Linux vs. Windows viruses: a rebuttal

Posted by   Virus Bulletin on   Oct 6, 2003

Pete Sergeant responds to an article by a SecurityFocus columnist, which hints that Linux users really don't need to worry about viruses.

Regarding Linux vs. Windows Viruses:

The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware.

That SecurityFocus would choose to publish a column designed to perpetuate this myth is a little disappointing, but there you go. What follows is a brief rebuttal of the article.

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Simply untrue. According to F-Secure, the bot-net created by Linux/Slammer reached around 14,000 machines. Compared to the number of infections caused by some Windows worms, this may seem quite small, but this number is by no means trivial. 14,000 machines focused in a DDoS attack against the root name-servers would easily render the net unusable for a majority of Internet users. The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck.

"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"

The fact that the author draws attention to this is mildly surprising when he later points out that Mozilla Mail uses Gecko to render HTML email - like all software, Gecko (Mozilla's HTML renderer) has also had its fair share of vulnerabilities which could conceivably be exploited for similar results. Then there were the buffer overflows in mutt, pine and Kmail... Furthermore, the vulnerabilities in Outlook and IE all had patches or work-arounds available for them before exploits for them were included in viruses. The problem here lies with the wetware.

Of course, this doesn't even begin to touch on the whole host of other prevalent open-source projects that have had vulnerabilities, exploitable when a user performs an 'innocuous' action, like the widely installed mpg123, which could be exploited to execute arbitrary code when a user '[did] something as innocuous as' play an mp3.

"Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."

It wouldn't be sticking one's neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client due to user-demand. As well noted, software makers aim to give users a hard-work-free environment - to suggest that software developers won't follow suit on Linux is wonderfully disproved by Lindows, as mentioned by the author of the original column.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system."

This is by far my favourite piece of blindly-repeated propaganda. What's important to users is data. Reinstalling system binaries is as simple as sticking in the CD the system was installed from. Recovering data that hasn't been backed up (and even fewer people make hourly backups than the tiny number of people who actually make nightly backups) is near impossible. The damage caused to your company's reputation when your Apache process starts returning '0wN3D by 1337-H4x0R virII' or viral messages originating from inside your network can be potentially devastating - why do you think the WildList carries a number of anonymous corporate reporters?

"Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior."

I can't be the only person who, the first time I installed Linux and had little thought for security, decided I would login as root and stay that way. I can't be the only person who knows dozens of people who have 'sudo' set up to not prompt for a password. And I certainly can't be the only person who reads that, and whose mind turns to sendmail, an exceptionally buggy, insecure and widely-installed UNIX daemon that runs as root.

Wetware is always the weakest link, and both Linux and Windows give wetware enough rope to hang itself. Suggesting that one marginally more 'secure by design' system will stop users from not patching, and not clicking on executables is absurd - propagating the misplaced sense of security many Linux users seem to have is positively criminal.

It's worth mentioning that it doesn't have to be like this. Linux does have an advantage in that it's open-source. However, the security advantages rendered by open-source software are only realized when projects such as OpenBSD use this to their advantage, and perform on-going, pre-emptive security audits of code, and strive for best-practice secure computing. As is all too well demonstrated by Microsoft, as complexity increases, so too does security inevitably become more complicated. By far the best course of action for preventing virus damage is the education of users, not mindless advocacy about how great your operating system is.

Pete Sergeant.

Posted on 06 October 2003 by Virus Bulletin

 Tags

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.