Counting viruses is simplistic, but there is evidence that Windows is becoming more resistant, and Linux is becoming more of a target. The report also points out that Apple is becoming vulnerable, “now that it is fielding an operating system [OS X] with embedded Internet protocols and Unix utilities.” Read the article at ZDNet UK by John McCormick.
1) Out of all the viruses/worms on the Windows platform, how many of them that reached epidemic proportions had a patch available for weeks, months, or in some cases even years beforehand? What would happen to a Linux box if its owner (especially on servers) went without patching it for that long?
2) How widespread would viruses be on Linux if the majority of its users were dumb enough to run any and every file that came down the pipe? Yes, I know it would be harder or maybe impossible to do it with an email attachment (so they say), but maybe some other way?
3) Even if you’re not running as root, couldn’t any file with write permission for the user be written to or deleted? So maybe a virus couldn’t trash the system (easily) when not running as root, but how hard would it be for a virus to corrupt a user’s data files, or maybe even your login shell script? How about a shell script that, upon login, reads your Mozilla address book and uses sendmail (or some other SMTP tool) to send mail to everyone in that address book?
Sure, delete the user and create a new one, but how many casual (i.e. Lindows) users would know that?
Correct me if I’m wrong, but doesn’t “the Aberdeen Group” get lots of money from Microsoft? I know there is a group out there like that, but I can’t put my finger on whether this is the one.
How hard would it be for a virus on Linux to pop up a box saying “to do x, y, z, please input your root password” and bam, the virus has root permissions now. All computers are vulnerable; it’s not about that, it’s about how quickly it can be fixed.
Another review of security based entirely on the number of CERT advisories released. Pathetic. Why can’t anyone do a REAL study? I am talking about a random sampling of various users’ boxes and checking to see if they have been compromised. Start with desktops, then workstations, then servers. Measure the severity on some sort of scale based on the amount of damage that can be caused. It would look something like this:
Level 1 Threat:
Control over a single compromised program. Ability to upload malicious code.
Level 2 Threat:
Command-line access, ability to upload and execute malicious code as a limited user.
Level 3 Threat:
Rooted in *nix, System privileges in Windows. Ability to view files of all users. Ability to execute malicious code as root, or admin, etc.
This is a fair and objective test. You could figure a pretty good approximation of the number of compromised *nix boxes compared to windows boxes AND judge the severity of infection. This is real world and not based on an honor system like the CERT advisory method.
It would be a lot harder than say, putting a command into the help dialog and formatting the hard drive as a result.
Earth to journalist? Hey, the article is dumb, the Aberdeen Group is a known offender, and we need some Eugenia mockups to make our day better
First I think Lindows uses the root account. Second, almost every single thing I install on Linux requires that I enter the root password. User clicks virus, virus asks for root password, user types it and you are right back at square one.
Don’t blame Linux for what some of its more stupid implementors are doing. It’s just a kernel, man!
Nothing new all around. Social engineering has been the downfall of many a system, and there’s only so much one can do to protect users from themselves before you hit the point of diminishing returns.
Windows is getting better on the security side. Microsoft does get a lot of flak from virii that could have been avoided with timely patching. Of course, the Outlook stuff is still a pain. I’ve always wondered, is VB script that valuable in the e-mail client to be worth so much bad press?
Well, I actually wanted to ask a different question. I’ve heard second-hand that many Windows sysadmins are reluctant to upgrade due to Microsoft’s bad track record in making patches that don’t break working aspects of their products. Could any experienced admins corroborate that? Good stories are always welcome, of course.
The answer is: No, Yes, and Could Be!
No, Linux is not as vulnerable as Windows; neither is MacOS.
Most hackers, crackers, and script-kiddies write to get attention and they write for the largest audience, to get the most attention. Why write a virus, worm, or other malicious file to get 10,000 computer users when you can write the same malicious file and get 10,000,000 computer users?
Yes, Linux is as vulnerable as Windows.
There is a false sense of invulnerability in many Linux users. There are probably as many weaknesses in different parts and programs used on Linux as there are on Windows platforms. Linux isn’t worth the bother for the majority of the script-kiddies.
Potentially, Linux will be as vulnerable as Windows is now.
Linux is gaining popularity in the server market and as a desktop platform. As that popularity increases and there are additional millions of Linux users, the script-kiddies will find Linux a tasty target.
The dawn of a new day!! Whoopie!!
Oh give me a break. Throw this kind of crap in the dumpster where it belongs. What a load of rubbish.
In theory, Linux isn’t inherently less vulnerable to viruses and worms than Windows. There is still a user account with complete control over the system. Buffer overflows and format string attacks still occur. Some users are still stupid and will do anything that an email tells them to, if it’s worded right.
But in practice it’s different. Distros ship with potentially dangerous services turned off (this wasn’t always the case, and the Ramen worm which exploited a vulnerability in Red Hat 6.2’s default install taught Linux vendors a lesson). Services can be run in a limited-access sandbox (i.e. chroot, or in User-Mode Linux) or, more often, as a user with no useful privileges and no login shell to use. Intrusion detection systems are available for free. Firewalls are powerful and commonplace. Executing an email attachment requires the user to save it somewhere and manually mark it as executable before running it. Linux application authors, particularly where network access is involved, are not prepared to sacrifice security for convenience. This is a good thing.
Moreover, Linux isn’t anything like a monoculture. An exploit that works on a server running Red Hat 8.0 often won’t work without modification on one running SuSE 8.1 because of differences in package versions, or compiler versions, or simply by having different software installed. Without catering to a wide range of distros and versions of distros, a Linux virus or worm won’t spread very far. An exploit for Win2k often won’t work on NT4 either – but there are so many machines running Win2k that it doesn’t matter. An oft-used complaint about Linux – that distros aren’t particularly compatible with each other – turns into an advantage here.
I have no doubt that virus writers will target Linux more frequently as it becomes more popular, but they’ll have to get significantly cleverer to be successful, and may well have to accept that they won’t get the same kind of global epidemic that Windows viruses and worms are capable of.
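The point above about running services “as a user with no useful privileges and no login shell” is something an admin can check mechanically. The following is an added example, not code from the comment or the article: it parses /etc/passwd-style entries (a constructed sample, not from any real host) and flags daemon accounts that still have an interactive shell, plus any second uid-0 account. The uid cutoff for “system account” and the shell lists are assumptions for the example.

```python
"""Audit /etc/passwd-style entries for service accounts that would hand an
attacker more than they should: an interactive shell on a daemon account,
or an extra uid-0 account. The sample input below is constructed."""

# Shells that give an interactive login if the account is compromised.
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh", "/bin/csh", "/bin/tcsh"}
# Assumption for this example: uids at or below this are daemon/system accounts.
SYSTEM_UID_MAX = 999

# Constructed sample: two daemon accounts with login shells and a second uid-0 user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Return a list of dicts, one per passwd(5) line; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_accounts(entries):
    """Return (account, reason) pairs for risky entries, in passwd order."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra uid-0 account"))
        # A daemon account should carry a no-login shell; an interactive shell
        # turns a compromised service account into a usable foothold.
        if 0 < e["uid"] <= SYSTEM_UID_MAX and e["shell"] in LOGIN_SHELLS:
            findings.append((e["name"], f"system account with login shell {e['shell']}"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account}: {reason}")
```

Run against a real host by feeding the contents of /etc/passwd to parse_passwd; the uid cutoff may need adjusting for distributions that start regular users at 500.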
Moreover, Linux isn’t anything like a monoculture. An exploit that works on a server running Red Hat 8.0 often won’t work without modification on one running SuSE 8.1 because of differences in package versions, or compiler versions, or simply by having different software installed.
This is very true. Windows is essentially a common platform that comes in a scant number of versions, but Windows has an enormous install base. Contrast this with Linux, which comes in hundreds of flavors, each with a long history of several versions. Combine this with the “tweaker” nature of many Linux users, and virtually every Linux system is a separate entity from the next. Furthermore, consider that Linux runs on a multitude of ISAs, and that many systems will have a custom kernel (and that isn’t even taking into account the sheer number of kernel versions that systems are running). Targeting a worm for Linux systems becomes incredibly difficult.
Of course, this diversity is a double edged sword. It also makes life for developers incredibly difficult as there’s no common Linux platform on which to build applications…
The author states: “The bottom line is that if a vulnerability leads to intrusions on your network, it’s a problem, and it doesn’t matter whether the vulnerability was a ‘high’ risk or a ‘low’ risk, only whether it cost you time and money to deal with it.” (emphasis added) This is hardly true and is even contradictory to points he makes in his own article when he talks about the “need” to create a system to rate the seriousness of viruses.
Low risk problems will inherently cost less to fix. If the two OS’s are subjected to an equal or similar number of threats, yet for one all are serious and the other all are minor, the better choice is obvious.
I think anybody with half a brain realizes that some (if not all) of the diversity that Linux currently enjoys will have to go before it can grab the attention of Joe User. At that point, the diversity issue will lessen as the distros and desktop environments become more ‘standardized’ to work with each other.
Add to that the fact that the kind of users you will gain by doing this are the same ones who currently do whatever an email tells them to do and who rarely (if ever) patch their system, and you have a recipe for the same shit you’ve seen on Windows all these years.
So those of you who want ‘Linux for the masses’, think about what you are saying – is this really what you want?
As for Linux vendors turning off dangerous services, so too will Windows 2003 Server (or at the very least, IIS) be shipped locked down. Also, it appears that the next version of Outlook will have HTML disabled by default as well.
It doesn’t matter how vulnerable Linux is. The truth is, when a vulnerability is discovered, a new version of the software is available. There is none of this patching crap.
There are new versions of distributions very often, much more often than Windows, each new one with fixes for old vulnerabilities. For the most part admins are good at keeping Linux servers up to date. Who knows about most users.
Anyway, I’d like to see anyone hit my Gentoo Linux with an exploit that is more than a week old. By then I’ve already got an update, if not sooner…
yup… till script kiddie Joe’s half-knowledgeable but malicious cousin Jake catches a bug in his own personal “code audit” that no one knows about… “owns joo” with it (or whatever those people say these days) and has his way with your oh-so-invulnerable system
of course there’s not a patch in the works; no one knows about it yet but Jake, and he has NO intention of posting to Bugtraq ;o)
As for Linux vendors turning off dangerous services, so too will Windows 2003 Server (or at the very least, IIS) be shipped locked down. Also, it appears that the next version of Outlook will have HTML disabled by default as well.
This is good news, but it’s a little late in coming.
Well if we’re allowed to talk about the future, I should point out that Linux 2.5’s LSM (Linux Security Module) support will give vendors and sysadmins a way of making remote vulnerabilities all but unexploitable. Modules that plug into the LSM framework will allow the removal of the root user as a concept, and allow vendors/admins to give specific privileges to specific processes (e.g. to bind to a certain port, read certain files and write to their logfile, but their logfile only) and deny everything else, and also deny all privileges to child processes (e.g. a shell that a worm might try to start by injecting code into a process after causing a buffer overflow in it). With such a system in place you might be able to crash a service remotely with a buffer overflow, but you have no chance of gaining a remote shell from that, and thus have no hope of exploiting it.
Which leaves client-side exploits as the only real source of vulnerabilities. Without Outlook, IE and Office and their hare-brained ideas about scripting, there’s a lot less to exploit, although I’m sure people will find a fair few given time. Still, there’s nothing to stop LSM from working here either, developers just have to ensure that apps install with a safe set of privileges so that if (when?) a vulnerability is found, there aren’t enough privileges available to make a worm possible.
If, after all that, worms are still possible, then it’s probably the users who need upgrading.
All OSes are improving their security, that’s how it should be.
If M$ has an update you have to download many, many megabytes to solve the problem, you don’t know how many bugs they correct with all those bits and bytes, but CERT counts it as being one bug…I think you can not produce a reliable number of bugs for M$-systems, since they do not give enough info.
> Most hackers, crackers, and script-kiddies write to get attention and they write for the largest audience, to get the most attention. Why write a virus, worm, or other malicious file to get 10,000 computer users when you can write the same malicious file and get 10,000,000 computer users?
> Yes, Linux is as vulnerable as Windows.
> Linux is gaining popularity in the server market and as a desktop platform. As that popularity increases and there are additional millions of Linux users, the script-kiddies will find Linux a tasty target.
There is a problem with that, though. In terms of network-connected machines that are always on (servers, routers, etc.), the type that script kiddies want to 0wn, there are far more Linux and BSD machines than Windows. Just looking at Apache’s server numbers at Netcraft, it is run on twice as many machines as IIS. Except, from stats at attrition.org, IIS servers are exploited five times as much. So, in short, a Linux Apache box is a tenth as vulnerable as a Windows IIS box.
Linux boxes are a majority, and finding a good exploit and using it could allow you to effectively attack large sections of the web, with hundreds of major companies and pieces of infrastructure.
Also bear in mind that any script kiddie with half a brain cell is running a unix derivative to begin with, so researching exploits is easier than windows.
Except, that is not happening. List the major Windows issues we’ve had in the last few years… Code Red, Nimda, Slammer (I haven’t seen a single Linux attack affect me, but my router got some serious abuse from this one… When did a Linux exploit last disable all net access for Korea?). Now, on to the subject of mail worms and trojans… We haven’t seen any major Linux ones at all, but for windows, we’ve seen ILoveYou, Klez, Badtrans and dozens of others in the past year or so. Major companies have been crippled, people have lost work totaling billions of dollars in worth.
Linux makes it hard to:
– Create a virus to affect all systems, due to diversity, unlike windows (much like the risk posed by a single virus to wipe out races of animals/plants with asexual reproduction).
– Do any real damage. The most you might do is wipe out a user’s home directory (it just isn’t fun for a script kiddie unless they can 0wn/destroy a box).
– Hook into OS functions to propagate.
The proof is in the pudding. Wait for the next big windows worm…
i think there’s a distinct difference between them.
the author obviously missed this, and talks about viruses as if they were trojans and vice versa.
I am getting tired of all these people claiming successful viruses on linux/*nix are possible:
f*cking write one then will ya?
It would be a sure way to stop the Linux trolls from posting their “virus is impossible” posts, it would save MS the money for an inquiry like this, no numbskull author would have to make a fool out of himself, …
write one and be done with it, or admit you (and most others) can’t (if it’s even feasible)
I know not a single Linux user having an antivirus program (except for some Samba servers protecting their Windows clients), still none of them get in trouble
easy writing crap like that article, where’s the proof?
“Linux makes it hard to:
– Do any real damage. The most you might do is wipe out a user’s home directory (it just isn’t fun for a script kiddie unless they can 0wn/destroy a box).”
Ehem. I’d say that losing all their work would be pretty bad for most people. Even if you have a backup you’re still going to lose the last day’s work; multiply that by all the desktop users in a fairly large company and you’ve just lost a lot of money in work that has to be repeated.
Sure it won’t crash the system, but it’s bad enough anyway
No, here’s why.
1. Linux doesn’t need to reboot when patches are installed, causing downtime.
2. Linux distribution permissions do not allow code to run as root, or overwrite critical system files.
3. Email clients don’t execute attachments.
4. Patches are usually available minutes or hours after the bug is found.
Now, think about this.
Apache is the #1 www server on the Internet, yet there have been few exploits in the last few years.
IIS is the #2 www server on the internet, yet it’s exploited every other week.
It’s not about the largest target market, if it was then Linux would ALREADY have more viruses as there are more people using Windows that dislike Linux than vice versa.
The reasons go on and on and on and on; there’s nothing to debate, the fact is that Windows is inherently insecure. The problem with viruses and worms is that Windows was not designed with security in mind when every other OS in existence was! Instead of blaming it on market share, fix the damn problem at its source!
and never will.
that being said, of course linux will become more of a target.
and as more newbies jump on board, it will become more of a soft target.
ignorant people are targets…whether they are on linux or windows.
it reports all software installed on your machine.
so for this forum, that means pretty much one giant list in the “warez” column for the windows users of this group.
MS’s huge db of mac addresses, ips, & netbios names is growing exponentially.
it will be funny to watch the fireworks when it’s released.
>>Just looking at Apache’s server numbers at netcraft, it is run on twice as many machines as IIS.<<
This is a common misconception: it’s not run on more machines, more websites are hosted on Apache. There’s a difference. I work at a major hosting company. We host using both Apache and IIS. Let’s say we pick 300 sites, 200 run on Apache, 100 on IIS. The Apache boxes may be hosting 50 websites on each server. The IIS boxes may be hosting 10 on each server. Netcraft runs their reports and shows 200 Apache sites, 100 IIS; people read this and think there are 200 servers running Apache and 100 running IIS. In reality it’s 4 servers running Apache and 10 running IIS. Believe me, that’s the way it is. We host over 100,000 sites, 60% Apache, 40% IIS, yet we have twice as many IIS servers as Apache. It still points to Apache being more popular and being able to handle bigger workloads. I just wanted to clear up this mistake I read way too often when people are trying to compare Apache and IIS. If an attacker wanted to bring down physical machines, yes, IIS would be the better target. If they wanted to bring down actual web sites, then you would attack Apache. In the end I don’t think it comes down to who’s more vulnerable, it’s more to do with who’s hated more. I don’t hear of people who hate Unix/Linux, but there are tons of people who hate Microsoft.
So you just *assume* that everyone here has warez on their Windows machines?
wrong again… that may be all it’s ~easy~ to do…. but ever heard the terms “local exploit” or “privilege escalation”?
care to venture a guess as to what this means?
plus people need to remember viruses are not the same as trojans… are not the same as worms… are not the same as people getting in themselves through holes in software… although all these are related to one or more of the others
is linux ~as~ vulnerable as windows? probably not… is linux inherently “safe” ? NO!
//it will be funny to watch the fireworks when it’s released//
Let ’em release it. I’ve paid for all the software on my system.
It’s that old-fashioned annoyance, called a conscience.
Some folks still have one.
“…is linux inherently “safe” ? NO”
I don’t think anyone claims that Linux is 100% safe. But by design Linux is safer than Windows. This has nothing to do with the number of viruses or trojans available. It has everything to do with how user privileges, file permissions, and programs operate.
Linux/Unix have strong file permissions. Most users have write access to a very small, very limited, number of folders. It doesn’t hurt the overall system if your dumbass roommate borrows your computer and gets his home directory destroyed. Just delete his account and make him a new one.
Someone mentioned privilege escalation, yes, this IS sometimes possible through security holes. However, it is just one more hoop a cracker has to jump through to be successful on a linux box.
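The permission argument in the post above (an unprivileged process can only damage what its user can write) and the earlier question about a virus corrupting a user’s data files or login script can be made concrete. The following is an added example, not code from any commenter or from the article: it implements the Unix owner/group/other write check with the root override over a constructed file table, lists what a process running as one user could overwrite, and flags the misconfiguration (a root-owned, world-writable file) that would turn a user-level compromise into the “one more hoop” of privilege escalation. All paths, uids and modes are constructed for the example.

```python
"""Model of the Unix discretionary access check (owner/group/other, root
override) over a constructed file table, to show what a process running as
an ordinary user can and cannot overwrite. Paths, uids and modes below are
constructed for this example, not taken from a real system."""

import stat

# (path, owner_uid, owner_gid, mode) -- constructed sample filesystem.
SAMPLE_FILES = [
    ("/etc/passwd",            0,    0,    0o644),
    ("/bin/ls",                0,    0,    0o755),
    ("/etc/cron.d/backup",     0,    0,    0o666),   # deliberately misconfigured
    ("/home/alice/.bashrc",    1000, 1000, 0o644),   # login script, owned by alice
    ("/home/alice/thesis.tex", 1000, 1000, 0o600),
    ("/tmp",                   0,    0,    0o1777),  # sticky, world-writable dir
    ("/home/bob/notes.txt",    1001, 1001, 0o640),
]


def may_write(uid, gids, owner_uid, owner_gid, mode):
    """POSIX DAC: root bypasses the check; otherwise exactly one of the
    owner/group/other classes applies, chosen in that order."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_by(uid, gids, files=SAMPLE_FILES):
    """Paths a process with this uid and group set could overwrite or delete."""
    return [path for path, o_uid, o_gid, mode in files
            if may_write(uid, gids, o_uid, o_gid, mode)]


def world_writable_system_files(files=SAMPLE_FILES):
    """Root-owned files writable by 'other' that are not sticky directories:
    the kind of mistake that lets a user-level compromise reach root."""
    return [path for path, o_uid, _o_gid, mode in files
            if o_uid == 0 and mode & stat.S_IWOTH and not mode & stat.S_ISVTX]


if __name__ == "__main__":
    print("alice (uid 1000) can write:", writable_by(1000, {1000}))
    print("root can write:", writable_by(0, {0}))
    print("escalation candidates:", world_writable_system_files())
```

Under this model a payload running as alice can trash her thesis and her .bashrc (so a trojaned login script is exactly as feasible as the earlier comment feared) but not /etc/passwd or /bin/ls; the one root-owned file it can reach is the misconfigured cron entry, which is why auditing for world-writable system files matters on a box where users are untrusted.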
Let’s face it, no OS is inherently secure, and once you throw uninformed users into the mix it becomes impossible to actually maintain total security on a system anyway.
Open source isn’t really any more or less secure than closed source (or did everyone but me read through the entire kernel source code before compiling?). The many-eyes theory simply doesn’t work. We take it on trust that the code we download and compile won’t do anything too odd to the system: trust of the developers, or of someone we know who tells us it’s ok.
The VAST majority of people will never look at the source code of their applications. If something goes wrong they’ll go and look for a PATCH to their applications rather than digging into the source and fixing it themselves. This brings you round to trusting not only the original code, but also any patches you apply. These people want to use their computers, not program them.
Now seeing as that’s the case the point of attack may well shift to the source code itself rather than the running systems. Imagine someone managing to plant a trojan in GCC (For those of you that don’t remember, Ken Thompson suggested how to do this with a C compiler a long time ago. http://www.acm.org/classics/sep95/ ) or in Apache, or anything else with a very large number of code lines that has the opportunity at some point in its life to run as root. “Yeah, but someone would see it, it’d be fixed in a week!” I hear the zealots cry. Of course it would, this would explain why sendmail is STILL exploitable.
Back to the question:
Is Linux more secure out of the box than Windows? Yes, but thanks to the UNIX permissions structure, not because of anything originally Linux.
Is Linux secure? No, in that no OS can, or ever will be, totally secure. Remember that trojans and virii were first written on and for UNIX style systems, just because focus has temporarily shifted to Windows doesn’t mean it will never switch back.
Hmm, so tell me again why it needs root privileges to draw a pretty box on the screen? …
Symantec has new Windows viruses, trojans listed every half month, and Aberdeen says that in 10 months in 2002 there were no new ones. What a load of crap. But what can you expect from a company sponsored by MS. I do find it very funny that when it comes to a study on Windows and Linux. Windows always comes out on top. TCO is lower on Windows, Windows is more secure. Get serious guys. More MS hot air trying to get everyone to migrate to XP
There’s always more than one way to kill a system. All computers are vulnerable to attack. Even good old DOS had its share of boot sector viruses that were distributed via sneakernet on floppies. Speaking of which, how about a good old fashioned bootsector virus for Linux? Or maybe even a rabbit virus. Virii don’t necessarily have to destroy data, just make the computer unusable for a period of time.
I’m not the world’s biggest fan of Microsoft, but I’m also not a fan of people who only pursue knowledge in order to use it for destruction. Use what you’ve learned to make things better, not for destruction.
Bootsector virii aren’t really a problem for Linux, basically because Linux still uses boot recovery disks with a usable kernel on the disk. Even if the virus was able to corrupt the kernel, you boot with your boot disk and re-write the kernel.
Yes, Linux users are as susceptible to virii as Windows systems. But at worst you lose a user, not the system. As for the virus asking for the root password to trick you into letting it invade the entire system, what system administrator would give the root password to the entire user-base? Stupidity is as much of a threat to system security as the virus.
First you have to get into the box, then you have to become root. Once that’s done you can get into the MBR. That’s all well and fine though, because the partition’s superblock is stored in 3,000 locations; all I have to do is restore it after I boot from my Linux install CD with the following:
linux 1 initrd= root=/dev/hda3
Good luck finding root though. 😉
Some people here are going on about how a trojan could ask you to install it and ask for the root password. Well, you can only protect so much. We try to protect the owner of the computer as much as possible, only falling just short of controlling. Microsoft seem to now think that the only way to make a system secure is to have Palladium or whatever it is called now (read: MS decides what you can install on your PC).
It is stupid to try to prevent root from running anything. It increases inconvenience more than it increases security. Besides, what sort of stupidity would have you agree to give a password when you open an email? What would a user expect? Maybe educate the user. A trojan trying to make you install it is different from one that installs itself. A system is secure up to the guy who calls the shots on the system. If that guy allows the trojan in, as opposed to it letting itself in, the system has been compromised, but not because of any inherent weakness in it, but because the last line of defence (a human decision) was faulty. Might as well make more ‘secure’ people. Educate. Educate. Educate.
I think it pointless to argue it all; with Linux (a kernel) it’s very secure, and *nix in general is more secure than Windows. If you want proof, you should just think about your phone and what OS those systems have in them. MS is getting more secure, but even now you don’t have the option of looking at the code. If you want an example of someone trying to plant a trojan in Linux software, look at tcpdump. Bad security, whether it be in Linux or Windows, is almost always due to laziness or ignorance on the part of the admin/user. However, in many cases Windows proves its software is flawed.
A real life example: I clean up virii-infected systems. Man, Klez was a mess, and it was pale in comparison to others. Had the Windows systems implemented secure access policies, most of the virii wouldn’t get as far as they do, but they don’t have the same style of access policies and they suffer. No system is 100% secure, but there really are less secure systems; as far as mass attacks, it’s very hard on Linux as there is so much diversity.
As far as compromising a system, it’s harder to compromise a Linux system for a vast number of reasons, far too many to go into. I switched over due to a trojan, and most Windows users take the “it won’t happen to me” stance. When it does it will be a sad day for you. Right now as we sit here there is virii on the horizon that won’t be so nice, and worms that won’t mimic the kindness the Slammer worm did; thank a kind-hearted coder for that one, it could have been much worse. But don’t sit in your Linux realm and feel superior either, as that is the cause of most of my clean-up work. Stupid cocky admins. Another thing is Windows gets exploited more due to Windows admins being a dime a dozen and being pushed through certs that are supposed to prove their worthiness, whereas *nix admins are more seasoned and tend to care a lot more…
Open Source has some advantage. Just because not everyone goes through it, you would really be surprised at who and how many do and how often; yes, even the kernel and larger things like Apache are audited more than you think by people who care to fix it. Since you don’t get paid for it, you make it better for your use, that type of strategy.
I agree with the Gentoo user: try and crack my system, you have no idea what’s been done to it during compile time or what’s in it… or whose it really is…
oh by the way, that was one of the worst “raw data” reports I’ve ever looked at, and screw CERT, step into the real world; there is a good reason why Linux gets so much attention, and security is a big part of that…