The pending January release of Windows Vista raises questions about the security benefits of using one operating system over another.
Part 1 of this two-part series outlines the relative attractiveness of operating systems to hackers and other criminals. This second installment looks at the security “hardness” of popular operating systems in the face of increasingly sophisticated attacks.
Microsoft claims that Vista’s new architecture hardens it against vulnerabilities from viruses, spyware and adware attacks. However, users should be wary of putting too much faith in Microsoft’s ability to give them a locked-down computing environment.
Vista will be a significant step up in security for Microsoft, according to Gene Spafford, computer sciences professor at Purdue University, although it still contains some fundamental architectural flaws. Along with Windows XP, it will be the predominant platform for users and merchants.
“Thus, Vista will be a major target for criminals, even with the improvements,” Spafford told TechNewsWorld.
Instead of remaining with the Microsoft family of operating systems, users may achieve better security by switching to Mac or Linux.
However, those operating systems may be more secure only because their comparatively smaller user bases makes them lackluster targets for attackers.
There is a catch-22 at play in terms of the size of the user base, explained Ed Moyle, a security manager for CTG Information Security Services.
“I don’t think that other platforms necessarily offer more or better security. Instead, I think they demonstrate decreased security issues because of their decreased user population,” he said.
“The feasibility of attacking FreeBSD, Linux or Unix (or Mac OS) is not really a matter of speculation. It is a fact,” said Randy Abrams, director of technical education at ESET, who previously worked in Microsoft’s security operations department for 12 years.
Balancing the Options
Vista is the first major release in which Microsoft has been able to show a hardened product. “Linux is more robust — not necessarily more hardened,” claimed Jeff Huegel, CSO of USi Net. “All operating systems can be hardened to some extent. Unix and Linux are still in the realm of expert users who can make the tweaks to harden the systems.”
Security issues really do separate Windows from other choices, said Dale Laushman, CTO of the Uptime Group. For example, Red Hat and Suse Linux distributions are slightly more secure out of the box than Windows XP, he said.
“No operating system is secure enough to put on theInternet with the popular services running without eventually getting compromised,” he said.
Criminal activity associated with computing aimed at credit card theft, identity theft and phishing has been rising steadily for a few years. For hackers, Windows systems continue to be the target of choice because of generally poor security and because the majority of people use Windows along with the historically vulnerable Internet Explorer browser and Microsoft Word.
One of the major security problems Microsoft has faced involves the user-as-administrator model that it designed into many of its products, including the Windows OS, according to Abrams.
Compared with earlier versions of Windows, Vista will let users work effectively in a reduced-rights environment, so the operating system’s extra security will come at the expense of ease of use, noted Laushman. For instance, Vista modules and subsystems will be turned off and locked down by default.
Take the case of a Vista user who receives the following on-screen message: “XYZ application needs new Active X controls. Do you want to install them? Yes. No.” When the user clicks “Yes,” he or she is back in the old pattern of clicking “Yes” to all of the security or application pop-ups, as in IE and XP.
Linux is less vulnerable than Windows, because there is no centralized distribution of the OS, making it a much more difficult target for attackers.
The hacker code writers need to know the operating system’s base version and possibly have knowledge of the user’s personal information, said Helmuth Freericks, CTO at Authentium.
“An attacker would need a real incentive and considerable prior knowledge of his planned victims. This is the major reason why Linux will not become a big target for attackers. There is too much work for a relatively small scale payout,” he said.
Moving from Windows to Linux may not be the quick security fix that some envision, suggested Bob O’Dell, president and CEO of SecurityCoverage.
Linux proponents “have been living in a bubble,” he warned, “but that bubble could burst if the hacking world decides to go after them with the ferocity they’ve used in attacking Microsoft.”
Initially, the Mac OS has been relatively attack-free because of its 5 percent user base and the lack of a Mac server industry.
Apple built the Mac OS on top of FreeBSD, which had an advantage, according to Abrams — the lack of applications that ship with the basic operating system. Adding applications adds the potential for vulnerabilities.
“Apple has added a lot of applications missing from FreeBSD and, as such, probably leveled the playing field,” Abrams said. “The success of Apple’s marketing hype about a secure platform will probably play into the hands of criminals when they eventually focus on a set of users who are predominantly in denial.”
Linux and Mac OS users do not automatically gain privileged access to root or core operations — that feature is password-protected at all times. Vista will use a similar approach called “UAC” (user account control), which will pop up on the screen and query users for the administrative login and password before they can execute any privileged operations, according to Gerhard Eschelbeck, CTO at Webroot.
Very quickly, Vista users will be frustrated by UAC queries, said Eschelbeck, predicting that “it will not be a matter of months, but weeks, until we see the first malware creating the same user query with the intent of capturing administrative credentials.”