Forrester Research didn’t come out with a single recommendation, says eWEEK. Instead, the analyst firm recommends that businesses that value quick patches look to Microsoft and Debian. At the same time, Forrester is concerned that Microsoft’s new monthly security policy may delay important fixes.
This comments section ain’t gonna be pretty…
Overall a good and well-balanced look at both sides of the fence… I’m forced to agree to an extent that Red Hat is a pretty security-conscious company… I remember when I used RH8 back when it was pretty new and RH used to send out pretty frequent updates through its subscription service… I dual boot between XP and Slack myself… They are both pretty good, but people need to realize that weekly updates on both, if they exist, are a must! 🙂
For whatever reason, I can’t pull up the article (have they been Slashdotted?) Anyway, here’s a thought:
Many people say that if Linux were more popular, it wouldn’t have the problem with viruses/worms that Windows does because:
a) Harder to run email attachments
b) Most things that could damage the system require root access
In regards to a, I can only wonder if anyone has considered the possibility that there may be a more effective way to spread viruses/worms on Linux than email attachments. For starters, most of the apps are open source and there are a lot of ‘unofficial’ repositories out there. So, rather than trying to get a virus on a user’s system, why not build one right into the program’s source code, recompile it, and PRESTO – instant gratification once the app is installed. All you gotta do is get your app out on some repository somewhere, or get the user to download it from some website … ie, maybe he’s looking for something that isn’t in the apt repository yet, or whatever. Or, maybe you could use some social engineering to get the user to modify his /etc/sources.list file. Assuming they will delete DLL files when told, why not? Also, I wonder how much fun you could have with rogue Mozilla/Firefox extensions? Can package managers be exploited in any way? Maybe dicking with a program’s apt dependencies to go and download something nasty?
As for b, it has been my experience that if something needs root access, it’ll prompt Joe Sixpack for a password, which he will gleefully type in whenever instructed, especially since people told him that if he moved to Linux, he wouldn’t have a virus problem, so why not? I think typing in the root password in Linux will be the equivalent of running email attachments in Windows.
And speaking of email, if there were a way (through social engineering or whatever) to get a user to run an email attachment, some people think that since there’s no Outlook, there’s no security problem. But all a program would need to do is use its own SMTP engine and scan the /home directory for files which contain email addresses. That’s what the newer worms on Windows do – they don’t even use the Outlook address book anymore, since newer versions of the program have been patched up the wazoo.
The author makes very good points about how, if you install the patch, you are likely going to be pretty secure. Most geeks, administrators and power users should know by now that you can’t always trust any product, whether it be a Windows box or a Linux box. Since not everyone can make OpenBSD do what we want it to do, we will have to rely on the open-source community, and MS, to decide what it deems an exploit or compromise of a computer system.
When I do support on computers, I tell the user that even though I installed a firewall and anti-virus and disabled services (Windows), it will not make your machine 100% impenetrable. I myself practice this; I love to test my hardware firewall, my Windows services, and just software in general. I pretty much think that if people were willing to spend just a little more on system hardware (routers) and other computer devices, most security would be assured.
Again, we can’t just rely on users. I think there should be schools set up to teach users that home computing is different from office or corporate computing. Most families now have roughly 2 computers in their homes, and they do not take the time to protect themselves via viruses, spam, and group policies. I think in general we are all at risk; the only way to be 99% secure is to unplug the machine from any access, and then again, there is the 1% of local hackers (crackers), which makes bandwidth, cost of ownership, and everything associated with costs much higher.
I think it is wrong to assume that a computer user (n00bie) can do the same as they do at home and consider themselves a systems administrator.
I was a systems administrator (out of work right now), but I remember going to people’s machines and them showing me how cool Bonzi Buddy or Napster is. I then told them about spyware and general illegal activities… Then proceeded to clean their systems.
But I think for anyone using any OS, whether it be Windows, *BSD, *nix, or any other operating system, you need to practice safe computing to be safe.
— thats my Quarter..
— wil
It makes no mention of versions; I am wondering how Windows 2003 Server is doing against 2000 Server with vulns in the default install. Since 2003 has most services off by default, I am willing to bet it is doing several times better than 2000 or NT4.
It doesn’t matter if you use Linux or Windows: if you don’t run a firewall, you’re dead. The biggest problem with Windows is the NetBIOS ports, especially on Win9x; some ISPs block these ports, but most still don’t, unfortunately. On the other hand, it’s easier to use a firewall like Sygate on Windows than something like iptables on Linux (which was meant for servers anyway, not desktop use).
This is a horrible comparison between the distros and windows.
First, Mandrake, Red Hat, etc. have completely different packages that come with their systems (such as the FTP servers, if any at all). If it really wanted a SEMI-fair comparison, it should have tested only kernel exploits between distros and how fast a patch comes out for each distro (the speed would probably be the same, but the percentages would change).
Second, it only gives percentages but doesn’t compare the number of exploits. What about MS’s known but unpatched exploits? If one product has 3 times the exploits and the severity of the exploits is much greater (remote root exploit, or local root exploit), it doesn’t matter if it takes 30 days or 50 days for the patch to come out!
Last, the article did not even touch the fact that with exploits in Linux, there is disclosure MUCH faster than there ever will be in Windows. Compare the case when the Debian servers were hacked and they were working together with RH to find the problem. Everything happened in front of the community, in the open source way, while MS can keep a reported exploit from a company quiet until they release a patch.
“…while MS can keep a reported exploit from a company quiet until they release a patch.”
Ignorance is bliss.
If no one knows the exploit is there, then who cares? I don’t see the problem in this at all.
If no one knows the exploit is there, then who cares? I don’t see the problem in this at all.
Nobody… until some hacker finds it and begins to exploit it silently. Security through obscurity isn’t much better than no security at all.
Well, just because it isn’t public information, it doesn’t mean that a cracker doesn’t know about it.
This is true both of open and closed source software.
What you are saying can be seen as: if you or I commit a crime, and just because the police don’t know about it, it never happened.
For starters, most of the apps are open source and there are a lot of ‘unofficial’ repositories out there. So, rather than trying to get a virus on a user’s system, why not build one right into the program’s source code, recompile it, and PRESTO – instant gratification once the app is installed.
That’s why you should always check using GPG and download from known repositories. By the way, you can make the same argument with Windows (shareware); IT’S CALLED A TROJAN HORSE.
That’s why you should always check using GPG and download from known repositories.
That’s like telling a Windows user “You should always use Windows Update and don’t open attachments.”
If the security on Linux (or any other OS) is dependent on a user doing what they’re supposed to do, then it is not secure at all. Besides, what the hell is GPG?
By the way, you can make the same argument with Windows (shareware); IT’S CALLED A TROJAN HORSE.
It seems to me that if the app you’re looking for isn’t in your distro’s repository, you get it wherever you can find it. Contrast that with Windows shareware, which you almost always get directly from the vendor. With the sometimes haphazard way in which Linux software is distributed (ie – “Joe’s Apt Shack”), it would seem that there is all kinds of opportunity for abuse. Besides, with Windows closed-source stuff, you don’t have access to the source code, but with open source, you could take an otherwise reputable app and add anything you want to it, including spyware. So in Linux, not only would you need to be conscious of what the app is, but also whose repository you obtained it from.
If no one knows the exploit is there, then who cares? I don’t see the problem in this at all.
Nobody… until some hacker finds it and begins to exploit it silently. Security through obscurity isn’t much better than no security at all.
If the hole is unpatched, what difference does it make? I mean, if you’re not using a firewall (or whatever), you’re pretty much screwed either way.
“if you don’t run a firewall you’re dead”, I hope by firewall you mean a NAT router. The people that need software firewalls the most are the same people that just click yes when the firewall pops up and asks “would you like to let..”. The people that can correctly configure a firewall are many of the same people that don’t really need them. On the topic of NetBIOS on 98, you can just remove Client for Microsoft Networks and disable NetBIOS on 98. After that, you should be able to run netstat -a and get no listening connections. I run NAT on a Cisco router with SPI and various access lists.
The article says there are unfixed holes in e.g. Debian?!? And that Linux takes a long time to patch; well, the latter is untrue in comparison to Windows, so that made me laugh, but the first? Is it true?
Once distros start using this (along with other techniques, of course!), I can see Linux security really starting to outshine that of Windows. They both seem neck and neck these days. But then again, the various new Windows security technologies (like the ones in XP SP2 and Longhorn) could easily bring Windows ahead. Either way, I’m not complaining, as it’s going to benefit everybody.
Why don’t you Google it to find out.
Your argument is old.
CERT® Incident Note IN-2001-06
The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Verification of Downloaded Software
Release Date: June 8, 2001
The CERT/CC has received reports and inquiries regarding the integrity of downloaded software.
Background
When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. One of the threats that users face is that intruders could include malicious code in the software packages distributed by those sites. This code could take the form of Trojan horse programs or backdoors.
There are precautions that users can take when downloading software. There are also ways that software publishers and distributors can provide verification of the authenticity of their software.
Users
We strongly encourage users to verify cryptographic signatures (e.g. PGP) of all downloaded software. Cryptographic signatures provide reasonable assurance that the files have not been modified either on the server or in transit. They also allow for verification of the signer’s identity.
In situations where cryptographic signatures are not provided but some other form of checksum (e.g. MD5 hash) has been included, we encourage users to verify the software against these checksums. Although checksums alone provide no information about when the checksum was generated or who generated it, they do provide some evidence that the files have not been modified. However, it is possible that an intruder could have replaced both the software and checksums. Therefore, when possible, we recommend that users compare the checksums provided by multiple sources, such as mirror sites.
If no signatures or checksums are provided, we recommend that users perform a thorough examination of all downloaded source code before compilation and installation. In the case of binaries where examination is difficult or impossible, users may wish to perform offline testing before installing downloaded binaries into production environments.
Software Publishers & Distributors
We encourage anyone publishing or distributing software to use cryptographic signatures and checksums. Publishers and distributors should generate the signatures and checksums on a non-public machine to reduce the risk of compromised private keys.
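The checksum advice in the CERT note above can be made concrete: a checksum taken from the same server as the download proves nothing if an intruder replaced both, which is why the note recommends comparing checksums from several mirrors. The script below is an added example and is not part of the CERT note or of any distribution’s tooling. The package name, the mirror names and the md5sum/sha256sum-style checksum files are all constructed inline so it runs offline; in real use the downloaded file and the checksum files fetched from each mirror would be substituted.

```python
"""Cross-mirror checksum verification of a downloaded file.

Added example illustrating the CERT/CC advice; the package bytes, mirror
names and checksum files below are constructed for the demo, not real.
"""
import hashlib


def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style output, one '<hexdigest>  <filename>' per line.
    A leading '*' on the filename (binary-mode marker) is dropped; blank,
    comment and malformed lines are ignored rather than trusted.
    Returns {filename: hexdigest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def digest_of(data, algo="sha256"):
    """Hex digest of the downloaded bytes with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def single_source_check(data, filename, checksum_text, algo="sha256"):
    """The naive check: compare the file with the checksum file that came from
    the same server.  It passes even when the intruder replaced both."""
    published = parse_checksum_file(checksum_text).get(filename)
    return published is not None and published == digest_of(data, algo)


def verify_against_mirrors(data, filename, mirrors, algo="sha256", minimum=2):
    """Accept the file only if at least `minimum` mirrors publish a digest for
    it, every mirror agrees, and the file matches.  Returns (ok, reasons)."""
    actual = digest_of(data, algo)
    published = {}
    reasons = []
    for mirror, text in mirrors.items():
        digest = parse_checksum_file(text).get(filename)
        if digest is None:
            reasons.append(f"{mirror}: no checksum entry for {filename}")
        else:
            published[mirror] = digest
    if len(published) < minimum:
        reasons.append(f"only {len(published)} of {minimum} required checksum sources found")
    if len(set(published.values())) > 1:
        reasons.append("mirrors disagree: " + ", ".join(
            f"{m}={d[:12]}..." for m, d in sorted(published.items())))
    mismatched = sorted(m for m, d in published.items() if d != actual)
    if mismatched:
        reasons.append("file does not match checksum from: " + ", ".join(mismatched))
    return (not reasons, reasons)


# Constructed sample data: a hypothetical package and two hypothetical mirrors.
FILENAME = "foo-1.0.tar.gz"
GENUINE = b"int main(void) { return 0; }\n"          # stands in for the real tarball
TROJANED = GENUINE + b"/* backdoor inserted by intruder */\n"  # rebuilt copy on a hacked mirror

MIRROR_A_GENUINE = f"{digest_of(GENUINE)}  {FILENAME}\n"
MIRROR_B_GENUINE = f"{digest_of(GENUINE)}  {FILENAME}\n"
# Compromised mirror A: the intruder replaced the tarball and its checksum file together.
MIRROR_A_COMPROMISED = f"{digest_of(TROJANED)}  {FILENAME}\n"


def demo():
    """Run the three scenarios and return their outcomes keyed by name."""
    return {
        "naive_check_on_compromised_mirror": single_source_check(
            TROJANED, FILENAME, MIRROR_A_COMPROMISED),
        "cross_mirror_genuine": verify_against_mirrors(
            GENUINE, FILENAME, {"mirror-a": MIRROR_A_GENUINE, "mirror-b": MIRROR_B_GENUINE}),
        "cross_mirror_trojaned": verify_against_mirrors(
            TROJANED, FILENAME, {"mirror-a": MIRROR_A_COMPROMISED, "mirror-b": MIRROR_B_GENUINE}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive check accepts the trojaned tarball because the compromised mirror published a matching checksum for it; the cross-mirror check rejects it because the second mirror disagrees. Agreement across mirrors still only shows that the mirrors were not all tampered with; a signature from the publisher’s key, as the note says, is the stronger check.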
As to securing a Linux distro (desktop or server), I warmly recommend Bastille. It is quite easy even for newbies; it helps to close unnecessary services and harden the rest of the system. It also helps to get a good firewall running and, besides everything else, by explaining each step carefully it also offers a very good in-depth guide to security. And all for free, and in an easy-to-understand manner.
Something like SE Linux may be even better for security but it also needs much more work. Too bad that Bastille doesn’t work very well with many distros though.
I’ve heard that the next MS Win XP service pack might offer some centralized security tool to harden the system. Maybe that could offer something similar to Bastille (or other such Linux tools)?
Anyway, there’s a good reason why security-conscious experts usually choose a Unix-style OS like Linux, BSD, Solaris (or even Mac OS X) etc. instead of MS Windows. Basically the Unix style of doing things is just simply much, much better from a security point of view than anything MS Windows has achieved so far.
There will always be huge virus outbreaks on Windows as long as MS continues to strip all of the useful security features out of its “home” editions. All users you create in the beginning at first startup, and later through the accounts box, are automatically administrators. This solves some problems of permissions hassles but none of the others. There is no way to make users Power Users without using the registry in XP Home. And the permissions system in XP Home is absolutely pitiful. It was what drove me to Linux, actually. I was very excited when XP came out, and then I found that you could only get the good security features (IMHO the most useful feature of the XP release) by buying the $300 Pro edition.
Why don’t you Google it to find out.
Actually, the question was rhetorical. What the hell does Joe Sixpack know about md5 signatures? You’re talking about people who double click on anything that promises them nude pics of Jennifer Lopez.
New computer users are very clueless when it comes to the security of their computers. They are also too trusting. So how does a new computer user become educated about security? One step might be software with better interactivity with the user. For example, ZoneAlarm pops up alerts that ask you a question, but the question usually has some very specific and non-informative information. Will a new user know that the Print Spooler does not need access to the internet? Will the new user know to say NO when some computer at 001.001.001.001 tries to access the user’s computer? Or should the new user allow Generic Host to access the internet? When software is interacting with the user, it should provide clear, precise, and informative information. Maybe then the new computer user will be able to learn and understand what to do.
Instead of having software designers think like a three year old why not design better communications into the software.
A comment about MD5s and GPG. Is there some way the software installer could check those signatures automatically? The signatures could have the same filename but a different extension; that way the installer program would download both, then check the software before installing. You will still have to worry about bad people running their own FTP servers and supplying software, but the mainstream sites should be OK to check automatically.
My usual argument:
Try this: connect three PCs to the internet, default install, no patches. One is Windows XP, one is Linux (pick a flavor), and the last is Mac OS X.
Now, get a stopwatch and tell me which PC gets infected the fastest and then try to brute force crack the other two.
Which one survives without surrendering a root/admin login?
The answer may surprise you.. (hint: it sure isn’t Windows!)
If Linux scales to the popularity of Windows right now on the desktop, the fact that it requires root permission to do damage will not help much at all.
The reason: (ignorant) users are the problem! They’re the ones that will install everything just to get the installation process over with, the ones who don’t care about patching/updating, the ones that will happily enter the root password into any prompt they can see (especially if the dialog box/request looks authentic enough).
The solution is to make Linux foolproof. I don’t think Linux is foolproof right now. Linux appears to be more secure because its current user base is more aware of security than the majority of Windows’ user base.
57 days for the average security patch on Debian stable? Um… gee, not in my experience. More like 12 hours or so. If this includes programs that are not patched by their upstream providers, that says nothing about the distros.
Furthermore, you just KNOW that they included every single Debian package. All 16 FTP servers, etc. Microsoft has about 0.5% of the software that Debian stable has.
The fact of the matter is, some programs have massive historical insecurity problems and the distro can do nothing about it. BIND, wu-ftpd… come on.
There is a damn good reason security software does not educate the user: they want to use scare tactics to get them to upgrade to the non-free versions of the software.
Some kiddie scans past a port that was used by a trojan 4 years ago and most firewalls are all up in arms with “Someone is trying to HACK your computer, you are getting hacked! We stopped the hack attack. They almost stole your identity!”
I hate most security software because I have to put up with people’s questions after they read this shit. The only Windows firewall I liked was Tiny Personal Firewall (free).
It doesn’t matter if you use Linux or Windows: if you don’t run a firewall, you’re dead.
I think that goes without saying, although it won’t help much in the case of viruses or trojans. But I agree, a firewall is now practically a prerequisite.
On the other hand, it’s easier to use a firewall like Sygate on Windows than something like iptables on Linux (which was meant for servers anyway, not desktop use).
Well, really the easiest (and in many cases the safest) thing to do is to buy a hardware firewall. But as for using iptables, you do know that there are a number of front-ends for Linux? Personally, I like Firestarter, and find it quite user-friendly.
http://firestarter.sourceforge.net
However, I’d kindly ask you not to start a “Linux is/isn’t ready for the desktop” flamewar.
Re: the article, it’s a very professional and overall unbiased report. It’s also a very… prudent one. Forrester understands that Linux is here to stay and therefore refuses to lean one way or the other.
“Actually, the question was rhetorical. What the hell does Joe Sixpack know about md5 signatures? You’re talking about people who double click on anything that promises them nude pics of Jennifer Lopez.”
Right. And there are easy solutions for that: by default, don’t allow people to execute .exe (or similar .scr, or ELF) files from their email program. However, IMO that’s not mandatory for a distribution such as Debian; I welcome it for the newbie-friendly distributions and I welcome the feature in e-mail programs.
Have you been enlightened about the fact that APT _has_ support for GPG? And that it’ll be mandatory in Debian? Do you really think I am checking all these signatures myself? How about OpenBSD and the ports collection? Sure, we all check that out ourselves…
PS: it is /etc/apt/sources.list not /etc/sources.list
“The solution is to make Linux foolproof.”
I agree, but in theory I think it is impossible to do 100%.
“I don’t think Linux is foolproof right now”
I don’t think foolproof is a proposition, is it? However, if you’d like to use it as a proposition, I welcome that form of bifurcation, though I also suggest you provide various arguments in detail if you wish to walk such a path.
“Linux appears to be more secure because its current user base is more aware of security than the majority of Windows’ user base.”
That implies “Linux” is not as secure as it seems. Can you prove that?
I’d put it like this: (Internet) _society_ is less secure because of a mono-culture of MS Windows and MS Outlook. We need more diversity.
Of course I’d love to see that diversity in the form of FLOSS, that’s no secret. But on this point, any more diversity from proprietary OSes on the desktop I welcome as well. But… there are huge problems in that area.
Unfixed:
Severity: High; Date Reported: September 10, 2003; Estimated Number of Vulnerable Machines: 300 Million*
Severity: High; Date Reported: September 10, 2003; Estimated Number of Vulnerable Machines: 300 Million*
Severity: Low; Date Reported: October 7, 2003; Estimated Number of Vulnerable Machines: 91 Million*
Severity: High; Date Reported: October 8, 2003; Estimated Number of Vulnerable Machines: 248 Million*
Severity: Medium; Date Reported: November 17, 2003; Estimated Number of Vulnerable Machines: 300 Million*
Severity: Medium; Date Reported: November 21, 2003; Estimated Number of Vulnerable Machines: 196 Million*
Some of these are about half a year old!
Details here: http://www.eeye.com/html/Research/Upcoming/index.html
That’s pretty odd; why is no one exploiting them?
How about oopses in the Linux kernel… check Google forums for it…
That’s some stable stuff you got there *LOL*
Dear Mr. Anonymous using Chello in Sweden,
you “state” a vulnerability which is fixed; I state vulnerabilities which aren’t fixed.
Moreover, whether a bug is widely exploited or not is a different comparison from whether one is fixed or not.
Apparently, Microsoft’s manner is to release fixes every month to vulnerabilities which are known and exploited by a large group of people, while it doesn’t care when vulnerabilities are only known to a small group of ethical people (who btw provide enough details to make a “0-day”).
All in all, this seems to be a reasonably unbiased review of security updates. I’m concerned that it may not be a fair comparison, however, as your average (e.g.) Debian install could have many, many, many more packages installed than Win (XP or whatever).
This could have massive effects on these kinds of data, e.g. GNOME vulnerabilities may not affect somebody who only uses Blackbox and so hasn’t installed GNOME…
Moreover, whether a bug is widely exploited or not is a different comparison from whether one is fixed or not.
Apparently, Microsoft’s manner is to release fixes every month to vulnerabilities which are known and exploited by a large group of people, while it doesn’t care when vulnerabilities are only known to a small group of ethical people (who btw provide enough details to make a “0-day”).
How would you know what bugs are available in Linux? How sure can you be? It’s open source; someone might exploit a bug without telling anyone, and whether it gets fixed or not is luck. I mean, MS has paid people to SOLVE this; you depend on someone saying “I do care and want to spend free time”, as most often in the Linux world.
Besides, I think the problem is that Linux, like Windows, is very insecure and needs to be backed up by something serious such as OpenBSD or similar.
How would you know what bugs are available in Linux? etc. Well, no bug can be known, same as with MS, but when a site or two have been hacked then one knows; this is the case and will always be. However, many bugs both in MS and Linux are fixed before they are a hole: e.g. developers in Debian find bugs all the time, mostly buffer overflows, since they do work on the code of the package they are the maintainer of. This fix is then sent back to the “software” maker, and this bug is mostly hidden until the software maker has a patch also. Open means me and you; we could be as good as an MS guy, and there are soooo many more of us in OSS, that’s why open is better. And hackers have access to code, so it’s easier to find holes “faster”, but as more and more are using Linux, these “open holes” have been tightened. As you can see with some software in Linux which had many holes at one time, it doesn’t have any, or not many, now.
The kernel has undergone some major development, and anything that is undergoing so much work will have bugs until stable; that’s why BSD “has a better kernel”: not so many features in it, it’s like Linux in terms of HW support (5 years ago). Leaving for a vacation or I would have written a paper on this.
Darius wrote on 2004-03-31
“…rather than trying to get a virus on a user’s system, why not build one right into the program’s source code, recompile it, and PRESTO – instant gratification once the app is installed.”
Someone tried that a few months ago with the kernel. It didn’t work.