Slashdot Mirror


Viruses and Market Dominance - Myth or Fact?

rocketjam writes "An article at The Register, authored by Scott Granneman of SecurityFocus, examines the conventional wisdom that if Linux or Mac OS X were as popular as Windows, there would be just as many viruses written for those platforms. Mr. Granneman bluntly says this is wrong, then proceeds to detail the fundamental differences between those OS's and Windows which make Windows an easy and inviting target for virus-writers, as opposed to the Unix-based platforms."

22 of 736 comments

  1. Re:What about r00tkits? by BagOBones · Score: 2, Informative

    A virus is self replicating.

    --
    EA David Gardner -"... but the consumers have proven that actually what they want is fun."
  2. Most executables are +w only by root by bersl2 · Score: 4, Informative

    You can't infect a normal system executable from a normal user on a normal UNIX-like system which, IIRC, is how most true viruses work on Windows. There are security holes; but then again, there are security holes in all software.
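The point above is that a normal user's write permissions never reach the system's executables. As an added example (not code from the thread), the script below applies the classic Unix owner/group/other mode-bit check to a constructed directory listing and reports which executables a given unprivileged uid could overwrite; the `FileInfo` records, the sample paths and the uid/gid values are all constructed for the demonstration, and `from_filesystem()` is the adapter you would point at a real `/usr/bin`.

```python
"""Audit which executables a given non-root user could modify.

Added example: implements the Unix discretionary permission check
(owner bits, else group bits, else other bits) and runs it over a
constructed listing so it works offline. Swap SAMPLE for the output of
from_filesystem("/usr/bin") to audit a real directory.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int   # full st_mode, file-type bits included
    uid: int
    gid: int


def writable_by(info: FileInfo, uid: int, gids: Iterable[int]) -> bool:
    """True if (uid, gids) may write `info` according to its mode bits.

    Mirrors the generic non-root permission check: owner bits apply when
    the uid matches, otherwise group bits when any gid matches, otherwise
    the 'other' bits. uid 0 bypasses DAC entirely and is reported writable.
    """
    if uid == 0:
        return True
    if info.uid == uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.gid in set(gids):
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def user_writable_executables(files: Iterable[FileInfo], uid: int,
                              gids: Iterable[int]) -> List[str]:
    """Paths of regular, executable files that the user could overwrite."""
    hits = []
    for f in files:
        if not stat.S_ISREG(f.mode):
            continue                      # skip dirs, symlinks, devices
        if not f.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            continue                      # writable data files are not the concern here
        if writable_by(f, uid, gids):
            hits.append(f.path)
    return sorted(hits)


def from_filesystem(directory: str) -> List[FileInfo]:
    """Real-world adapter: lstat every entry of `directory` (not used by SAMPLE)."""
    out = []
    with os.scandir(directory) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            out.append(FileInfo(e.path, st.st_mode, st.st_uid, st.st_gid))
    return out


# Constructed sample listing: root-owned 0755 binaries, a setuid binary, one
# misconfigured 0777 binary, a group-writable one, a user-owned one, and a
# world-writable file that is not executable.
SAMPLE = [
    FileInfo("/usr/bin/ls",              stat.S_IFREG | 0o755,  0, 0),
    FileInfo("/usr/bin/passwd",          stat.S_IFREG | 0o4755, 0, 0),
    FileInfo("/usr/local/bin/helper",    stat.S_IFREG | 0o777,  0, 0),
    FileInfo("/usr/lib/staffbin/deploy", stat.S_IFREG | 0o775,  0, 50),
    FileInfo("/home/alice/bin/tool",     stat.S_IFREG | 0o755,  1000, 1000),
    FileInfo("/usr/bin/README",          stat.S_IFREG | 0o666,  0, 0),
]

if __name__ == "__main__":
    for p in user_writable_executables(SAMPLE, uid=1000, gids=[1000, 50]):
        print("uid 1000 could replace:", p)
```

Run against the sample, uid 1000 in groups 1000 and 50 can replace only its own `tool`, the group-writable `deploy` and the world-writable `helper`; `ls` and `passwd` are out of reach, which is exactly the property the comment relies on.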

  3. Good conclusion, bad logic by proberts · Score: 2, Informative

    The number of viruses doesn't map directly to "OS is safer." There are lots of factors, like motivation to create malware, and ease of injection that come into play, and ease of injection is an application issue more than it is an OS issue. Small modifications to the most popular mail application on each platform would have more effect (discounting worms) than anything else outside of motivation of malware authors.

    Secondly, the author obviously lacks clue: modern Windows OSes do *not* execute files based on file type; it's a combination of reading the first N bytes of the file and the file type. Rename any .exe to anything else and click on it on a Windows host.

    If you have to go back 4 years to get security bulletin examples, it's because you don't have sufficient information: there are ~30 unpatched IE vulnerabilities that affect IE and Outlook that are public, and another ~20 that aren't. You don't have to go back to 1999 to find examples of why the platform is seriously hosed.

    It's also too bad the author doesn't address rootkits, because it's important to give some overall malware pictures to show that everything isn't rosy on either side of the fence.

    *nix is definitely in a better default state, but it's not the OS that makes that possible (heck, NTFS has filesystem attributes that could likely help). It's too bad someone with a better understanding of the issues didn't write this article; there are too many holes for serious *doze admins to poke in this one to make it worth passing around.

    [Addressing exec-shield and worms would have given a really good argument for Linux, for instance.]

    Paul

    --
    http://www.pauldrobertson.com
  4. Rebuttal linked from newsforge by Eberlin · Score: 2, Informative

    For those interested, there's a rebuttal linked from Newsforge which pretty much summarizes a lot of the points made here.

    Direct link to the article here.

    I do wish I could get a good, clear, Linux-favoring argument on the security level (or any other level for that matter). I really am concerned about personal zealotry and the less I come off as a Penguinoid, the more believable/convincing I would be.

  5. Re:"Normal user" by lhand · Score: 4, Informative

    Keep in mind that your losing all your files is a lot different than hosing the entire system. The virus that affected me (say from doing something silly like running an email attachment) does not affect other users of my system. (My wife and kids use my system too. Their data would remain secure.) Finally the *spread* of the virus would be hampered because the virus could only do what *I* can do, so binding arbitrary ports, hijacking the web server, infecting critical system library components, is just not possible. The virus may still spread, but it is limited as to the infection vectors available to it.

  6. Re:Another reason by Anonymous Coward · Score: 1, Informative

    With both Mac and Linux, there is little or no reason to hate those behind it, and so damage their work. With Windows, this is quite easy.

    Motives behind writing a virus have little or nothing to do with "who do I hate today?" and have everything to do with "whose system can I get into today?". This has become a lot easier in MS systems because of lack of security in some cases, and their programmers attempting to create more functionality in other cases. But either way, just about every virus writer could give a shit whose system they are infiltrating. They would write more viruses for Linux if either A) it existed on only 1 platform, B) more people used it, or C) more stupid people used it.

  7. Re:What about r00tkits? by EvilTwinSkippy · Score: 3, Informative
    There is a BIG difference between a rootkit and a virus. A rootkit is injected manually by a human being AFTER they burrow through an exploit.

    If that is your definition of a virus, you might as well lump NT crack and the windows 2000 installation CD as Viruses.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  8. Re:What about r00tkits? by Anonymous Coward · Score: 1, Informative
    Learn the terminology. A rootkit is just a kit for obtaining (or keeping) "root" on a box. While some virii and worms have functionality like this built-in, rootkits by themselves don't get up and walk across the network from your machine to mine.

    Viruses and worms are closely related, both being code that replicates itself.

    Trojans are nasties that pretend to be something else so you'll run them - most of the Gator utilities, etc. are trojans in my book.

  9. Re:his worst argument... by harlows_monkeys · Score: 2, Informative
    If Linux were to reach the unwashed masses' desktops then most there would either run as root, or have a very simple one-click method to run things as root (ie: to install stuff)

    I doubt it. Why would Linux go that route rather than doing it like OS X, which is essentially Unix for the "unwashed masses"?

  10. Re:Linux Is Getting There, too! by plam · Score: 4, Informative

    I was skeptical, so I used Google to look up said vulnerability. Huh. Good thing I don't use Windows!

  11. Re:What about r00tkits? by jidar · Score: 2, Informative

    A rootkit isn't even marginally similar to the others in that rootkits are run deliberately by a local assailant. They don't propagate by any means and you are never tricked into running them. They really have nothing to do with this topic.

    --
    Sigs are awesome huh?
  12. Re:This seems very naive by Admiral Burrito · Score: 3, Informative
    In order for Linux to become as popular and intuitive [shiver] as Windows, things like "setting execute permissions" need to be automatic. Installing apps should be relatively simple as well.

    An email client is not a program installer. That is what apt/up2date/whatever, and their various GUI front-ends, are for. Those do set execute permissions, among other important functionality (like handling dependencies) that does not belong in an email client.

    OSes will have vulnerabilities. They need to be patched. It ALWAYS comes down to the user.

    Internet Explorer has 31 unpatched vulnerabilities. How does it "come down to the user" to fix those holes when there are no patches available?

  13. Re:MacOS by Chris Johnson · Score: 3, Informative
    MacOS Classic didn't have so much in the way of automated scripting tapping deeply into system tasks. Hell, even AppleScript pretty much needed applications to be written especially to handle scripting events.

    MacOS Classic didn't have so much in the way of auto-execute, auto-run etc. stuff; compare that to Windows. MacOS did copy one feature from Windows: auto-running programs on insertion of a CD, for ease of use. MacOS got a well-known worm, one of the 40 or so that have been recorded in Mac history, called the Autostart worm. There was also a way to stop it: turn off auto-start in the QuickTime control panel. And MacOS didn't go around turning it back on for you, either.

    Most Mac-capable viruses are exclusively Microsoft software viruses for the simple reason that most are Office macro viruses.

    The article author has a point. Leave the OS sitting there like a lump rather than scampering about trying to convince you that it's intelligent and friendly, and you don't get the viruses. Viruses REQUIRE a degree of autonomy from the OS. Even the example of how you could edit login .rc files on Linux takes advantage of a degree of autonomy present in the OS, which auto-runs common programs to save you the trouble. If you logged in and manually typed everything in initrc every time, not even a user-space virus could auto-run, even if you'd run it yourself and infected your Linux box. It requires the autonomy of an OS that's doing trusted stuff.

    Old MacOS has very little of that, and as a result can be incredibly reliable IF you have it in a condition that's not bug-laden: too many extensions and Microsoft programs that run OS-level support code at all times, and you're hosed.

    Even then, the coding culture of old MacOS was to let the user totally run the show. Not so many labor-saving devices, not so many vectors for hostile code to work. It's that simple.

  14. Re:Not all but more by JoeBuck · Score: 3, Informative

    The good folks at Red Hat have come up with a cool way to avoid some of the problems of monoculture in GNU/Linux: position independent executables. Addresses of code segments can be randomized at load time by the dynamic linker. The result is that common techniques for writing buffer overflow exploits no longer work, because every executable on every server is different. You can no longer insert code into a buffer whose length is not checked and then override the return address to point to it, because you don't know what return address to use. Worms can't spread if this technique is used.

    While this technique still doesn't stop people from exploiting cross-site scripting bugs, it's progress.
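A position-independent executable is linked as `ET_DYN` rather than `ET_EXEC`, which is what allows the loader to pick a random base address. As an added example (not code from the thread or from Red Hat), the script below reads just the ELF header and reports which kind a binary is; the constructed headers built by `make_header()` stand in for real files so it runs offline. Two caveats the check does not cover: shared libraries are also `ET_DYN`, so on real files pair this with a `PT_INTERP` program-header check, and relocatability only pays off when the kernel's address-space randomization is actually switched on.

```python
"""Report whether an ELF binary was linked position-independent (ET_DYN).

Added example. Only the 64-byte ELF header is inspected: e_ident tells us
the byte order, e_type at offset 16 tells us EXEC (2) versus DYN (3).
Handles ELF32 and ELF64 in either endianness.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62   # used only when constructing sample headers


def elf_type(header: bytes) -> int:
    """Return e_type from an ELF header, raising ValueError if it is not ELF."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    endian = {1: "<", 2: ">"}.get(header[5])       # EI_DATA: 1 = LSB, 2 = MSB
    if endian is None:
        raise ValueError("unknown EI_DATA value %d" % header[5])
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return e_type


def is_pie(header: bytes) -> bool:
    """True when the binary can be relocated at load time (ET_DYN)."""
    return elf_type(header) == ET_DYN


def classify(header: bytes) -> str:
    """Human-readable verdict; never raises so it can run over arbitrary files."""
    try:
        t = elf_type(header)
    except ValueError:
        return "not an ELF file"
    return {
        ET_EXEC: "fixed-address executable (ET_EXEC)",
        ET_DYN: "position-independent (ET_DYN)",
    }.get(t, "other ELF object (e_type=%d)" % t)


def check_file(path: str) -> str:
    """Classify a real file on disk, e.g. check_file('/bin/ls') on Linux."""
    with open(path, "rb") as f:
        return classify(f.read(64))


def make_header(e_type: int, ei_class: int = 2, ei_data: int = 1) -> bytes:
    """Build a minimal constructed ELF header for offline testing."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8   # 16 bytes
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, then zero-fill the rest of a 64-byte ELF64 header
    return ident + struct.pack(endian + "HH", e_type, EM_X86_64) + b"\x00" * 44


# Constructed samples: a fixed-address binary, a PIE, and a big-endian PIE.
SAMPLE_EXEC = make_header(ET_EXEC)
SAMPLE_PIE = make_header(ET_DYN)
SAMPLE_BIG_ENDIAN_PIE = make_header(ET_DYN, ei_data=2)
SAMPLE_NOT_ELF = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for name, hdr in [("exec", SAMPLE_EXEC), ("pie", SAMPLE_PIE),
                      ("be-pie", SAMPLE_BIG_ENDIAN_PIE), ("dos", SAMPLE_NOT_ELF)]:
        print(name, "->", classify(hdr))
```

On a live system, `check_file()` over the contents of a bin directory is a quick inventory of which programs still have fixed load addresses and therefore gain nothing from the randomization the comment describes.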

  15. Interesting rebuttal by geekee · Score: 3, Informative

    Here's an interesting rebuttal. The 1st line is "The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware."

    --
    Vote for Pedro
  16. If you can't tell the difference, you'll be owned. by Population · Score: 4, Informative

    They are very different beasties and they are handled in very different ways.

    A worm is handled by keeping your patches up to date and by NOT RUNNING ANYTHING YOU DON'T NEED.

    A virus is handled by NOT RUNNING AS ROOT.

    A trojan is handled by EDUCATION.

    Microsoft has made the spread of trojans and viruses very easy by automatically running code. Sometimes without the user even knowing that the code has been executed.

    A rootkit usually uses an exploit in a running process to install itself. In this fashion, it is similar to a worm. But it does not automatically spread itself to other machines.

    Or it could be a hacked version of ls that is executed because someone was dumb enough to have . in their path. In which case it is similar to a trojan.

    Different terms to reflect different attacks that are defeated in different ways.

    All the patching in the world will not stop a trojan.

    The best security on your email program will not matter if you're running a vulnerable version of sendmail.

    Only run what you need to run.
    Run with the minimum rights necessary.
    Don't run unknown code.
    Keep your patches current.
    Run tripwire or something similar.
    Review your logs.
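The "hacked version of ls" case above works because a PATH containing `.` (or an empty field, which the shell also treats as the current directory) is searched before the real system directories. As an added example (not code from the thread), the script below audits a PATH string for such entries and resolves a command name in PATH order against a constructed directory map, so it shows which file would actually run from a given working directory; the `FS` mapping and the PATH strings are constructed for the demonstration, and `system_dirs` is a parameter you would adjust to your own layout.

```python
"""Audit PATH for entries that let a planted binary shadow a system one.

Added example. Part one flags risky PATH entries ('.', empty fields,
relative paths). Part two resolves a command the way a POSIX shell does
so the effect of those entries is visible; directory contents come from
a constructed mapping rather than the real filesystem.
"""
import posixpath
from typing import Dict, Iterable, List, Optional

# Constructed filesystem: absolute directory -> executables present in it.
FS: Dict[str, Iterable[str]] = {
    "/bin": {"ls", "cat", "sh"},
    "/usr/bin": {"vim", "ls"},
    "/tmp/shared": {"ls", "notes.txt"},   # shared scratch dir holding a planted 'ls'
    "/home/alice/bin": {"tool"},
}
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"
RISKY_PATH = ".:/usr/bin:/bin:"          # leading '.' and a trailing empty field


def risky_path_entries(path: str) -> List[str]:
    """Return findings for a PATH string, in PATH order."""
    findings = []
    for i, entry in enumerate(path.split(":")):
        if entry == "":
            findings.append(f"entry {i}: empty field (searched as the current directory)")
        elif entry == ".":
            findings.append(f"entry {i}: '.' (current directory searched)")
        elif not entry.startswith("/"):
            findings.append(f"entry {i}: relative path {entry!r} (depends on cwd)")
    return findings


def resolve_command(name: str, path: str, cwd: str,
                    dirs: Dict[str, Iterable[str]]) -> Optional[str]:
    """Full path a shell would execute for `name`, or None if not found.

    Names containing '/' bypass PATH. Empty and relative entries are
    resolved against `cwd`, which is the mechanism behind the planted-ls case.
    """
    if "/" in name:
        return name
    for entry in path.split(":"):
        if entry.startswith("/"):
            directory = entry
        else:
            directory = posixpath.normpath(posixpath.join(cwd, entry or "."))
        if name in dirs.get(directory, ()):
            return posixpath.join(directory, name)
    return None


def shadowed_commands(path: str, cwd: str, dirs: Dict[str, Iterable[str]],
                      system_dirs: Iterable[str] = ("/bin", "/usr/bin")) -> Dict[str, str]:
    """System-directory commands that PATH order would resolve somewhere else."""
    system_dirs = tuple(system_dirs)
    shadowed = {}
    for sd in system_dirs:
        for name in dirs.get(sd, ()):
            chosen = resolve_command(name, path, cwd, dirs)
            if chosen is not None and posixpath.dirname(chosen) not in system_dirs:
                shadowed[name] = chosen
    return shadowed


if __name__ == "__main__":
    for finding in risky_path_entries(RISKY_PATH):
        print("PATH:", finding)
    print("ls from /tmp/shared with risky PATH ->",
          resolve_command("ls", RISKY_PATH, "/tmp/shared", FS))
    print("shadowed:", shadowed_commands(RISKY_PATH, "/tmp/shared", FS))
```

With the risky PATH and a working directory of `/tmp/shared`, `ls` resolves to `/tmp/shared/ls` instead of `/usr/bin/ls`; with the safe PATH the same call resolves to the system copy regardless of where the user happens to be.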

  17. Enabling root? by ProfessionalCookie · Score: 2, Informative

    Enabling root is totally non-trivial.

    Applications/Utilities/NetInfo Manager:
    Security >> Enable Root User

    Didn't even have to touch the command line or restart or anything. But for the most part you're right about it not being necessary.

    In addition... I like the idea of having a pure System directory. For those of you who don't know, as a programmer you never have to touch the System directory in OS X save kernel extensions.

  18. Re:What about r00tkits? by Idarubicin · Score: 2, Informative
    Personally, I consider viruses, worms and trojans to all fall into the same genus. The differences between the three aren't too important and blurry anyways. They are all hostile code that can affect any system.

    Hrm. That sounds a little like saying that it's not important for the lay public to know the differences between real (biological) viruses and bacteria--they're both hostile organisms that make us sick, right?

    All well and good until you have people with rhinoviruses going to the doctor and demanding antibiotics.

    Sure, simplify the details--most people don't need to know every little thing about the mechanisms by which hostile code operates. Still, it is very important for even novice computer users to understand the various ways that their otherwise very vulnerable Windows boxes can be compromised.

    --
    ~Idarubicin
  19. Re:Unix-based ... by maraist · Score: 2, Informative

    Actually Linus implemented clone() instead. Please learn.

    POSIX is an API. When we say "UNIX" we generally refer to the POSIX API. An API's whole point is to abstract the particulars of an implementation. For example, Perl actually implements fork on Windows through the use of independent interpreters running in a threaded environment. Java also is an API which facilitates things like graphics and asynchronous file access (strangely similar to UNIX IO selection btw).

    To say that GNU's Not Unix with a straight face is to miss the point.

    Likewise is to differentiate the implementation details of clone vs. the front-end API "fork". "clone" is only significant because it allows the kernel to have a single entry point to handle process creation, both threading and forking, differentiated only by a memory mapping flag. Is it any less significant that some primitive implementations of POSIX concepts delegate inter-process pipes as physical temporary files?

    Granted, lack of full POSIX compliance exists in things such as signal delivery to threads. But it's rare to find a fully POSIX compliant OS.

    --
    -Michael
  20. Re:Missing the point entirely by Trepalium · Score: 2, Informative
    How is this the fault of Windows? Every single application that Microsoft releases works with restricted logins, and that is not by accident.

    Actually, that's not true. Just about every office application MS releases works as a limited user, but Microsoft has a long list of games that do not work, and several Microsoft published games are listed. Age of Mythology, Asheron's Call, and Microsoft Flight Simulator 2002 to name just a few are part of this list. There's even some non-game software in there that Microsoft creates, such as Microsoft Money 2003 and Works Suite 2001/Picture It Publishing 2001.

    In my opinion, it should force you to add a restricted user account during installation. (But note that most linux distributions do not force you to do this either...)

    More Linux distributions are forcing you to create one, or just tell you that you're stupid not to add one. However, in regards to WinXP, I'd go one step further, and say that the user it prompts you to create should be made a limited user by default, and to encourage the use of runas to do system maintenance. Unfortunately, then we run into another problem. People will forget the administrator password.

    --
    I used up all my sick days, so I'm calling in dead.
  21. Re:What about r00tkits? by hughk · Score: 2, Informative
    You on the other hand have been socially engineered by Linux zealots to think that people who don't want to spend 38 consecutive hours to get their system up and working are idiots.

    Time to install RH 9.0 Linux with Apache, SQL and development tools and patch to date: 3 hrs. Time to install Windows 2K Server + IIS, MS-SQL Server and IIS and patch up to date. One day minimum and the process of patching isn't so automated (lots of separate downloads).

    'nuff said?

    Oh, and up2date at least uses signatures. The apt-get repositories often do not. Btw, I *have* installed quite a lot on Win with very restricted rights. What is this administrator or power-user? You only need this if you need to update system binaries or registry keys.

    --
    See my journal, I write things there
  22. Re:Unix-based ... by Dashing Leech · Score: 2, Informative

    True, but then Linux is not even an operating system, it's the kernel. The entire operating system is really GNU/Linux (or maybe not). Clear as mud?