Posted by Virus Bulletin on Oct 6, 2003
Pete Sergeant responds to an article by a SecurityFocus columnist, which hints that Linux users really don't need to worry about viruses.
Regarding Linux vs. Windows Viruses:
The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware.
That SecurityFocus would choose to publish a column designed to perpetuate this myth is a little disappointing, but there you go. What follows is a brief rebuttal of the article.
"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."
Simply untrue. According to F-Secure, the bot-net created by Linux/Slammer reached around 14,000 machines. Compared to the number of infections caused by some Windows worms, this may seem quite small, but this number is by no means trivial. 14,000 machines focused in a DDoS attack against the root name-servers would easily render the net unusable for a majority of Internet users. The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck.
"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"
The fact that the author draws attention to this is mildly surprising when he later points out that Mozilla Mail uses Gecko to render HTML email - like all software, Gecko (Mozilla's HTML renderer) has also had its fair share of vulnerabilities which could conceivably be exploited for similar results. Then there were the buffer overflows in mutt, pine and Kmail... Furthermore, the vulnerabilities in Outlook and IE all had patches or work-arounds available for them before exploits for them were included in viruses. The problem here lies with the wetware.
Of course, this doesn't even begin to touch on the whole host of other prevalent open-source projects that have had vulnerabilities, exploitable when a user performs an 'innocuous' action, like the widely installed mpg123, which could be exploited to execute arbitrary code when a user '[did] something as innocuous as' play an mp3.
"Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."
It wouldn't be sticking one's neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client due to user-demand. As well noted, software makers aim to give users a hard-work-free environment - to suggest that software developers won't follow suit on Linux is wonderfully disproved by Lindows, as mentioned by the author of the original column.
"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system."
This is by far my favourite piece of blindly-repeated propaganda. What's important to users is data. Reinstalling system binaries is as simple as sticking in the CD the system was installed from. Recovering data that hasn't been backed up (and even fewer people make hourly backups than the tiny number of people who actually make nightly backups) is near impossible. The damage caused to your company's reputation when your Apache process starts returning '0wN3D by 1337-H4x0R virII' or viral messages originating from inside your network can be potentially devastating - why do you think the WildList carries a number of anonymous corporate reporters?
"Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior."
I can't be the only person who, the first time I installed Linux and had little thought for security, decided I would login as root and stay that way. I can't be the only person who knows dozens of people who have 'sudo' set up to not prompt for a password. And I certainly can't be the only person who reads that, and whose mind turns to sendmail, an exceptionally buggy, insecure and widely-installed UNIX daemon that runs as root.
Wetware is always the weakest link, and both Linux and Windows give wetware enough rope to hang itself. Suggesting that one marginally more 'secure by design' system will stop users from not patching, and not clicking on executables is absurd - propagating the misplaced sense of security many Linux users seem to have is positively criminal.
It's worth mentioning that it doesn't have to be like this. Linux does have an advantage in that it's open-source. However, the security advantages rendered by open-source software are only realized when projects such as OpenBSD use this to their advantage, and perform on-going, pre-emptive security audits of code, and strive for best-practice secure computing. As is all too well demonstrated by Microsoft, as complexity increases, so too does security inevitably become more complicated. By far the best course of action for preventing virus damage is the education of users, not mindless advocacy about how great your operating system is.
Pete Sergeant.
Posted on 06 October 2003 by Virus Bulletin