Linux versus Windows viruses

Lloyd D Budd lloyd-fEEwcc3XMu8jODpR/OX0VQ at public.gmane.org
Thu Oct 9 19:08:28 UTC 2003


On Thu, 2003-10-09 at 14:45, Fraser Campbell wrote:
> Hi,
> 
> I'm pretty sure someone recently posted a link to an article on Linux vs. 
> Windows viruses and why Linux is more resistant to these viruses.  Here is an 
> interesting rebuttal:
> 
>     http://www.PivX.com/larholm/articles/Linux_vs._Windows_Viruses.doc
>
> I do believe that Linux is more secure, I do believe that Linux is 
> more securable but there are some valid points on both sides of the
> argument.
There may be some valid points, but they do not seem to be presented in
this article.  This article is actually fairly hideous, and there is no
way that the author is knowledgeable about Linux -- or maybe he is
choosing to conceal his knowledge.

For those that are interested here is a direct copy of that doc.  There
is no formatting in that doc other than the title being bold.


--------------------------------

                       Linux vs. Windows Viruses

The debate over which Operating System is the most secure is an age-old
debate, which is filled with a vigor and passion similar to those
debating their religious beliefs.  However, in the end it all boils down
to reliable management, adherence to policies and procedures and proper
use. 

In the article "Linux vs. Windows Viruses" by Scott Granneman, his bias
is very clear - Scott feels that "Linux is more secure, end of story!"
That unwritten (although easily discernable) statement is unsupportable
though, given the technical inaccuracies and incorrect statements the
article puts forth.  I would like to take the opportunity to correct
some of his facts . . . err assertions.

Linux as a desktop system faces the exact same issues of worms and
viruses, social engineering and poor design as any system, Microsoft
included.  In fact, I would say that the vast complexity of current
Linux distributions contribute more to the insecurity of an average
desktop user than does the well-defined API of Windows.  There may not
have been as many email viruses that attacked Linux, but let's look at
worms and targeted attacks instead.  To quote Peter S. Tippet in a
recent discussion about this (hope you don't mind Peter), "there have
been more detected worms and attacks on Linux last year than on Windows
- by a factor of more than 2 or 3!"  Now that's an indisputable fact
that should pour some water on Scott Granneman's fire.

Before you start reading ahead, I suggest that you first read the
article in question, which can be found at
http://www.securityfocus.com/columnists/188, and then come back.

First, let's look at the article and some technical misconceptions,
chronologically.

With regard to opening attachments, it is my firm belief that end users
would do so even on Linux systems, if Linux desktop systems ever gained
a noticeable user-base.  In a lot of mail software you just have to save
the file to disk first, in others you have the option to open it
directly - either way, once the virus writer's social engineering has
worked, the rest is details.

Social engineering is no harder on Linux than it is on Windows.  That
much is apparent to most when you consider a scenario of even moderate
Linux desktop reach.

One of the sticky misconceptions about Outlook is that it enables an
email writer to automatically have his executable attachment opened.
That much may be true if you haven't applied any patches for years.  The
possibility of using vulnerabilities in emails to automatically execute
attachments is somehow declared in the article to be restricted for
Windows solely, based on the presence of 5 patches over the last 5
years.  Did anyone bother to look at the number of patches that are
released for Linux browsers and email clients each year?  (More on this
later)

For years, most kinds of email attachments have been automatically
blocked from the user in any default installation of the most popular
Windows mail clients, yet the article claims that this protection can be
easily overridden.  To prove this, it links to a document that explains
how an administrator can disable this feature by changing registry
entries - the equivalent to stating that most Linux file-systems are
insecure because the administrator can change the user's execution
rights.

To very briefly cover executables, there is more involved in determining
the datatype of a file than merely looking at an extension.  Like many
*nix systems, Explorer also relies on the "magic filetype" feature,
scanning the first 256 bytes of the file and comparing it to a database
of fingerprints.

Another popular misconception is that Open-Source projects are
inherently more secure. Granneman repeats this mantra by stating:

"Fortunately, both Mozilla and the KDE Project have excellent records
when it comes to security."

I still remember when Mozilla went from version 1.0 to version 1.0.1, a
very minor version change but it nonetheless fixed 23 separate security
vulnerabilities in the browser and mail client
(http://msgs.securepoint.com/cgi-bin/get/bugtraq0209/162.html ) that
went largely unannounced - and that was just a minor revision.  Last I
checked, Mozilla has had several hundreds, if not more than 1000,
identified security vulnerabilities.  It's hard to tell the precise
number since Bugzilla has such a lousy search interface, but it is
definitely greater by more than a factor of 5 compared to IE (I should
know those numbers).  Mozilla does not have an excellent record when it
comes to security, it just has an excellent record in not being targeted
- and understandably: why bother targeting a browser hardly anybody
uses?  Given that AOL even removed their support of the development
efforts and killed its commercial offspring, the Netscape browser, I find
it hard to see that situation changing.

It's the same reasoning that makes virus writers rely on having
end-users manually open the attachment, instead of exploiting an
unpatched vulnerability to have it automatically execute - since relying
on the end-user works 98% of the time, why bother so much with the last
few percent?

The claim that email-clients on Microsoft systems are a monoculture is
quite flawed when you look at the vast selection of clients available on
any Microsoft system, not that different from the offering on Linux.  A
lot of the Linux mail clients are even available in Microsoft flavors.
The fact that Microsoft's own pre-supplied email clients predominate the
Windows landscape should come as no surprise, not as much because it is
Microsoft but because it is pre-supplied as part of the install.  If we
had a comparable amount of Linux desktop users to survey (not the
knowledgeable administrator reading this article who knows how to
compile his own programs), I am pretty sure that we would see the same
picture - most people using the same base set of factory-boxed software,
including browsers and email clients. 

We can already recognize that trend among current Linux distributions,
with a lot of users staying by the factory-supplied Mozilla Mail and
KMail.  Both of these render HTML mails by using their respective
browser engines, a practice which is increasingly discouraged even on
Windows mail clients where it can be disabled, and often is by default,
these days.  We already covered whether Mozilla's HTML engine is more
secure than the IE HTML engine; suffice to say that relying on it to
avoid viruses is mere security through obscurity.

Every OSS supporter claims that the Open-Source community is faster at
patching vulnerabilities.  Sure, they might update the source in the CVS
15 minutes after receiving a report, but how long will it take for that
updated code to actually reach supported applications?  Administrators
and users are wary of updating to the latest unstable beta build, and
for good reasons.  In the case of Mozilla/Netscape, updated code in the
CVS typically took a month, often 2 or 3, to go from nightly/unstable
builds and reach the actually supported product - not much unlike the
timeframe for IE patches.

There is a good reason for the time delay that supported products
enforce, namely quality assurance and regression testing.  In the recent
case of OpenSSH, a vulnerability was discussed on a public mailing list
and within hours OpenSSH 3.7 was released.  Hooray, I hear the many OSS
supporters exclaim, what a quick fix!  Later that day, OpenSSH 3.7.1 was
released to fix a related vulnerability.  By looking at the public CVS
it turns out that not 5 minutes after the changes for 3.7 had been
committed to CVS, another set of changes were committed and not 10
minutes later more was changed, which in the end was bundled and
released as 3.7.1 on that same day - so much for thorough testing.

Another common misconception is that only Windows users use their OS
from their administrator account.  As we have already seen with Lindows,
and as we will see increasingly in the future, end-users are not
knowledgeable enough to know that certain functions of their OS should
be restricted from their reach.  They will want the administrator right,
they want to add and remove programs at will, they want to add new
hardware and have its drivers automatically installed - on a desktop
system, application anarchy is the rule as opposed to the rigid
locked-down feature-set of corporate Linux desktop rollouts.

Even when a Linux desktop system is properly configured with restricted
accounts, there are simply so many local root exploits to pick between
that the point becomes moot.  Does anybody really expect that a desktop
user would be able to more timely apply patches against those local root
vulnerabilities on a Linux desktop system than on a Windows desktop
system?  A lot of desktop users are confused as it is when they
encounter WindowsUpdate, how should we expect them to download files
from ftp mirrors, verify the md5 checksum (you do that on every file,
right?) and compile the updated source code?  The solutions we are
currently seeing such as the semi-automated software update from Red Hat
require subscription, and are increasingly relying on having a specified
set of applications installed on the user's desktop - the very
monoculture which Microsoft is criticized of practicing is working here
in favor of that patch automation process.

To sum it all up, both Windows and Linux desktop systems face the same
security threats, same lack of updates and the same presence of
end-users wanting to see the latest Maria Sharapova pictures and hear
the latest Viking Kittens MP3.  Any initial advantages in security that
Linux desktops may have through a different design are quickly
outweighed by the sheer complexity in maintaining that design.  It is
striking to see that the user/attack ratio is so much higher on Linux,
and unless the large distributions improve and simplify their desktops
in key areas I doubt we will see much of a secure desktop market on
Linux. 

As Scott Granneman puts it, security is not a product, but a process.

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
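An added example, not code from the PivX article or from this list post: a small content-based file-type check in Python of the kind the article's "magic filetype" paragraph describes. It sniffs the leading bytes of a file against a table of known signatures and then flags attachments whose extension disagrees with the detected content, which is the check a mail gateway or download scanner would actually want to run. The signature table, the expected-extension map and the sample attachments are constructed for this example; the 256-byte header length follows the article's own figure, and the signatures are deliberately a subset.

```python
# Added example (not from the PivX article or the TLUG post): content-based
# file type detection by "magic" bytes, compared against the file's extension.
# The signature table, extension map and sample attachments are constructed.

import os

# (detected type, offset, magic bytes): a small subset of well-known signatures.
SIGNATURES = [
    ("elf", 0, b"\x7fELF"),
    ("pe", 0, b"MZ"),                      # DOS/PE executable stub header
    ("pdf", 0, b"%PDF-"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("zip", 0, b"PK\x03\x04"),             # also jar/odt/docx containers
    ("gzip", 0, b"\x1f\x8b"),
    ("script", 0, b"#!"),                  # interpreter line
]

# Extensions that are consistent with each detected type (assumed policy).
EXPECTED_EXTENSIONS = {
    "elf": {"", ".so", ".bin"},
    "pe": {".exe", ".dll", ".scr"},
    "pdf": {".pdf"},
    "png": {".png"},
    "zip": {".zip", ".jar", ".odt", ".docx"},
    "gzip": {".gz", ".tgz"},
    "script": {".sh", ".py", ".pl"},
}

HEADER_LEN = 256  # the article's figure for how much Explorer inspects


def sniff_type(data: bytes) -> str:
    """Return the type whose magic bytes match the header, else 'unknown'."""
    header = data[:HEADER_LEN]
    for name, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the content-derived type.

    mismatch is True only when the content was recognised and the extension
    is not one we expect for that content; unknown content is not a mismatch
    on its own, it simply gives the gateway nothing to compare against.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_type(data)
    mismatch = detected != "unknown" and ext not in EXPECTED_EXTENSIONS[detected]
    return {"filename": filename, "extension": ext,
            "detected": detected, "mismatch": mismatch}


# Constructed sample attachments (name, leading bytes).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable posing as an image
    ("notes.txt", b"hello from the list\n"),
    ("tool.bin", b"\x7fELF\x02\x01\x01\x00"),
    ("setup.sh", b"#!/bin/sh\necho hi\n"),
]


def scan_samples() -> list:
    """Run the check over the constructed samples and return all results."""
    return [check_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for result in scan_samples():
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{result['filename']:12} {result['detected']:8} {flag}")
```

Only holiday.jpg is flagged: its name claims an image while its first two bytes are the DOS/PE stub header. The point is the one the article gestures at: the extension is a claim the sender makes, the leading bytes are evidence, and a scanner should compare the two rather than trust either alone.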