Slashdot Mirror


Viruses and Market Dominance - Myth or Fact?

rocketjam writes "An article at The Register, authored by Scott Granneman of SecurityFocus, examines the conventional wisdom that if Linux or Mac OS X were as popular as Windows, there would be just as many viruses written for those platforms. Mr. Granneman bluntly says this is wrong, then proceeds to detail the fundamental differences between those OS's and Windows which make Windows an easy and inviting target for virus-writers, as opposed to the Unix-based platforms."

9 of 736 comments

  1. Most executables are +w only by root by bersl2 · Score: 4, Informative

    You can't infect a normal system executable from a normal user on a normal UNIX-like system which, IIRC, is how most true viruses work on Windows. There are security holes; but then again, there are security holes in all software.

  2. Re:"Normal user" by lhand · Score: 4, Informative

    Keep in mind that you losing all your files is a lot different than hosing the entire system. The virus that affected me (say from doing something silly like running an email attachment) does not affect other users of my system. (My wife and kids use my system too. Their data would remain secure.) Finally the *spread* of the virus would be hampered because the virus could only do what *I* can do, so binding arbitrary ports, hijacking the web server, infecting critical system library components, is just not possible. The virus may still spread, but it is limited as to the infection vectors available to it.
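    The two comments above rest on one concrete property: the binaries a non-root user runs must not be writable by that user. Here is an added example, not from the thread, that checks that property on a live system. It walks every directory in PATH and reports entries whose mode has the group- or other-write bit set, testing the mode bits directly rather than with `test -w` (which always succeeds when run as root). It assumes POSIX sh with a find(1) that accepts -maxdepth, which GNU and BSD find both do.

```sh
#!/bin/sh
# Added example (not from the thread): report PATH entries that a non-root
# user could overwrite, i.e. the "infect a system executable" vector the
# comments above say a normal UNIX permission setup closes.
# Assumes POSIX sh; find -maxdepth is GNU/BSD, not strictly POSIX.

# Print entries directly under directory $1 (the directory itself included)
# whose mode has the group-write (020) or other-write (002) bit set. Symlinks
# are skipped because their own mode bits mean nothing. Returns 0 when
# nothing writable was found, 1 otherwise.
find_loose_perms() {
    dir=$1
    [ -d "$dir" ] || return 0      # a missing PATH entry is a different problem
    loose=$(find "$dir" -maxdepth 1 ! -type l \
                 \( -perm -002 -o -perm -020 \) 2>/dev/null || true)
    [ -z "$loose" ] && return 0
    printf '%s\n' "$loose"
    return 1
}

# Split a PATH-style list ($1, default $PATH) on ':' and audit each directory.
# Returns 0 if every directory and everything directly inside it is safe from
# non-root writes, 1 if anything was reported.
audit_path_dirs() {
    pathlist=${1:-$PATH}
    status=0
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while we split on ':'
    for d in $pathlist; do
        IFS=$old_ifs
        find_loose_perms "$d" || status=1
    done
    set +f
    IFS=$old_ifs
    return $status
}

# Usage: audit the PATH of the shell running this script.
if audit_path_dirs; then
    echo "PATH: no group- or world-writable entries"
else
    echo "PATH: the entries above can be modified by a non-root user"
fi
```

    A group-writable hit is a finding to triage rather than an automatic failure: some distributions deliberately make /usr/local/bin writable by an admin group, which is exactly the kind of exception that widens the vector the comments describe. A world-writable directory in PATH is always a failure, since anyone can drop a binary there.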

  3. Re:What about r00tkits? by EvilTwinSkippy · Score: 3, Informative
    There is a BIG difference between a rootkit and a virus. A rootkit is injected manually by a human being AFTER they burrow through an exploit.

    If that is your definition of a virus, you might as well lump NT crack and the windows 2000 installation CD as Viruses.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  4. Re:Linux Is Getting There, too! by plam · Score: 4, Informative

    I was skeptical, so I used Google to look up said vulnerability. Huh. Good thing I don't use Windows!

  5. Re:This seems very naive by Admiral Burrito · Score: 3, Informative
    In order for Linux to become as popular and intuitive [shiver] as Windows, things like "setting execute permissions" need to be automatic. Installing apps should be relatively simple as well.

    An email client is not a program installer. That is what apt/up2date/whatever, and their various GUI front-ends, are for. Those do set execute permissions, among other important functionality (like handling dependencies) that does not belong in an email client.

    OSes will have vulnerabilities. They need to be patched. It ALWAYS comes down to the user.

    Internet Explorer has 31 unpatched vulnerabilities. How does it "come down to the user" to fix those holes when there are no patches available?

  6. Re:MacOS by Chris Johnson · Score: 3, Informative
    MacOS Classic didn't have so much in the way of automated scripting tapping deeply into system tasks. Hell, even Applescript pretty much needed applications to be written especially to handle scripting events.

    MacOS Classic didn't have so much in the way of auto-execute, auto-run etc. stuff; compare that to Windows. MacOS did copy one feature from Windows: auto-running programs on insertion of a CD, for ease of use. MacOS got a well-known worm, one of the 40 or so that have been recorded in Mac history, called the Autostart worm. There was also a way to stop it: turn off auto-start in the QuickTime control panel. And MacOS didn't go around turning it back on for you, either.

    Most Mac-capable viruses are exclusively Microsoft software viruses for the simple reason that most are Office macro viruses.

    The article author has a point. Leave the OS sitting there like a lump rather than scampering about trying to convince you that it's intelligent and friendly, and you don't get the viruses. Viruses REQUIRE a degree of autonomy from the OS. Even the example of how you could edit login .rc files on Linux takes advantage of a degree of autonomy present in the OS, that auto-runs common programs to save you the trouble. If you logged in and manually typed everything in initrc every time, not even a user-space virus could auto-run, even if you'd run it yourself and infected your linux box. It requires the autonomy of an OS that's doing trusted stuff.

    Old MacOS has very little of that, and as a result can be incredibly reliable IF you have it in a condition that's not bug-laden: too many extensions and microsoft programs that run OS-level support code at all times, and you're hosed.

    Even then, the coding culture of old MacOS was to let the user totally run the show. Not so many labor-saving devices, not so many vectors for hostile code to work. It's that simple.

  7. Re:Not all but more by JoeBuck · Score: 3, Informative

    The good folks at Red Hat have come up with a cool way to avoid some of the problems of monoculture in GNU/Linux: position-independent executables. Addresses of code segments can be randomized at load time by the dynamic linker. The result is that common techniques for writing buffer overflow exploits no longer work, because every executable on every server is different. You can no longer insert code into a buffer whose length is not checked and then override the return address to point to it, because you don't know what return address to use. Worms can't spread if this technique is used.

    While this technique still doesn't stop people from exploiting cross-site scripting bugs, it's progress.
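    Whether a given binary actually got the protection the comment describes is visible in its ELF header: a position-independent executable is linked with type ET_DYN (3) instead of ET_EXEC (2), and only an ET_DYN image can be placed at a random base by the loader. The following is an added example, not code from the article or the thread, that reads that field with od(1) so it works on a minimal system without readelf or file. It assumes POSIX sh and od; the paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): classify an ELF file as ET_EXEC
# (fixed load address) or ET_DYN (PIE or shared object, relocatable to a
# random base) by reading the header directly. Assumes POSIX sh + od(1).
#
# ELF header fields used here:
#   bytes 0-3    magic 7f 45 4c 46 ("\177ELF")
#   byte  5      EI_DATA: 1 = little-endian, 2 = big-endian
#   bytes 16-17  e_type, in the byte order given by EI_DATA

# Print ET_EXEC, ET_DYN or other(N) for file $1. Prints not-elf or truncated
# and returns 1 when the file cannot be classified.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    data=$(od -An -tu1 -j5 -N1 "$f" 2>/dev/null | tr -d ' \n')
    set -- $(od -An -tu1 -j16 -N2 "$f" 2>/dev/null)   # $1 = byte 16, $2 = byte 17
    if [ $# -ne 2 ]; then
        echo "truncated"
        return 1
    fi
    if [ "$data" = "2" ]; then
        etype=$(( $1 * 256 + $2 ))                      # big-endian
    else
        etype=$(( $2 * 256 + $1 ))                      # little-endian (x86, arm, riscv)
    fi
    case $etype in
        2) echo "ET_EXEC" ;;
        3) echo "ET_DYN" ;;
        *) echo "other($etype)" ;;
    esac
}

# Return 0 if $1 is a PIE (or shared object), 1 otherwise.
is_pie() {
    [ "$(elf_type "$1")" = "ET_DYN" ]
}

# Usage: sh elf_type.sh /bin/ls /usr/local/bin/myserver   (placeholder paths)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(elf_type "$f" || true)"
done
```

    ET_DYN is necessary but not sufficient: the base is only randomised when the kernel's ASLR is enabled (on Linux, /proc/sys/kernel/randomize_va_space set to 2), and a PIE still shares its libraries' layout with every other process if those libraries are loaded at a fixed address. Conversely an ET_EXEC binary, which gcc produces with -no-pie, is exactly the fixed-layout case the comment's return-address attack needs.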

  8. Interesting rebuttal by geekee · Score: 3, Informative

    Here's an interesting rebuttal. The 1st line is "The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware."

    --
    Vote for Pedro
  9. If you can't tell the difference, you'll be owned. by Population · Score: 4, Informative

    They are very different beasties and they are handled in very different ways.

    A worm is handled by keeping your patches up to date and by NOT RUNNING ANYTHING YOU DON'T NEED.

    A virus is handled by NOT RUNNING AS ROOT.

    A trojan is handled by EDUCATION.

    Microsoft has made the spread of trojans and viruses very easy by automatically running code. Sometimes without the user even knowing that the code has been executed.

    A rootkit usually uses an exploit in a running process to install itself. In this fashion, it is similar to a worm. But it does not automatically spread itself to other machines.

    Or it could be a hacked version of ls that is executed because someone was dumb enough to have . in their path. In which case it is similar to a trojan.

    Different terms to reflect different attacks that are defeated in different ways.

    All the patching in the world will not stop a trojan.

    The best security on your email program will not matter if you're running a vulnerable version of sendmail.

    Only run what you need to run.
    Run with the minimum rights necessary.
    Don't run unknown code.
    Keep your patches current.
    Run tripwire or something similar.
    Review your logs.
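    Two of the items in the list above can be turned directly into checks. Here is an added example, not code from the thread: `check_path` catches the "." (or empty, or relative) PATH entry behind the trojaned-ls scenario the comment describes, and `baseline_dir`/`verify_dir` are a minimal tripwire-style integrity check that records SHA-256 digests of a directory and later reports anything modified, added or removed. It assumes POSIX sh plus sha256sum (GNU coreutils) or shasum (BSD/macOS); the directory and file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): two checklist items as runnable
# checks. Assumes POSIX sh plus sha256sum (GNU) or shasum (BSD/macOS).
# Paths in the usage comment at the bottom are placeholders.

# Return 0 if every PATH entry is an absolute directory, 1 otherwise.
# "." and an empty entry both mean "the current directory", which is how a
# ./ls dropped in a shared directory gets run instead of /bin/ls.
check_path() {
    pathlist=${1:-$PATH}
    bad=0
    case ":$pathlist:" in
        *::*) echo "PATH: empty entry (searches the current directory)"; bad=1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while we split on ':'
    for entry in $pathlist; do
        case $entry in
            /*) ;;                  # absolute, fine
            '') ;;                  # already reported above
            *)  printf 'PATH: relative entry "%s"\n' "$entry"; bad=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $bad
}

# Whichever SHA-256 tool is installed; both print "<hex>  <path>".
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# Write one "<hex>  <path>" line per regular file under $1 to $2, sorted so
# that two snapshots can be compared line by line with comm(1).
baseline_dir() {
    dir=$1
    out=$2
    find "$dir" -type f | while IFS= read -r f; do
        $(sha256_cmd) "$f"
    done | LC_ALL=C sort > "$out"
}

# Re-scan $1 and compare with baseline $2. Prints the differing lines and
# returns 1 if any file was modified, added or removed; returns 0 if clean.
# A modified file shows up once on each side (old digest / new digest).
verify_dir() {
    dir=$1
    base=$2
    now=$(mktemp)
    baseline_dir "$dir" "$now"
    if cmp -s "$base" "$now"; then
        rm -f "$now"
        return 0
    fi
    LC_ALL=C comm -23 "$base" "$now" | sed 's/^/baseline only: /'   # removed or changed
    LC_ALL=C comm -13 "$base" "$now" | sed 's/^/current only:  /'   # added or changed
    rm -f "$now"
    return 1
}

# Usage (placeholder paths):
#   baseline_dir /usr/local/bin /var/lib/integrity/usr-local-bin.sha256
#   ...later, from cron...
#   verify_dir /usr/local/bin /var/lib/integrity/usr-local-bin.sha256 || alert
if check_path; then
    echo "PATH: all entries absolute"
fi
```

    The baseline only means something if the attacker cannot rewrite it along with the binary, so keep it on read-only media or on another host, and take it from a known-good install rather than from a machine that may already be compromised.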