On Bugs, Viruses, Malware and Linux

Among all the reasons geeks choose Linux, security is often near the top of the list.

And no wonder — personal preferences aside on all the other many relevant issues, there’s plenty of evidence to suggest our favorite operating system really is more impervious.

A study published in The Register a few years back, for example, not only concluded that Linux security then was even better than had been thought compared to Windows security, but also went on to label as “myths” and “logical errors” many of the most common arguments to the contrary — most notably, the oft-repeated idea that Linux suffers fewer attacks simply because it has fewer users than Windows does.

‘Not a Kernel Problem’

Yet when news came out last month that an attack by the “NULL Pointer” bug could exploit even a fully patched Linux kernel, a new cloud of dust was kicked up. Those on both sides of the operating system fence struggled to understand what it meant.

“The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing,” Bas Alberts, a senior security researcher at Immunity, told The Register, for example.

On the other hand: “That does not look like a kernel problem to me at all,” Linus Torvalds is quoted as saying in an email message. “He’s running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?”

Bloggers on ZDNet, on Cnet, on Digg and others all chimed in with their own opinions, even after the problem was reportedly fixed.

‘Are We Too Naive?’

Perhaps it was in part the fresh controversy that inspired Linux Today’s Carla Schroder to pen a blog post late last month — entitled, “Linux doomed to virus plague. (Again.)” — in which she debunks yet again the endlessly recurring warnings that Linux will be subject to increased attacks once it achieves more widespread acceptance.

A talkback thread on Linux Today from around the same time, meanwhile, asked, “Are we too naive by believing that GNU/Linux is more secure by design?”

For Linux Girl, the message was clear: Time to do a little more investigating.

‘The Reality Is Much Less Severe’

“The headlines for this Linux security hole read like the apocalypse,” Slashdot blogger yagu told LinuxInsider. “The reality is much less severe.”

First and foremost, “to fully take advantage of the exploit, a user must have physical access,” he explained. “By definition, physical access is already a compromised system. Any security issues past that point is simply splitting semantic hairs.”

Linux is far more secure than Windows, yagu asserted.

“Linux is Unix — which, by the way, so are Macs,” he noted. “Unix’s architecture is fundamentally different from Windows, especially the defaults for how access to important system resources is granted.

“I’ve worked on Linux, HP Unix, IBM Mainframe Linux, Sun Unix, blah, blah, blah, and in my entire career NEVER seen a compromised system,” yagu added. “At the same time, I’ve worked with Windows to the extent that I’ve had to, and I stopped counting the times they’ve tanked because of attacks.”

Strength in Diversity?

Out of the box, “I believe that Linux is slightly more secure than either Windows or Mac OS X,” Slashdot blogger drinkypoo told LinuxInsider. “Windows Vista — with Service Pack 1 or better — has a superior implementation of ASLR to Linux, which in turn has a superior implementation to that of Mac OS X, though this has allegedly been upgraded in Snow Leopard.”

On the other hand, Linux is the only desktop operating system with capabilities-oriented security in the form of NSA-developed yet entirely open SElinux, drinkypoo noted. “While Unix implementations like Trusted Solaris have provided this functionality for some time, only Linux both has capabilities and is a serious contender for the mass market, including laptops, desktops, palmtops, and basically every other top you can think of.”Another saving grace for Linux might be the sheer number of distros out there, Monochrome Mentality blogger Kevin Dean suggested.

“Just as companies like Adobe have problems packaging and maintaining Flash for Linux because of the various formats and standards the filesystem takes, so do would-be malware producers,” he told LinuxInsider. “Getting a script or binary running on a system without leaving some out-of-place traces on any possible distro is hard.”

‘The Damage Is Contained’

Most exploits have also moved “off of the OS itself and onto the applications and users,” Montreal consultant and Slashdot blogger Gerhard Mack told LinuxInsider. “One advantage for Linux in this case is that most applications run fine as non-root, so the damage is contained. If someone manages to gain root on Linux, there is no option but to reformat, and now it’s becoming the same way for Windows.”

The other advantage Linux has over Windows is that “most distros have an update system that is easy for third parties to add themselves to,” he noted. “This is something I really wish Microsoft would do for Windows, since that would mean Microsoft apps won’t need to either have an administrator running update app or require administrator access to update the software on startup.”

It’s also important to note that “since most malware these days is designed to either spam the net or be used as a DDoS host, the malware doesn’t need to actually gain administrator access to cause trouble,” Mack added. “So the main advantage for secure environments is the easier cleanup or the lack of software ability to install a key grabber.”

‘Not Just About Popularity’

For proof that it’s “not just about popularity,” Mack cites the fact “that Apple has gone from 60 or so known viruses in OS9 to none in OS X, even though their market share has only gone up since then.”

Linux, in fact, “went though its ‘plague’ five to 10 years ago, where we had a constant stream of tools designed to attack Linux daemons,” he asserted. “That has mostly eliminated itself thanks to most distros dumping software with a history of insecurity and pushing for more non root daemons as well as not running more than what the user needs.”

Carla Schroder is “right on in pointing to the widespread use of GNU/Linux on the WWW infrastructure to show how secure GNU/Linux can be,” blogger Robert Pogson told LinuxInsider. “Any OS can be attacked, but with reasonable security precautions, it takes a serious/critical vulnerability to let the attack succeed.”

‘Let Them Step Up’

GNU/Linux has “its share of vulnerabilities,” but “they are much fewer than that other OS because of the openness and modularity of the software,” Pogson explained. “I learned long ago how hard it is to fix spaghetti code. It is the same thing when your browser plays God in an OS or is allowed to install software or multimedia files that may be executable.”

GNU/Linux accounts for about 10 percent of PCs, Pogson added. “If, at that level, we have never seen a botnet, we will not for a few years more,” he said.

“Freedom from malware for a few more years is worth many times the cost of migration to GNU/Linux,” he asserted. “In the meantime, we have time to adopt best practices and to harden GNU/Linux even more than the long-standing Unix permissions and recent improvements.

“If the anti-malware industry has anything to offer GNU/Linux,” he added, “let them step up.”

‘The Velma Problem’

Windows systems are “exceptionally insecure” for a number of reasons, agreed Chris Travers, a Slashdot blogger who works on the LedgerSMB project.

“Most programs are more likely to need administrator access on Windows than on Linux or Mac, and users of Windows are conditioned to downloading and running cute attachments from email,” Travers explained.

Indeed, Slashdot blogger hairyfeet calls it “the Velma problem, which I named after a customer who you could actually send an email to that said, ‘turn off your antivirus and look at these puppy pictures!’ — with a file attached called ‘happy_puppy.jpg.exe’ — and she would run it, every single time,” he recounted.

“The worst case I had was a guy that would run ANYTHING that had the word ‘lesbians’ in it,” he added. “The antivirus could scream, the antispyware would do everything but throw itself in front of the guy trying to stop him, and he would ignore or even turn off all his defenses to run ‘hot_lesbians.mpg.exe’.”

‘With a Smile on Her Face’

The fact that Linux is CLI-heavy has helped it to stay malware-free, hairyfeet told LinuxInsider, “because you need to have some smarts to run it. Linux users are also more security conscious and won’t just run email attachments or click on spam.

“But if you ever get rid of CLI, which is what I think will need to happen to get market share, and actually manage to lure the ‘Velmas’ and all their friends to Linux?” hairyfeet continued. “Well then your friends at the Russian Business Network and their friends in China and Nigeria will be writing ‘Happy_Puppy.jpg.sh’ and sending it along with nice easy-to-paste instructions that Velma will follow with a smile on her face.”