Internet Society Vietnam Website


Last update:
Tuesday, March 19, 2002 2:15 PM


Linux vs. Windows Viruses

Subject: [bytesforall_readers] Linux vs. Windows Viruses
Date: 11 Oct 2003 14:01:49 +0530
From: Sunil Abraham <sunil@mahiti.org>
To: Bytesforall Readers <bytesforall_readers@yahoogroups.com>

http://theregister.co.uk/content/56/33226.html

Opinion: To mess up a Linux box, you need to work at it; to mess up your
Windows box, you just need to work on it, writes SecurityFocus columnist
Scott Granneman.

We've all heard it many times when a new Microsoft virus comes out. In
fact, I've heard it a couple of times this week already. Someone on a
mailing list or discussion forum complains about the latest in a long
line of Microsoft email viruses or worms and recommends others consider
Mac OS X or Linux as a somewhat safer computing platform. In response,
another person named, oh, let's call him "Bill," says, basically, "How
ridiculous! The only reason Microsoft software is the target of so many
viruses is because it is so widely used! Why, if Linux or Mac OS X was
as popular as Windows, there would be just as many viruses written for
those platforms!"

Of course, it's not just "regular folks" on mailing lists who share this
opinion. Businesspeople have expressed similar attitudes ... including
ones who work for anti-virus companies. Jack Clarke, European product
manager at McAfee, said, "So we will be seeing more Linux viruses as the
OS becomes more common and popular."

Mr. Clarke is wrong.

Sure, there are Linux viruses. But let's compare the numbers. According
to Dr. Nic Peeling and Dr. Julian Satchell's Analysis of the Impact of
Open Source Software (note: the link is to a 135 kb PDF file):

"There are about 60,000 viruses known for Windows, 40 or so for the
Macintosh, about 5 for commercial Unix versions, and perhaps 40 for
Linux. Most of the Windows viruses are not important, but many hundreds
have caused widespread damage. Two or three of the Macintosh viruses
were widespread enough to be of importance. None of the Unix or Linux
viruses became widespread - most were confined to the laboratory."

So there are far fewer viruses for Mac OS X and Linux. It's true that
those two operating systems do not have monopoly numbers, though in some
industries they have substantial numbers of users. But even if Linux
becomes the dominant desktop computing platform, and Mac OS X continues
its growth in businesses and homes, these Unix-based OS's will never
experience all of the problems we're seeing now with email-borne viruses
and worms in the Microsoft world. Why?

Why are Linux and Mac OS X safer?

First, look at the two factors that cause email viruses and worms to
propagate: social engineering, and poorly designed software. Social
engineering is the art of conning someone into doing something they
shouldn't do, or revealing something that should be kept secret. Virus
writers use social engineering to convince people to do stupid things,
like open attachments that carry viruses and worms. Poorly designed
software makes it easier for social engineering to take place, but such
software can also subvert the efforts of a knowledgeable, security-minded
individual or organization. Together, the two factors can turn a single
virus incident into a widespread disaster.

Let's look further at social engineering. Windows software is either
executable or not, depending on the file extension. So if a file ends
with ".exe" or ".scr", it can be run as a program (yes, of course, if
you change a text file's extension from ".txt" to ".exe", nothing will
happen, because it's not magically an executable; I'm talking about real
executable programs). It's easy to run executables in the Windows world,
and users who get an email with a subject line like "Check out this
wicked screensaver!" and an attachment, too often click on it without
thinking first, and bang! we're off to the races and a new worm has
taken over their systems.

Even worse, Microsoft's email software is able to infect a user's
computer when they do something as innocuous as read an email! Don't
believe me? Take a look at Microsoft Security Bulletins MS99-032,
MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance.
Notice that's at least one for the last five years. And though
Microsoft's latest versions of Outlook block most executable attachments
by default, it's still possible to override those protections.

This sort of social engineering, so easy to accomplish in Windows,
requires far more steps and far greater effort on the part of the Linux
user. Instead of just reading an email (... just reading an email?!?), a
Linux user would have to read the email, save the attachment, give the
attachment executable permissions, and then run the executable. Even as
less sophisticated users begin to migrate to Linux, they may not
understand exactly why they can't just execute attachments, but they
will still have to go through the steps. As Martha Stewart would say,
this is a good thing. Further, due to the strong community around Linux,
new users will receive education and encouragement in areas such as
email security that are currently lacking in the Windows world, which
should help to alleviate any concerns on the part of newbies.

Further, due to the strong separation between normal users and the
privileged root user, our Linux user would have to be running as root to
really do any damage to the system. He could damage his /home directory,
but that's about it. So the above steps now become the following: read,
save, become root, give executable permissions, run. The more steps, the
less likely a virus infection becomes, and certainly the less likely a
catastrophically spreading virus becomes. And since Linux users are
taught from the get-go to never run as root, and since Mac OS X doesn't
even allow users to use the root account unless they first enable the
option, it's obvious the likelihood of email-driven viruses and worms
lessens on those platforms.
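The save, chmod, run friction described above can be checked directly rather than taken on faith. The following is an added example and is not code from Granneman's column or from The Register; it uses a constructed, harmless shell script as the stand-in "attachment" and only the Python standard library. It also exercises the caveat a practitioner would want on the record: the execute bit only guards direct execution, so a client that "opens with" an interpreter (sh, perl, python) never needs the chmod step at all.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for a mailed "screensaver": a harmless shell script.
PAYLOAD = "#!/bin/sh\necho payload-ran\n"


def try_run(argv):
    """Try to execute argv. Returns True only if the kernel allowed the exec and
    the payload's marker appeared on stdout; False if execve was refused
    (EACCES, which is what a file with no execute bit produces, even for root)."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    except PermissionError:
        return False
    return proc.returncode == 0 and "payload-ran" in proc.stdout


def attachment_exec_demo():
    """Walk the steps the column lists (save, chmod +x, run) and report which
    attempts actually executed the payload."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "wicked_screensaver.sh")
        with open(path, "w") as fh:
            fh.write(PAYLOAD)
        os.chmod(path, 0o644)  # a plain "Save As" leaves no execute bit
        results = {"saved_no_x": try_run([path])}

        os.chmod(path, 0o755)  # the extra step the user has to take
        results["after_chmod_x"] = try_run([path])

        os.chmod(path, 0o644)
        # Caveat: the execute bit only governs direct execution. Handing the same
        # file to an interpreter works regardless of its mode, so a client that
        # "opens with" /bin/sh gives the friction away.
        results["via_interpreter"] = try_run(["/bin/sh", path])

        # Whether the root/user separation the column relies on applies at all
        # depends on who is running this; report it rather than assume it.
        results["running_as_root"] = os.geteuid() == 0
    return results


if __name__ == "__main__":
    for step, outcome in attachment_exec_demo().items():
        print(f"{step}: {outcome}")
```

On a stock Linux box this reports `saved_no_x: False`, `after_chmod_x: True` and `via_interpreter: True`; the third line is the one to remember when evaluating a mail client's "Open With" dialog. The `running_as_root` flag is only informational here, because a demonstration of the user/root boundary would itself have to be run as an unprivileged user to mean anything.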

Unfortunately, running as root (or Administrator) is common in the
Windows world. In fact, Microsoft is still engaging in this risky
behavior. Windows XP, supposedly Microsoft's most secure desktop operating
system, automatically makes the first named user of the system an
Administrator, with the power to do anything he wants to the computer.
The reasons for this decision boggle the mind. With all the lost money
and productivity over the last decade caused by countless
Microsoft-borne viruses and worms, you'd think the company could have
changed its procedures in this area, but no.

Even if the OS has been set up correctly, with an Administrator account
and a non-privileged user account, things are still not copacetic. On a
Windows system, programs installed by a non-Administrative user can
still add DLLs and other system files that can be run at a level of
permission that damages the system itself. Even worse, the collection of
files on a Windows system - the operating system, the applications, and
the user data - can't be kept apart from each other. Things are
intermingled to a degree that makes it unlikely that they will ever be
satisfactorily sorted out in any sensibly secure fashion.

The final reason why social engineering is easier in the Windows world
is also an illustration of the dangers inherent in any monoculture,
whether biological or technological. In the same way that genetic
diversity in a population of living creatures is desirable because it
reduces the likelihood that an illness - like a virus - will utterly
wipe out every animal or plant, diversity in computing environments
helps to protect the users of those devices.

Linux runs on many architectures, not just Intel, and there are many
versions of Linux, many packaging systems, and many shells. But most
obvious to the end user, Linux mail clients and address books are far
from standardized. KMail, Mozilla Mail, Evolution, pine, mutt, emacs ...
the list goes on. It's simply not like the Windows world, in which
Microsoft's email programs - Outlook and Outlook Express - dominate. In
the Windows world, a virus writer knows how the monoculture operates, so
he can target his virus, secure in the knowledge that millions of
systems have the same vulnerability. A virus targeted to a specific
vulnerability in Evolution, on the other hand, might affect some people,
but not everyone using Linux. The growth of the Microsoft monoculture in
computing is a dangerous thing for users of Microsoft products, but also
for all computing users, who suffer the consequences of disasters in
that environment, such as wasted network resources, dangers to national
security, and lost productivity (note: the link is to a 880 kb PDF
file).

Now that we've looked at the social engineering side of things, let's
examine software design for reasons why Linux (and Mac OS X) is better
designed than Microsoft when it comes to email security. Microsoft
continually links together its software, often not for technical
reasons, but instead for marketing or business development reasons (see
the previous link for corroboration). For instance, Outlook Express and
Outlook both use the consistently-buggy Internet Explorer to view
HTML-based emails. As a result, a hole in IE affects OE. Linux email
readers don't indulge in such behavior, with two exceptions: Mozilla
Mail uses the Gecko engine that powers Mozilla to view HTML-based email,
while KMail relies on the KHTML engine that the Konqueror browser uses.
Fortunately, both Mozilla and the KDE Project have excellent records
when it comes to security.

Further, the email programs themselves are designed to act in a more
secure manner. The default behavior of the email program I prefer -
KMail - is to not load external references in messages, such as pictures
and Web bugs, and to not display HTML. When an HTML-based email shows up
in my Inbox, I see only the HTML code, and a message appears at the top
of the email: "This is an HTML message. For security reasons, only the
raw HTML code is shown. If you trust the sender of this message then you
can activate formatted HTML display for this message by clicking here."
But even after I activate the HTML, certain dynamic elements that can be
introduced in an HTML-based email - like Java, Javascript, plugins and
even the "refresh" META tag - do not display, and cannot even be enabled
in KMail.

Finally, if there is an attachment, it does not automatically run ...
ever. Instead, I have to click it, and when I do, I get a dialog box
offering me three options: "Save As ..." (the default), "Open With ...",
and "Cancel". If I have mapped a file type to a specific program - for
instance, I have associated PDFs with the PS/PDF Viewer - then "Open With
..." instead says "Open", and if I choose "Open", then the file opens in
the PS/PDF Viewer. However, in either case, the dialog box always
contains a warning advising the user that attachments can compromise
security. This is all good, very good.

For all these reasons, even if a few individuals got infected with a
virus due to extremely foolish behavior, it's unlikely the virus would
spread to other machines. Unlike Sobig.F, which is the fastest spreading
virus ever, a Linux-based virus would fizzle out quickly. Windows is an
inviting petri dish for viruses and worms, while Linux is a hostile
environment for such nasties.

Some caveats

There is one Linux distribution that is ignoring many years of common
sense, good design, and an awareness of secure operating environments in
favor of a Microsoft-like deprecation of security before the nebulous
term "ease of use": Lindows. By default, Lindows runs the user of the
system as root (and it even encourages the user to forgo setting up a
root password during installation by labeling it as "optional"!), an
unbelievably shortsighted decision that results in a Linux box with the
same security as a Windows 9.x machine.

If you go to the Lindows Web site, they state that it is possible to add
other, non-privileged users, but nowhere in the operating system do they
advocate adding these other users. Yet they claim their distribution of
Linux is secure! In an effort to emulate Microsoft and make things
"easy", they have compromised the security of their users, an
unforgivable action. No one in the field of security, or even IT, can
recommend Lindows while such a blatant disregard for security is the
norm for the OS.

Yet some Linux machines definitely need anti-virus software. Samba or
NFS servers, for instance, may store documents in undocumented,
vulnerable Microsoft formats, such as Word and Excel, that contain and
propagate viruses. Linux mail servers should run AV software in order to
neutralize viruses before they show up in the mailboxes of Outlook and
Outlook Express users.
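The two points above, that Windows decides executability by file extension and that a Linux mail server should strip such payloads before they reach Outlook users, meet in an attachment filter. The following is an added example, not code from the column or from any anti-virus product. It flags an attachment when its final extension is one Windows will run directly (which catches the "photo.jpg.exe" double-extension trick) and, separately, when the bytes start with the DOS/PE "MZ" stub regardless of what the file is called. The extension list, the sample message and the fake PE header are all constructed for this example; a real gateway would put a signature scanner behind this, not rely on it alone.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when double-clicked. This list is an
# assumption for the example, not an authoritative catalogue.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "lnk", "reg"}


def risky_name(filename):
    """True if the attachment's *last* extension is executable on Windows.
    'quarterly.pdf.exe' is caught because only the final suffix counts;
    trailing dots and spaces are stripped because Explorer drops them."""
    if not filename:
        return False
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTS


def looks_like_pe(data):
    """True if the bytes begin with the DOS/PE 'MZ' stub, whatever the name says."""
    return data[:2] == b"MZ"


def scan_message(raw_bytes):
    """Return [(filename, [reasons])] for every MIME part that should be quarantined.
    The text body is walked too, but has no filename and no MZ stub, so it passes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if risky_name(fname):
            reasons.append("executable extension")
        if looks_like_pe(data):
            reasons.append("PE header")
        if reasons:
            findings.append((fname, reasons))
    return findings


def build_sample():
    """Constructed message in the style the column describes; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "bill@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Check out this wicked screensaver!"
    msg.set_content("Open the attachment, it's great.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS stub header only, constructed
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="wicked_screensaver.scr")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="quarterly.pdf.exe")  # double extension
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="readme.txt")  # renamed binary, harmless-looking name
    msg.add_attachment("Minutes of the meeting.", subtype="plain",
                       filename="notes.txt")  # genuinely harmless
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample()):
        print(f"quarantine {name}: {', '.join(why)}")
```

Run against the constructed message, this quarantines the `.scr` and `.pdf.exe` attachments on both counts and `readme.txt` on the header check alone, while `notes.txt` and the body pass. The header check is the part worth keeping even after a signature scanner is added: it is what catches a binary the sender renamed to dodge the extension list.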

Security is, as we all know, a process, not a product. So when you use
Linux, you're not using a perfectly safe OS. There is no such thing. But
Linux and Mac OS X establish a more secure footing than Microsoft
Windows, one that makes it far harder for viruses to take hold in the
first place, but if one does take hold, harder to damage the system, but
if one succeeds in damaging the system, harder to spread to other
machines and repeat the process. When it comes to email-borne viruses
and worms, Linux may not be completely immune - after all, nothing is
immune to human gullibility and stupidity - but it is much more
resistant. To mess up a Linux box, you need to work at it; to mess up
your Windows box, you just need to work on it. I know which one I'll
trust. How about you?

Copyright © 2003,

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St.
Louis. He specializes in Internet Services and developing Web
applications for corporate, educational, and institutional clients.

--
Sunil Abraham, sunil@mahiti.org http://www.mahiti.org
MAHITI Infotech Pvt. Ltd. 'Reducing the cost and complexity of ICTs'
314/1, 7th Cross, Domlur Bangalore - 560 071 Karnataka, INDIA
Ph/Fax: +91 80 4150580. Mobile: 98455 12611
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple.
But if you have an idea and I have one idea and we exchange these
ideas, then each of us will have two ideas" George B. Shaw







--

Vern Weitzel (Mr.), Webmanager
<weitzel@undp.org.vn> or <webmanager@undp.org.vn>
United Nations Development Programme
address: 25-29 Phan Boi Chau; Ha Noi, Viet Nam
postal address:
UNDP Viet Nam One UN Plaza New York, NY 10017 USA
UNDP Viet Nam Palais des Nations 1211 Geneva Switzerland
UNDP Viet Nam GPO Box 618 Bangkok, 10501 Thailand
tel: +84-4 942-1495 (ext 135) fax: +84-4 942-2267
http://www.undp.org.vn and http://www.un.org.vn
home address: Apartment 504-505, Block A4 Giang Vo
[opposite UN Int. School] tel: +84-4 846-1751
-------------------------------------------------
UNDP is the UN's global development network
