Linked by David Adams on Mon 6th Oct 2003 19:34 UTC
Bugs & Viruses It's an oft-repeated maxim that one of the reasons that Windows operating systems are plagued by so many viruses, worms, and security exploits is because they are so popular. Extrapolating on this, many have remarked that if Linux, MacOS, or other OSes become more popular, they will attract the attention of virus writers. That may be true, but the increased attention will not necessarily yield the same quantity of viruses and other exploits, says a Register article. Update: Rebuttal article.
Re: Great Cthulhu (IP: 209.47.215.---)
by drsmithy on Tue 7th Oct 2003 17:56 UTC

Which is my point: the system is vulnerable by default, and it requires some serious tweaking to make it secure.

No, it isn't. The end user must take deliberate steps to run an executable from a mailer in both OSes. Barring coding bugs, it is not the default and it is not automatic.

It's arguable that allowing the capability at all is bad, but firstly that's getting into "slippery slope" territory (who decides what capability is good or bad), secondly it's not really the issue and thirdly there's a fair chunk of people out there (like me) who think it's a nice option to have.

No it isn't! You don't have to make an attached .exe or .scr executable in Outlook for Windows - you can execute it just by double-clicking on it.

I'm pretty sure an .scr is just a data file and the exploit using it was utilising a buffer overflow in the screensaver code. That's something any handler application is potentially vulnerable to.

With KMail you can't even execute malicious code in HTML mails, a bug which affects some versions of Outlook!

Yes, because KMail has less HTML functionality than Outlook. Again, it's arguable whether this is good, or bad - but I've seen lots of HTML emails out there using fancy things whose creators wouldn't like it much if they suddenly stopped working.

The point I'm making is that whether the end user has to select a different option in a dialog box or run a single shell command is largely semantic - the "hard" part is convincing them to do either.

Stop thinking that all users are idiots.

I don't think users are idiots, I think they make poor choices relating to using computers - and will continue to do so.

Apple isn't really a monopoly, not if you consider "personal computers" as a whole.

Any definition you use to call Microsoft a monopoly, also marks Apple as one.

This is an old and tired argument.

And correct, as well. Have you ever looked at the market definition that was used to call Microsoft a monopoly?

The vulnerability of an OS is independent from its popularity.

Perhaps in some academic sense, this might be true. In the real world, the more common an OS is, the more likely it is to be attacked, the more likely it is to be used in riskier scenarios, the more likely attackers will find a weakness and the more attractive target it makes to exploit that weakness.

Either a system is vulnerable, or it isn't.

And this *certainly* isn't true. At least, not for any systems that are available to the general public.

If it's vulnerable but rare, then no one cares. If it's vulnerable and very common, then we have a problem.

Even if it's just as vulnerable as the alternatives and ninety-odd times as common, then it's still going to represent a greater proportion of exploited hosts.

What does having "greater functionality" (which overall isn't true anyway) have to do with the fact that it's more common?

Because it's one of the factors that have made it more common.

Windows is more common not because it has more functionality (it doesn't) [...]

It certainly does. The article gives numerous examples thereof.

[...] but because it came preloaded on every PC back in the days of Win95.

If you want to argue that, then you'll need to go back further than Windows 95.

Of course, even then - just as at all times - it's been possible to buy PCs without Windows, or any OS at all.

Windows is popular because it's "good enough" - same reason unix is (in their relevant market circles).

The added "functionality" that does make Windows more vulnerable is that you can run executables that you receive via e-mail without having to set the executable bit.

Or, to play devil's advocate and turn it on its head, the functionality lacking on the unix side is having file attributes carried along with an attached file.

Instead of having to set an executable bit you have to ignore a dialog and change the default option from "Save" to "Execute". How long do you think that's going to hold back the average punter who wants to see some boobies - particularly when instructions are conveniently laid out in the email?

But the fact is that this does not have any real utility: how often do you need to execute an attachment (not open attached data, which is quite different)?

Within a corporation, I can see some uses.

Not to mention just passing data off to a handler is also potentially dangerous, if the handler is exploitable.

Again you refuse to understand: "monoculture" doesn't make Windows more vulnerable. It just makes any vulnerabilities more dangerous.

Actually, it makes vulnerabilities more likely to be found, exploited and propagated.

Even if we assumed Windows and other OSes are at equal levels of "vulnerability", we'd still expect to see a vast bias towards Windows in terms of actual exploits and damage caused.

Heck, even if we were to swing the other way and assume Windows was half as vulnerable as OS X and Linux, you'd still expect to see a massive bias towards Windows.

Since you seem to misunderstand this, let me find another example. Let's say I have made a breed of cows. For some reason, that breed is quite vulnerable to the flu and will quickly die if exposed. That breed is therefore highly vulnerable. However, I have the only herd in North America. Therefore, even if the flu hits, no more than a couple dozen cows will die. Now let's say that this breed - for whatever reasons - becomes highly popular and becomes the prevalent breed in North America, with 90% of the cows being from that breed. Then the flu hits, and 90% of all cattle in NA die, sending the industry into a crisis. Now, the cows aren't more vulnerable because they've become the dominant breed - in fact, they are as vulnerable, no more, no less, than when I only had a couple of dozen of them. But the impact of their vulnerability is much, much higher because they have become a monoculture, and therefore affect the entire cattle industry and the economy at large.

How about this:
There are many breeds of cow. Some breeds are vulnerable to some viruses, other breeds are vulnerable to different viruses. However, one breed of cow has become dominant, making up 90% of the cows in the country.

Statistically speaking, which breed of cows would you expect to suffer the most casualties due to sickness? Which breed of cows would you expect to see contract illnesses more often? Which viruses would you expect to see spread the fastest throughout the bovine population?

Bear in mind we're working with raw numbers here, not normalised ones.

*You* are the one who doesn't understand. The reason this guy perceives Windows as "more vulnerable" is because it gets exploited more often, exploits spread faster and the damage caused by exploits is greater.

EVEN IF EVERY OS WAS EQUALLY VULNERABLE, YOU WOULD *STILL* EXPECT THIS TO HAPPEN BECAUSE WINDOWS MAKES UP THE VAST MAJORITY OF THE MARKET.

No, he's saying that OS popularity is independent from vulnerability, not the overall damage that can be wrought.

And he is wrong. Commonality is a fundamental aspect. This is inescapable if the metrics being used are not normalised against marketshare and AFAIK, none of them are.