RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
Ford said the difficulty with comparing operating systems is that it's often an apples and oranges comparison, and that "raw vulnerability counts really don't give you a good picture," although they can't be discounted entirely. Besides, argued Ford, even if Linux has more overall vulnerabilities, these vulnerabilities have traditionally been less severe than those affecting Windows. He defined severity as consequence plus ease of exploitation. "Every time Windows gets a vulnerability, someone immediately writes a rootkit or a worm," said Ford. Linux, in contrast, has fewer critical issues, he added.
Posted Apr 10, 2008 17:51 UTC (Thu)
by rmunn (guest, #40618)
(13 responses)
"Every time Windows gets a vulnerability, someone immediately writes a rootkit or a worm," said Ford. Perhaps, but that's just a consequence of popularity. Were the popularity numbers reversed, with Linux at 90% of the market and Windows at 10% (making up numbers out of thin air, of course, for simplicity's sake), then the black hats would immediately jump on Linux vulnerabilities, while Windows holes would remain unexploited for longer. It's possible that Ford was being badly quoted here, and that the "ease of exploitation" he was talking about was how easy it is to turn a remote hole into a full-fledged takeover of the administrator account. There, Windows (pre-Vista) suffers from the "run as a privileged user all the time" problem -- sure, you can create limited-access accounts in XP, but it's not the default. Whereas in Linux, it is the default. I've heard that Vista attempts to fix this, so that you have to type in your password to gain admin privileges even temporarily, but I have no personal experience with Vista so I don't know how and/or whether this can be subverted by a clever exploit writer. At any rate, the number of exploits written is purely tied to popularity. While that number can be used to judge which systems are more urgent to patch RIGHT NOW, it would be a mistake to use that number to judge which systems are inherently more vulnerable.
Posted Apr 10, 2008 18:20 UTC (Thu)
by danielpf (guest, #4723)
Posted Apr 10, 2008 18:23 UTC (Thu)
by tzafrir (subscriber, #11501)
(2 responses)
Posted Apr 11, 2008 2:00 UTC (Fri)
by midg3t (guest, #30998)
(1 response)
This is an often overlooked part of Linux security - having a central repository from which to automatically get security updates for all applications. There's no technical reason why third-party apps can't be made available through the repository system, too.
Posted Apr 11, 2008 3:17 UTC (Fri)
by nevyn (guest, #33129)
Posted Apr 10, 2008 18:38 UTC (Thu)
by Requiem (guest, #51519)
(1 response)
Posted Apr 10, 2008 22:49 UTC (Thu)
by drag (guest, #31333)
Posted Apr 10, 2008 20:24 UTC (Thu)
by dmarti (subscriber, #11625)
(2 responses)
Posted Apr 12, 2008 16:07 UTC (Sat)
by Richard_J_Neill (subscriber, #23093)
(1 response)
Posted Apr 14, 2008 22:44 UTC (Mon)
by phiggins (subscriber, #5605)
Posted Apr 10, 2008 21:59 UTC (Thu)
by sbergman27 (guest, #10767)
(1 response)
Posted Apr 13, 2008 3:08 UTC (Sun)
by rmunn (guest, #40618)
"If Microsoft turned into a pumpkin at midnight tonight, there is not a chance that *any* one OS would obtain such a level of dominance and generate another such monoculture. Not Linux. Not Apple. Not anyone."

I think I disagree mildly with you here. Commercial software developers love the current monoculture, because it means they can focus most of their effort on a single OS instead of going the more difficult route of writing cross-platform software. So even if MS went belly-up tonight, there'd still be pressure on the OS market to gravitate towards a small set of OS'es, or maybe even just one OS, as dominant players in the market. The other OS'es would suffer the fate of the Amiga, BeOS, etc. and slowly die for lack of software. That's assuming, of course, that commercial software continues to play a big role in people's decisions about what OS to use. But much as I love the open-source world, I don't see commercial software going away anytime soon. Still, you may well be right that no new monoculture would develop -- but I don't think that invalidates the point I was trying to make, which is that the raw numbers of "vulnerabilities being exploited" are skewed by the current monoculture. (Or rather, near-monoculture). Consider: if you were a black hat and discovered, at the same time, a remote root-access exploit for Windows and one for the Linux kernel (so that it would work on just about any distribution), but it would take you about a day's work to write each exploit, which would you write first? I was not trying to say "Oh, the only reason Windows exploits are so prevalent is because Windows is popular, and the weakness of Windows security has nothing to do with it." I think some people who responded to my comment thought that's what I was saying. No -- the weakness of the Windows security model does have a great deal to do with how many exploits target Windows.
What I was trying to get across was that the current popularity numbers also play a role in how many exploits get written targeting one OS over another; and therefore with the current near-monoculture, raw exploit counts are not very useful as a gauge of security. Re-reading Ford's comment, I think his "ease of exploitation" line was indeed talking more about how easy it is to break into Administrator level once an entry point has been found -- so my "that's just based on popularity" line may have been wrong. But he did say that "raw vulnerability counts really don't give you a good picture," so I think I've just repeated what Ford was saying, only I said quite a bit less with a lot more words.
Posted Apr 10, 2008 22:48 UTC (Thu)
by man_ls (guest, #15091)
[Link] (1 responses)
Just compare Windows malware with the number of worms and trojans attacking Linux servers. Or the number of Symbian exploits in the wild. Or even Solaris attacks in its days of glory. There is just no contest with the malware-of-the-month pest and the resulting Windows botnets.
Posted Apr 11, 2008 6:55 UTC (Fri)
by Requiem (guest, #51519)
[Link]
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
"Perhaps, but that's just a consequence of popularity."
This is the traditional easy excuse, but given without justification.
Surely the quality of the code *must* play a role, as well as the literacy of the users. So, closer to reality, a combination of factors determines the overall vulnerability of a system.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
The whole article is made of presenting the Linux argument first and then the Windows argument to counter that later.
The number of exploits is also closely tied to the efficiency of patching the issues. Many copies of Windows are unpatched due to them being illegal. They also typically have much more third-party software that does not get updated through the standard system update mechanism.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
There aren't any other reasons either; an obvious example would be Adobe's yum repo for flash/acroread.
Well, unless you count that people are used to terrible quality in the entire experience, from their non-free software.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
Always look at methodology; in this case Linux vulns and Windows vulns are counted differently.
Vulnerabilities are typically found in Linux through code audit, so whether or not the vulnerability allows for an actual exploit is theoretical. A higher percentage of all the vulnerabilities are found as well.
Windows has less in the way of theoretical exploits, since the typical way to find one is to implement it, and more unknown active exploits, because there are always more bad guys looking for vulnerabilities than good.
Also keep in mind that Windows being popular gets the security researchers more interested in keeping it locked down as well. If Linux becomes dominant, it gets hold of more of the good guys too.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
Also Microsoft will silently fix potential exploits without disclosing it. A few times they disavowed it, then later on they would admit to it. More than one.
The theory is that the first thing that happens when Microsoft publishes a patch or information, people take that and write an exploit to attack unpatched systems. So by being secretive about fixes they are actually doing people a favor.
Also open source projects will often release patches for problems that are not exploitable, but they _could_ be exploitable if a bunch of other bad things happen. That is, most problems that open source projects release as problems are not exploitable. Microsoft will not admit to those or fixing those.
And people have proof of this sort of behavior. People have examined patches to Microsoft OSes and have reverse engineered them to find out what exactly they are doing and what systems they are patching. One black hat found at least 7 different fixes in a patch that only had one publicly announced fix.
Also not all of Microsoft's software gets the same amount of treatment. There are many bug fixes in Windows XP and such that don't make their way into Windows XP POS (point of sale).
AND on top of this, distributions ship with much, much, much more software than what is provided by Microsoft.
If you want to have a vulnerability vs vulnerability comparison you will have to sit down and go through them one by one and examine things carefully.
Granularity of popularity
There's also the problem of popularity at the individual package level.
If all the Linux admins were diligent about removing unused software, you reduce the effective exposure of real-world Linux systems below the vendor vulnerability counts, because only vulnerabilities in the base OS load affect all users, and vulnerabilities in stuff that's not installed affect only those users who really needed that software enough to install it or leave it installed. (How many production servers have you seen running X and portmap?)
Of course, not all Linux admins are willing to click "uninstall" all over the place, and the modern IT media doesn't advocate strongly enough for a culture of aggressive software removal.
Granularity of popularity
I'm not convinced by this. Of course you shouldn't leave services running if you don't need them, but you don't have to uninstall the binary. (And yes, our production server does run portmap - it tends to be rather useful when the fileserver is NFS!)
Granularity of popularity
If one of those binaries is setuid root, then you'll surely wish you had uninstalled it after someone exploits it. There are other reasons to not have unnecessary programs installed, such as a compiler.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
"""
Were the popularity numbers reversed, with Linux at 90% of the market and Windows at 10%
(making up numbers out of thin air, of course, for simplicity's sake), then the black hats
would immediately jump on Linux vulnerabilities
"""
This often voiced view is supremely irrelevant, since the level of dominance which MS holds on
the desktop is clearly a pathological condition. If Microsoft turned into a pumpkin at
midnight tonight, there is not a chance that *any* one OS would obtain such a level of
dominance and generate another such monoculture. Not Linux. Not Apple. Not anyone.
"If the situation were reversed" is a fairy tale, and has no bearing on reality.
Microsoft's monoculture is both their goose that lays the golden eggs... and their albatross.
But if their freakishly large bean stalk were chopped down tomorrow, or died more slowly of
root rot, no other would spring up in its place. That particular bean stalk was nurtured in a
different time, before the internet, when such things were still possible.
And in the absence of the gargantuan vine, and its associated monoculture, no crackers would
then see Linux, or *BSD, or Mac OS, or Solaris, or anything else as the obvious platform to
target.
And, at least in a relative sense, we could all live happily ever after.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
"Perhaps, but that's just a consequence of popularity."
Another counterpoint to this sentence: in the spaces where Windows is not dominant we don't see such an abundance of non-Windows exploits. OK, Apache is the exception maybe, but even when websites get defaced there is little else harm done.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
Most smart phone malware targets Symbian actually. At least it did a year ago.