Linux vs. Windows viruses: a rebuttal

Posted by Virus Bulletin on Oct 6, 2003

Pete Sergeant responds to an article by a SecurityFocus columnist, which hints that Linux users really don't need to worry about viruses.

Regarding Linux vs. Windows Viruses:

The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware.

That SecurityFocus would choose to publish a column designed to perpetuate this myth is a little disappointing, but there you go. What follows is a brief rebuttal of the article.

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Simply untrue. According to F-Secure, the bot-net created by Linux/Slammer reached around 14,000 machines. Compared to the number of infections caused by some Windows worms, this may seem quite small, but this number is by no means trivial. 14,000 machines focused in a DDoS attack against the root name-servers would easily render the net unusable for a majority of Internet users. The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck.

"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"

The fact that the author draws attention to this is mildly surprising when he later points out that Mozilla Mail uses Gecko to render HTML email - like all software, Gecko (Mozilla's HTML renderer) has also had its fair share of vulnerabilities which could conceivably be exploited for similar results. Then there were the buffer overflows in mutt, pine and KMail... Furthermore, the vulnerabilities in Outlook and IE all had patches or workarounds available for them before exploits for them were included in viruses. The problem here lies with the wetware.

Of course, this doesn't even begin to touch on the whole host of other prevalent open-source projects that have had vulnerabilities, exploitable when a user performs an 'innocuous' action, like the widely installed mpg123, which could be exploited to execute arbitrary code when a user '[did] something as innocuous as' play an mp3.

"Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."

It wouldn't be sticking one's neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client in response to user demand. As the author himself notes, software makers aim to give users a hard-work-free environment - to suggest that software developers won't follow suit on Linux is wonderfully disproved by Lindows, as mentioned by the author of the original column.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system."

This is by far my favourite piece of blindly-repeated propaganda. What's important to users is data. Reinstalling system binaries is as simple as sticking in the CD the system was installed from. Recovering data that hasn't been backed up (and even fewer people make hourly backups than the tiny number of people who actually make nightly backups) is near impossible. The damage caused to your company's reputation when your Apache process starts returning '0wN3D by 1337-H4x0R virII' or viral messages originating from inside your network can be potentially devastating - why do you think the WildList carries a number of anonymous corporate reporters?

"Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior."

I can't be the only person who, the first time I installed Linux and had little thought for security, decided I would log in as root and stay that way. I can't be the only person who knows dozens of people who have 'sudo' set up to not prompt for a password. And I certainly can't be the only person who reads that, and whose mind turns to sendmail, an exceptionally buggy, insecure and widely-installed UNIX daemon that runs as root.
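As an added example (not part of the original column), a small POSIX shell audit that flags the password-free sudo rules mentioned above; the sudoers content is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Audit sudoers text for rules that let a user skip authentication.
# Constructed sample; in practice feed in /etc/sudoers and the files
# under /etc/sudoers.d (readable only as root).
SAMPLE_SUDOERS='# Constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /usr/bin/apt-get
Defaults:carol !authenticate
'

# find_nopasswd: print each rule (read from stdin) that grants commands
# without a password: the NOPASSWD tag, or the !authenticate default,
# which has the same effect for the users it names.
find_nopasswd() {
    sed 's/#.*//' | grep -v '^[[:space:]]*$' \
        | grep -E 'NOPASSWD|!authenticate'
}

# count_nopasswd: number of such rules; 0 means the policy always
# prompts. "|| true" keeps the status clean when nothing matches.
count_nopasswd() {
    find_nopasswd | grep -c . || true
}

# Run with --demo to list the offending sample lines.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_SUDOERS" | find_nopasswd
fi
```

Because aliases and included files can hide rules, confirm the effective policy for a given account with `sudo -l -U user` rather than trusting a text scan alone.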

Wetware is always the weakest link, and both Linux and Windows give wetware enough rope to hang itself. Suggesting that one marginally more 'secure by design' system will stop users from failing to patch, or from clicking on executables, is absurd - propagating the misplaced sense of security many Linux users seem to have is positively criminal.

It's worth mentioning that it doesn't have to be like this. Linux does have an advantage in that it's open-source. However, the security advantages rendered by open-source software are only realized when projects such as OpenBSD use this to their advantage, perform ongoing, pre-emptive security audits of code, and strive for best-practice secure computing. As is all too well demonstrated by Microsoft, as complexity increases, security inevitably becomes harder. By far the best course of action for preventing virus damage is the education of users, not mindless advocacy about how great your operating system is.

Pete Sergeant.
