounds available for them before exploits for them were included in viruses. The problem here lies with the wetware.

Of course, this doesn't even begin to touch on the whole host of other prevalent open-source projects that have had vulnerabilities, exploitable when a user performs an 'innocuous' action, like the widely installed mpg123, which could be exploited to execute arbitrary code when a user '[did] something as innocuous as' play an mp3.

"Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."

It wouldn't be sticking one's neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client due to user demand. As well noted, software makers aim to give users a hard-work-free environment - to suggest that software developers won't follow suit on Linux is wonderfully disproved by Lindows, as mentioned by the author of the original column.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system."

This is by far my favourite piece of blindly-repeated propaganda. What's important to users is data. Reinstalling system binaries is as simple as sticking in the CD the system was installed from. Recovering data that hasn't been backed up (and even fewer people make hourly backups than the tiny number of people who actually make nightly backups) is near impossible. The damage caused to your company's reputation when your Apache process starts returning '0wN3D by 1337-H4x0R virII' or viral messages originating from inside your network can be potentially devastating - why do you think the WildList carries a number of anonymous corporate reporters?

"Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior."

I can't be the only person who, the first time I installed Linux and had little thought for security, decided I would log in as root and stay that way. I can't be the only person who knows dozens of people who have 'sudo' set up to not prompt for a password. And I certainly can't be the only person who reads that, and whose mind turns to sendmail, an exceptionally buggy, insecure and widely-installed UNIX daemon that runs as root.

Wetware is always the weakest link, and both Linux and Windows give wetware enough rope to hang itself. Suggesting that one marginally more 'secure by design' system will stop users from not patching, and not clicking on executables is absurd - propagating the misplaced sense of security many Linux users seem to have is positively criminal.

It's worth mentioning that it doesn't have to be like this. Linux does have an advantage in that it's open-source. However, the security advantages rendered by open-source software are only realized when projects such as OpenBSD use this to their advantage, and perform ongoing, pre-emptive security audits of code, and strive for best-practice secure computing. As is all too well demonstrated by Microsoft, as complexity increases, so too does security inevitably become more complicated. By far the best course of action for preventing virus damage is the education of users, not mindless advocacy about how great your operating system is.

Pete Sergeant.
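The letter's point about people configuring 'sudo' to skip the password prompt is something an administrator can check for rather than take on trust. The script below is an added example, not part of Pete Sergeant's letter or of any Virus Bulletin material: it scans a file in sudoers syntax, ignores commented-out lines, and reports the active rules carrying the NOPASSWD tag. The sudoers content it runs against is constructed for the demonstration; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original letter): audit a sudoers-format file
# for rules that let a user run commands as root without a password prompt.
# The sample file below is constructed for this demonstration.

# Print every active (non-comment) rule that carries the NOPASSWD tag.
find_nopasswd() {
    # $1: path to a file in sudoers syntax
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Count such rules; prints 0 when the file has none.
count_nopasswd() {
    n=$(find_nopasswd "$1" | grep -c . || true)
    echo "$n"
}

# Write constructed sample content to a temporary file and print its path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample; this is not a real system's sudoers file
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
# bob   ALL=(ALL) NOPASSWD: ALL   (commented out, must be ignored)
carol   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
EOF
    echo "$f"
}

# Stand-alone use: audit the file given as the first argument.
if [ "$#" -ge 1 ]; then
    echo "Password-less sudo rules in $1:"
    find_nopasswd "$1"
    echo "Total: $(count_nopasswd "$1")"
fi
```

On a real system the file of interest is /etc/sudoers together with anything pulled in by its includes directory; the rule for alice (password-less root for any command) is the case the letter is describing, while carol's rule is narrower but still worth a second look, since the command it allows is restarting a service as root.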

