Is Linux just as vulnerable as Windows?


165 Posts
Location -
Joined 2004-01-30
The battle continues where many people argue that Linux is just as vulnerable as Windows. Some argue that open source software is more vulnerable to attacks than proprietary software and some argue just the opposite. Suppose Linux was to be the mainstream OS, would we be having the same kinds of issues that Windows has? Here is a recent article that discusses the top ten vulnerabilities for both Windows and Linux:
http://www.sans.org/top20/
 
Please post your opinions.


Responses to this topic



3867 Posts
Location -
Joined 2000-02-04
Is Linux just as vulnerable as Windows?
 
Some problems I've noticed with this question.....
 
1. Linux is not one OS, just as Windows is not one OS.
 
A better question would be: "Is (insert Linux distro here) just as vulnerable as (insert Windows version here)?"
 
2. What is a vulnerability?
Answer: Flaw in OS, The User?, Physical Access to system, processor execution of code, etc.
 
 
 
 
Now, here's what I've seen from my experience in the military. I separated in Dec, but from my discussions with my friends this is the current status.
 
Most AF networks nowadays are Windows XP with Windows 2000 servers (a few dedicated NT4 servers) slowly being upgraded to Windows 2003 and of course Unix/Linux distros for certain organizations on base. Usually in AF networks Unix/Linux is relegated to firewall/intrusion detection/External DNS.
 
Really, who would trust their network with a Microsoft Firewall? The AF doesn't. They use Secure Computing Sidewinder which uses a customized version of BSD. So, right there you see that Microsoft is not as good as Unix/Linux in the firewall department, or intrusion detection or DNS really.
 
Speaking of DNS. We've all used it, we're using it right now. What are most internet sites that host DNS using for their DNS? Are they using Microsoft DNS? Of course not! They're using BIND! Why? Because that's the standard! It works much better than Microsoft's version since MS version is based off of BIND!
 
 
How about Print servers? Anyone here ever use a Linux printer server and an MS print server? How much trouble does your Linux printer server give you compared to your MS print server? Not much! For some reason from NT4-2003 the print spooler in Windows always seems to mess up, not so with the Linux print spooler.
 
 
So far we have Linux/Unix beating MS in Firewall, intrusion detection, DNS, print spooler.
 
 
Basically what we see here is that MS for far too long has focused mainly on the desktop/server market....and basically getting by with the "if it works, don't fix it...just make it prettier department".
 
 
As for the arguments that Open-source code is easier for coders to get access to and create viruses and that since Windows source is closed that coders have a harder time creating viruses....that's true. But wait a minute! That obviously hasn't stopped them! It's not like we need Windows kernel code to create a killer virus. Viruses are released all the time created with simple macro or system commands/APIs that are easily run on Windows systems as long as the user has administrator access. The fact that *nix users are commonly taught to not use root whereas you're not really told to do so on a Windows system is one more reason why *nix is more secure. Heck, just install Windows XP and by default it'll make you an administrator.


3857 Posts
Location -
Joined 2000-03-29
Interesting response. So...
 
MS not being used in firewalling is a common thing. I mean, why install a host OS, then a firewall application on a server when you could just use some form of appliance like a PIX (we like these, along with Netscreen products as we had issues with Sidewinders).
 
Most AD deployments break DNS into multiple zones, especially when fielding multiple forests. It is common to use MS DNS for the clients in the forest to resolve intra-forest resources, while using a hardened DNS for inter-forest and non-AD assets. Bear in mind that no government agency relies on pure BIND, as it has been one of the most hacked applications in history but rather a BIND hybrid (DNS application that supports BIND behaviors and protocols) called "Protected DNS", and is usually provided by a vendor. It is highly doubtful that you would see a simple BIND installation on a RedHat server hosting sensitive records.
 
Haven't had a need for a non-Windows print spool host (many of our printers are network-aware, so we host the spoolers elsewhere) but that's just us.
 
Well, we do have Lindows/Linspire for the "root user" argument, but this is more an issue of education. I still see noobs logging in as root doing basic stuff, only to get attacked on forums and IRC channels for doing it (and rightly so). However, most Windows users don't think twice about this because this was how they were taught, not that this was "forced" upon them for day-to-day use.
 
Yes, the XP installation will not only grant your initial user account admin rights, but it will also let you log on with no password. Completely stupid. In addition, MS did try to re-train admins in Windows 2000 with "run as", which is similar to "switch user" (su). While Windows still has "Power Users" (think full-time "sudo") many things still don't work right unless you are a full admin when installing them. In fact, you might not even be able to use the application after it has been installed because of poor installation design (improperly placed files and reg keys during setup with restricted access only admins can get to). In addition, just running "setup.exe" might launch the installer, only to find out that it's a decompression program that expands the application, and launches the real installer with your normal credentials. This can happen in Linux when trying to install applications and other complicated administrative tasks using sudo, and you wind up going "su -" and running it as a full admin. The point is that MS tried, but nobody is bothering to learn how to make it work.


316 Posts
Location -
Joined 2004-08-23
It also (surely) has to be the case that one of the reasons that Windows appears to be so 'insecure' is purely because it must receive a lot of attention from unwanted sources. What I mean is, 1 (of course not the only) reason is that some people want big coverage of their new little virus/hack/malware. The easiest way to do this in the average consumer market is to target Windows.
It will be interesting to see what happens as various Linux distros continue to grow. I'm not saying that Linux has similar flaws however surely with more brains trying to break it, the probability of such a similar situation must increase.
 
There's also the argument that guys running Linux know their OS better (as mentioned above). True, but what happens when the line is crossed whereby the average person who doesn't know much about Linux starts using it? Maybe initially things will be ok, but there could well be a spiralling out of control moment where every man and his dog is distributing some form of Linux. Of course with Windows, it's Microsoft behind it. With Linux? Well, there could potentially be an explosion of really bad distros knocking about with money grabbing cowboys behind them. Of course, this isn't a true reflection of Linux since it's great if you do it right.
 
As the popularity of Linux grows, things can only get worse if the quality/configuration etc isn't managed correctly.
 
S
 
 


3857 Posts
Location -
Joined 2000-03-29
Indeed. I remember when there was a standards body trying to standardize on a package management system. This was when the Linux community had a perfect time to show that it could (http://slashdot.org/articles/02/02/01/141215.shtml):
 
1. Come together and stop running down separate paths in an effort to promote usability, and
2. Back a system that promotes good design, rather than a system that has more corporate backing
 
Well, the LSB decided to back RedHat Package Management (RPM) over apt. This is funny, considering that you couldn't even get all of the RPM-based distros to agree on a common installer themselves, much less get all distributions to agree to use RPMs in general. What makes this funny is that people complain that MS has leveraged its popularity to push its standards, and here we are with the advantages of Open Source and seeing the same thing. Of course, I think people of all sorts can agree on the biggest abuse of this type: Apple and the iPod. Controlling the proprietary DRM functionality of the "Open Source" AAC format (at least according to Apple it was Open Source).
 
Ever since this LSB/RPM fiasco I stopped caring about standardizing Linux. Some can, and will, argue that this is what Linux is about; choice. You can choose your distro, you can choose to compile from scratch, and you can choose to ignore a standards body that insists on smoking crack. However, how long do you think not following a standard can run without doing real damage to the movement? Only time will tell.


3867 Posts
Location -
Joined 2000-02-04
Originally posted by clutch:

Quote: However, how long do you think not following a standard can run without doing real damage to the movement? Only time will tell. 
LOL. When I read that I immediately thought of IE and web compliance. Not as much of a factor today for Mozilla/Opera as it was a while back (except of course for ActiveX, but who cares about that for Internet use)....but it sure does create havoc when MS Frontpage does one thing and a web compliant browser expects the proper way to render a page.....Yes, Standards are a Good Thing.
 
 
I would say the most sane response to a "Is (insert OS here) less vulnerable than (insert OS here)." would be that the company that supports their OS should have the less vulnerable OS.
 
Now obviously the larger an OS is, the more vulnerable it will be. Until Linux has grown to the userbase of Windows installations and has the same amount of application support, we cannot really prove that Linux is less/more vulnerable than Windows....but in certain specialized situations you can determine in which areas Linux or Windows are more suited to their particular environments and THEN determine which is better in that particular situation. I alluded to that above.
 
 
Perhaps we could start a thread describing situations and determine which OS should be used in certain scenarios? Hey! That could be fun!


3867 Posts
Location -
Joined 2000-02-04
Great, I had a brilliant post written but then I lost it. Oh, well the following is just the obvious regurgitated in simple form.
 
IMHO, the sanest answer to the question, "Is (insert *nix distro here) just as vulnerable as Windows?"....
 
Until a *nix distro has as much of a user base as Windows, has as much software support, AND has a major company like MS backing it up, THEN you can compare the two. Until then you can only really compare them in certain specialized uses.
 
Example:
 
Browsing internet with *nix.
Browsing internet with Windows.
 
Assuming no firewall is protecting either system which system will be most affected? Of course Windows. But why?
 
Because IE is integral to the OS.
Because IE is more popular and thus has more vulnerabilities.
 
 
I would say that using the old "Security through obscurity" saying that Linux is not as vulnerable as Windows.....not yet.
 
IMHO, I believe that in some ways MS is doing a better job at security.
Could they do better? Of course.
Will they do better? Of course.
Will they release fixes fast enough to satisfy the public?
Of course not. The larger and more popular the OS, the longer it takes to release the fix.
 
 
 
 
 
 


165 Posts
Location -
Joined 2004-01-30
OP
With regards to these security issues and which is more secure than what. Could it be true that if someone somewhere in China incorporated a few lines of code into the so well-known open source code software (*nix) and submitted this "new security solution" to the main headquarters for distribution and regular daily updates, but then and somehow it turns out that these new lines of code spy into everyone's computers and at the same time it would know where you'd go in the internet and every key stroke that you type. Could this scenario be true for *nix? Could this happen one day in the future? What prevents this happening? Or am I just bluffing and recounting M$ experience with this?


3857 Posts
Location -
Joined 2000-03-29
It is scary. No OS is safe, period (unless it's Novell, and that's because nobody cares).