Linked by David Adams on Mon 6th Oct 2003 19:34 UTC
Bugs & Viruses It's an oft-repeated maxim that one of the reasons that Windows operating systems are plagued by so many viruses, worms, and security exploits is because they are so popular. Extrapolating on this, many have remarked that if Linux, MacOS, or other OSes become more popular, they will attract the attention of virus writers. That may be true, but the increased attention will not necessarily yield the same quantity of viruses and other exploits, says a Register article. Update: Rebuttal article.
Permalink for comment
To read all comments associated with this story, please click here.
Re: Mike (IP: ---.ecsu.ctstateu.edu)
by drsmithy on Tue 7th Oct 2003 04:13 UTC

Not to bash MS at all, but its products are less secure by design.

Name some *design* features present in other OSes that are lacking Windows. Please remember the difference between *design* and *implementation*.

I can certainly name several *design* features of (most) unix-like OSes that make it less secure than Windows. I can only think of one where unix-like OSes are clearly superior.

With a little effort, one can beef up the security on one a Windows box... the problem is, most Windows users don't really know how to (or even care to, for that matter)...

Which is basically the point the article is trying to deny.

(Just one example, but a good one...) Defaults like automatic logon for on a user with Admin rights... that's just asking for a system to be compromised.

Actually that's a pretty poor example. The only environments where the default auto-login is left enabled will be ones where the people are implicitly trusted - home users and small offices.

I don't know how many people break into your house to install and propogate viruses from your computer, but it hasn't happened to me yet.

Windows platforms have more viruses because
a) it's a more inviting target
b) users are generally less technically able
c) machines are generally being used in less secure environments.

These are all directly related to popularity. The only times this entire article isn't giving ways Linux is less capable and using them to say it is more secure are the times it's actually contradicting itself and admitting Windows' popularity is the main reason it's more vulnerable.

Not to mention the simple factual errors:

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Yes, the Morris Worm wasn't widespread at all, was it ?

"Let's look further at social engineering. Windows software is either executable or not, depending on the file extension. So if a file ends with ".exe" or ".scr", it can be run as a program [...]."

Things like .scr files aren't actually executables in the same sense as .exe files. They are simply automatically passed on to appropriate handlers when "launched" from the shell. Disassociate the handler from the file extension or change the file extension and the vulnerability disappears.
An identical process happens under most other decent GUIs as well and is equally vulnerable.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it."

Whilst not factually incorrect, the underlying point is largely moot. Yes, a regular user can only damage their own files, however, this is being somewhat ignorant of the fact that on the typical system the user's files are the only ones they really care about. Not having any of your OS files touched while a virus merrily wipes out 30 gigs of MP3s and the thesis you've just spent 11 months writing is, at best, a pyrric victory.

Not to mention root access isn't necessary to do things like scan the user's home directory for email addresses, send out mass emails and do most other things Windows worms do.

This whole attitude Linux zealots have about how acquiring root privileges is somehow difficult and thus overall vulnerability is somehow greatly reduced is just a wank. Firstly, acquiring root privileges on and end-user system would not be hard. Secondly, they aren't really necessary to wreak the same levels of havoc current Windows worms do.

"Unfortunately, running as root (or Administrator) is common in the Windows world.

[...] with the power to do anything he wants to the computer."

Administrator != root. Acquiring root privileges exposes a system much more than acquiring Administrator privileges. An Administrator *can't* do "anything he wants to the computer", a root user *can*.

"[...] let's examine software design for reasons why Linux (and Mac OS X) is better designed than Microsoft when it comes to email security. Microsoft continually links together its software, often not for technical reasons, but instead for marketing or business development reasons (see the previous link for corroboration). For instance, Outlook Express and Outlook both use the consistently-buggy Internet Explorer to view HTML-based emails."

Using the system's HTML engine to render HTML in other applications *is* good design. It's a textbook example of modularity and code reuse which, last time I checked, were considered good software engineering practices.

"Finally, if there is an attachment, it does not automatically run ... ever."

I'm not aware of any version of Outlook that has defaulted to automatically running attachments by design. They've always required either an exploited coding bug or user interaction - both of which are equally possible on other platforms.