The Myth of the Secure Operating System
"Forget about the OS," Laura DiDio, senior analyst at the Yankee Group, told TechNewsWorld. "Don't even argue those merits. Every piece of software that is connected is potentially vulnerable and at risk."
Apr 3, 2004 2:00 AM PT
The old adage about there being "safety in numbers" no longer applies, at least not in the world of IT security. Microsoft platforms are not only the most widespread, but also the most attacked. About that much, most -- but not all -- commentators agree.
The mi2g Intelligence Unit, a UK-based security consultancy, issued three bulletins recently. One suggested that direct attacks -- as opposed to worms or viruses -- on Linux-based servers were on the rise and had for the first time outstripped those directed at Microsoft platforms. Microsoft systems were still found to be the major targets of malware.
An equally interesting claim came next: After examining more than 17,000 attacks in January and again in February, mi2g Intelligence Unit concluded that when it comes to direct attacks, "the world's safest and most secure online server operating system is proving to be the Open Source family of BSD (Berkley Software Distribution) and the Mac OS X based on Darwin."
Several questions suggest themselves immediately: Is it true, how do you know, and can any such judgment even be meaningful?
The third question must be answered before tackling the others, and Laura DiDio, senior analyst at the Yankee Group, suggested that the answer is no. "Overall," she said, "no operating system or piece of software is going to be inherently more secure than another."
She said she agrees, however, with the parts of mi2g's reports that attribute greater Linux insecurity to administration woes. They cite a widespread lack of "training and knowledge on how to keep that environment secure when running vulnerable third-party applications."
"You could have a very fortress-like system," DiDio told TechNewsWorld, "but all that security goes to hell in a handbasket if it is not administered correctly. The human element cannot be discounted. I would say that's 51 percent of the equation to 49 percent inherent security."
Even if that's true, and even if no operating system can be made completely secure, mightn't some be safer than others at the fundamental design level? Richard Forno, security consultant, author and former chief security officer at Network Solutions, thinks so.
While he expressed skepticism about mi2g's methodology and what he sees as a tendency toward sensationalism, he agreed that the Mac OS is intrinsically a safer architecture. "It's much more compartmented," he noted.
He said that unlike on Windows, applications installed on OS X don't patch the kernel at low levels. This is, he has suggested, "something Microsoft unfortunately can't accomplish without a complete rewrite of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of 'Finder.'"
He added that, "At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all Internet services turned off by default," and "unlike Windows, Mac OS X requires an administrator password to change certain configurations, run the system updater and when installing new software."
What about other non-Windows platforms? "OS X, as you probably know, is based on FreeBSD, so it's got Unix underpinnings, which is good. Unix, Linux, they're all about the same. NetBSD, I think, is specifically designed to be hardened."
OS X, he conceded, is not without vulnerabilities. "We never used to see these prior to OS X," Forno observed. "To my knowledge, the security issues affecting Mac OS X for the most part have been, for instance, a vulnerability with Apache or FSL -- things that hearken [back] to its Unix underpinnings. Welcome to the world of Unix."
Security by Obscurity?
Mi2g's conclusions appear to be based on the raw numbers of attacks in its 17,000-plus sample. With BSD and Mac OS representing only a tiny fraction of installed systems, the number of attacks on these systems is obviously low.
A more sophisticated analysis surely would relate the raw numbers to each system's user base. This is a much-argued point: Is Windows attacked so much because it is far and away the most prevalent platform? Do BSD and OS X appear safer because they are, as niche players, less targeted?
"According to our research, attacks on Mac OS systems are less pro rata than what would be expected by solely taking the 'security by obscurity' issue into account: Fewer vulnerabilities pro rata have been announced for Mac OS X than for other operating systems," an mi2g spokesperson told TechNewsWorld.
"However," he added, "a system running Mac OS X with applications that have glaring vulnerabilities will still draw a lot of successful attacks from hackers."
The Yankee Group's DiDio gives more credence to the "obscurity" argument, although her take on the issue does include malware vulnerabilities in addition to the denial-of-service attacks or other direct attacks measured by mi2g.
"In today's networked environment," she noted, "the most important parameter is the popularity and connectivity of the operating system. In that sense, Windows is the number one target. They've got 94 percent on the desktop; 66 percent of servers. And you've got a lot of interconnected networks globally."
High Degree of Connectedness
It is in that high degree of connectedness, she feels, that the greatest potential for damage lies: It only takes one or two successful local attacks for damage to spread quickly to a much wider area. For the time being, she said, Linux has an apparent advantage simply by virtue of a lower level of connectivity.
But, she added, "I have spoken to sophisticated Linux proponents running all-Linux environments who have been alarmed at the recent increase in Linux-specific hacks that have cropped up even in the last four to six months."
She went on to say there are differences between Windows hacks and Linux hacks that can make the latter "fairly dangerous and more difficult to initially pinpoint," mainly the fact that many attacks can propagate automatically without the need for human interaction, such as opening an e-mail attachment.
"Forget about the OS," DiDio concluded. "Don't even argue those merits. Every piece of software that is connected is potentially vulnerable and at risk."