Ramen, Slapper, Scalper and Mighty may sound like Santa’s new team of reindeer, but they are creatures far lower down the evolutionary ladder — and much less welcome. These are worms that have infiltrated Linux servers in recent months, commandeering the servers for use in distributed denial-of-service attacks. Linux enthusiasts who once believed they were less vulnerable to attack than Microsoft users have begun to wonder whether they were overly optimistic. Read the article at NewsFactor.
Isn’t Scalper a worm attacking FreeBSD/Apache?
Linux CAN be more secure than MS products. That doesn’t mean Linux automatically is. Just like any other OS, it is up to the admin to take extra steps to make a box secure and KEEP it secure. An incompetent admin running Linux doesn’t make me feel any safer than an incompetent admin running Windows 2000.
They sure are less vulnerable, and anybody who thought they would never get a worm or a virus was being foolish.
While it is possible to infect a Linux server (which uses unpatched software), it’s not nearly as common as an average Windows server, and requires a great deal more tuning and adaptability.
Software on top of Linux might not be secure, but Linux is.
As someone who knows little to nothing about security hacks, I have an honest question. If Linux had the same popularity of Windows (97% desktop market) wouldn’t there be more viruses being written and spread for Linux than Windows? How much of Linux security is in “Security by Obscurity”?
Of course if you eliminated all viruses that were Outlook or Outlook-Express only viruses the number of viruses for Windows would likely dramatically drop. There’s the biggest virus-magnet I’ve ever seen.
I’ve been witness to several instances of an inexperienced Linux system administrator setting up a Linux system only to have it hacked to pieces in a matter of days. Though this was mostly the fault of the distribution (Redhat 7, which was absolutely laden with security holes) coupled with inexperience, it stands to reason that, for inexperienced system administrators, it’s far easier to set up a reasonably secure Windows box than one running Linux.
I think open source vs. proprietary security is something of an apples-to-oranges situation. First of all, open source security is intrinsically faster-paced: attackers have access to the source code, easing the finding of exploits, though this is countered by the fact that so many can review the code to verify its security. Whether you choose to agree or not, I fully believe that the cloak of secrecy worn by proprietary software is an at least moderately effective countermeasure against the discovery of exploits, or at least an effective means of slowing down this discovery.
“Of course if you eliminated all viruses that were Outlook or Outlook-Express only viruses the number of viruses for Windows would likely dramatically drop. There’s the biggest virus-magnet I’ve ever seen.”
— That’s actually a pretty good point. If there was a way to get a bare bones Windows system (No browser, media player, email client, messenger, etc) and were able to load products aside from Microsoft’s on it you could have a pretty secure system. Most of the vulnerabilities are in their products (Word Macros, IIS, HTML Help, IE, Outlook) not in the Windows system itself.
Maybe the “security expert” was simplifying things for non-technical readers, but some of the statements were absurd. To paraphrase:
“Unix is older than Windows, so unix is more secure than Windows”
“Windows is older than Linux, so Windows is more secure than Linux”
Sounds strange to me, given that Linux is a re-implementation of unix (as if “unix” were a single OS)
Does that mean that FreeBSD is guaranteed to be more secure by virtue of being partly derived from old AT&T code?
This reminds me of something I read in an ancient Greek comedy (I forget where) that goes something like this:
Simpleton: My dog just fathered a litter of puppies.
Philosopher: Are you sure your dog is the father?
Simpleton: Definitely. I saw him mate with the puppies’ mother.
Philosopher: So he is a father?
Simpleton: Most assuredly.
Philosopher: And he is yours?
Simpleton: Yes.
Philosopher: He is a father, and he is yours, therefore he is your father, and the puppies are your brothers.
“If there was a way to get a bare bones Windows system (No browser, media player, email client, messenger, etc) and were able to load products aside from Microsoft’s on it you could have a pretty secure system.”
There was a M$ O.S. that didn’t have those components (at least, components that you could remove easily, without hosing the core O.S.), once upon a time (Windows 95). Unfortunately, those days are gone with M$, since they decide for us poor consumers what we need to operate on our PCs…
If Linux had the same popularity of Windows (97% desktop market) wouldn’t there be more viruses being written and spread for Linux than Windows? How much of Linux security is in “Security by Obscurity”?
I will answer “less”. But this mainly relies on users’ behaviours. Windows could be more secure if users would care more about security. However, the marketing from Microsoft was and still is heavily focused on “zero administration”.
They push people to think they don’t have to care about anything as their products are already configured and tuned. Microsoft focuses on ease of less to the expense of security, and that’s a very bad policy.
Hence, it’s not surprising to see so many viruses spreading so easily on Windows computers.
That’s also why I bash Lindows for their “run as root by default” policy which makes the system extremely vulnerable to attacks.
To conclude, it’s not really the open source nature of Linux that makes it more secure, but the way it’s used. You can get a very secure system with open source solutions but if you don’t care and deliberately leave everything open, don’t be surprised.
I think that there is no questioning that if linux held 97% of the market there would be viruses everywhere for it. If linux does get to a point of usage runaway and gets a big chunk of the market, viruses will be its problem like they are for MS. But it will be an even greater problem. The roadmap to how to go about infecting linux is laid out. Any would-be virusser would have all they need to be able to figure out their plan, or get ideas. With something like windows they have to work hard to find an exploit. The only way most know about them is by people talking about them and showing where they are.
Yes having the source open means a fix could come quicker but the game is still lost since you have to get things patched no matter what and those problems are no different no matter what OS you run. The only fix there is auto patching like you can have in windows. But so many seem against such things that are there to truly help you.
The other problem is people believing lots of people are out there continually looking at all the source code of linux for vulnerabilities. The truth of the matter is much of it probably hasn’t had an eye on it since it was made. MS probably has more people looking through windows code for such things than all of the open source community does. Many people find vulnerabilities in windows because they’re trying to find them often just to try and show windows is crappy or similar. If people didn’t go telling everyone about a hole they found there wouldn’t be too many people out there writing viruses. Smart people would tell those who need to know to fix it. (MS, linus) Those who look through linux source for holes probably wouldn’t tell anyone what they found and would put it to bad use. Do you think a bad guy would tell the linux community of a flaw? I suspect some are sitting there just waiting for linux to get bigger then strike with a virus that could cause big damage. Security through showing your flaws is a horrible idea. You don’t see the military giving every country the specs on stealth fighters. Why do similar for OS’s. You don’t need the opportunity to have millions look over code to find flaws, you do need some though. One of the best ways to find flaws is the consumer test. Put it out and wait for something to come up. Then those behind the scenes fix it. Let the bad people work for it.
Microsoft focuses on ease of less to the expense of security, and that’s a very bad policy.
I meant: Microsoft focuses on ease of use to the expense of security, and that’s a very bad policy.
Especially if a motivated person wants to write a virus. Really doesn’t matter what OS you might be championing, where there’s a will, there’s a way.
Unfortunately, some systems are easier than others.
Question & Title: Is Linux Really More Secure Than Windows?
Answer: YES!
> I think that there is no questioning
> that if linux held 97% of the
> market there would be virus
> everywhere for it.
That sounds smart, but actually, it doesn’t follow automatically. Look at web servers. In terms of web presence and usage, IIS is more obscure than Apache, and yet it has had more security problems.
That said, I think Microsoft is going to take security seriously, especially with this .Net agenda. From all accounts, they have decided to address the security issue. Don’t scoff, because, when Microsoft goes into something, they tend to stay there until they get it right. MS has money; they have smart people, and they have tons of hardworking, competitive, champion-minded dudes who want MS to be the best in everything.
So I won’t be surprised if Windows becomes the most secure OS five years down the line. This is how MS works:
1. Build a shoddy, inferior product
2. Market it aggressively
3. And while the marketing is going on, keep working hard to make sure the product overtakes superior competitors, and eventually becomes the best product in the market!!
Think Internet Explorer.
Think stability in Win2K/XP as compared to Win9*
Nevertheless, I think Linux will give MS nightmares in the long run.
“That sounds smart, but actually, it doesn’t follow automatically. Look at web servers. In terms of web presence and usage, IIS is more obscure than Apache, and yet it has had more security problems.”
While this may be true (and it probably is), it still doesn’t hold water. Why? Even though there are more apache servers than IIS servers out there, what platform do you think the majority of crackers are using? And which do you think would be easier to write a virus/worm for .. a platform that you use and have tools for, or a platform that you are not as familiar with?
Heck, on the Windows platform, you have lovely tools such as VBScript to play with. But if you’re on Linux, you probably don’t know shit about VBScript. Likewise, I am pretty sure I could write a perl script that would wreak havoc on your Linux system, assuming you were brave enough to run it without looking at the code or knowing what it does.
Also, if you go back and look at all the hacking tutorials from the early-to-mid 90s, you will notice that almost every single one of them are for hacking Unix systems. Heck, there were more ways to hack a Unix system than you could shake a stick at. Certainly, all the cracking gurus of the day weren’t running Windows 3.1, no? Is Windows 3.x really that more secure than Win9x?
These guys (or girls) are writing windows worms in vbscript on Linux with Apache? Please tell me how THAT works. I hear this all the time, yet when it’s broken down it makes NO SENSE as an argument whatsoever.
As many said already, many more bugs and security vulnerabilities would be discovered if Linux had 97% of the market, but Linux will also mature much faster by being open source.
If more bugs/vulnerabilities can be discovered due to open source, more bugs are known. If more bugs are known more bugs are being fixed, which leads to a faster pace of development, and reaches a pretty solid state faster.
Closing the source and obscuring holes only slows down the maturation of a project. Sure as hell opening the windows sources right now would bring it to its knees pretty fast, but I bet one year after opening the sources the os would be _MUCH_ more safe.
Keep opening your sources guys, your OS will only be better sooner.
He will probably say linux is more secure, but is definitely NOT perfect. Linux is used quite a lot on webservers. Saying that windows has 97% of the low end machine market (desktop) is irrelevant. You have to wait for evolution to be installed on desktops to make a comparison at the low desktop level.
The majority of viruses/exploits target Microsoft/Bill Gates products. More than likely written and hacked by linux gurus hehe. The fact is when linux is set up properly, the security it offers well surpasses windows. How about windows Firewall? It’s bogus. It doesn’t even work at the packet layer. You get an IP of a windows box, it’s only a matter of time before you can do something deviant to their system. Meanwhile if you have an IP of a linux box, what are you going to do? Unless the admin is stupid, you have to grab access and root to do anything substantial. If the box is running SSH, makes it harder. It makes it much harder than sending a trojan in an email to be opened by microsoft outlook. Fact is you install something as simple as linux mandrake 9.0 in higher security mode and run nmap, no ports are listed as open. Install windows and tell me how many ports are open? 5? 10? 20? 30? Unix has been around for over 35 years, windows.. well each version that comes out isn’t even an upgrade from before.. it’s like a new OS each time,
The fact about (OS) security is:
Every computer connected to the internet is vulnerable.
There are frequent security patches from all OS manufacturers out there. Microsoft, Apple, IBM, the Linux community, etc…
They all had to defend their systems against hacking.
But I think Microsoft’s OSes are sometimes more vulnerable than the others because:
While the cost to hack unixes is often high (you have to do real hacking), you can violate Windows by doing some simple Outlook scripting. But Outlook isn’t a real part of Windows. In fact many of the security problems OSes have don’t come through the core OS, they come through running services and applications. Outlook, IExplorer, Apache, sendmail or even through Office Applications you can violate OSes nowadays. I think many application developers open too many doors to the os through their applications, because they want to offer more comfort and flexibility. And this is not a Microsoft-only problem.
Ralf.
<#include upyoursNortonAV.h>
For starters, when did it become accepted to refer to a virus in the plural as “viruses?” I boycott all anti-viral software that uses the word “viruses” instead of the correct “virii.”
I think that the Newsfactor article was aimed more at increasing hits from an inflammatory headline and opening, than it was at journalistic substance.
The entire article had the distinct lack of meat in it (something hard for me to notice, being vegetarian.)
3 or 4 viral incidents doesn’t count as a plague, does it? As Dave Poirier said:
“anybody who thought they would never get a worm or a virus was being foolish.”
I have still yet to see an infection on any of the linux boxen I admin or use around my city. Couple that with the 2 or 3 virii that get knocked off at my Windows workstation *per day* (on average), and you begin to see a bit of perspective. Especially when you take into consideration the payload of some of these virii that get squished.
And then we take a look at these Worms. Aren’t worms like Ramen more aimed at security holes in other applications, such as wu-ftp or nfs? It’s also a little old and outdated.
As such, then we have to add the IIS, Outlook, Frontpage, Exchange et al. vulnerabilities to the list. Things get a bit murky now, eh?
The article seemed to be a bit of a troll. Can we Mod it down?
Notice that all the Linux viruses they mention just manipulate a known security issue fixed for over a month. So blame the users for not patching their servers (and to download *.BINs on the Net…)
Big Al: Of course if you eliminated all viruses that were Outlook or Outlook-Express only viruses the number of viruses for Windows would likely dramatically drop. There’s the biggest virus-magnet I’ve ever seen.
Of course, if another app, say Evolution, or Kroupware, gets the market off Outlook/OE’s hands, yeah, I’m sure a lot of over-buffering problems would be found (and trust me, no desktop user likes to patch their system every other day). So virus spreading can indeed be possible. One thing though, some ignorant users still open up *.vb and *.exe files that come through their mailboxes, being naive about it. Imagine a spread of *.bin virus….
David Bruce: Does that mean that FreeBSD is guaranteed to be more secure by virtue of being partly derived from old AT&T code?
FreeBSD doesn’t have any AT&T code. BSD in the beginning for like GNU for Linux. Then AT&T got jealous and made System V.
linux_baby: Don’t scoff, because, when Microsoft goes into something, they tend to stay there until they get it right.
Finally, something in this thread I agree with
Darius: Heck, on the Windows platform, you have lovely tools such as VBScript to play with. But if you’re on Linux, you probably don’t know shit about VBScript.
But then you have Perl or Python….
Ralf.: Every computer connected to the internet is vulnerable.
Yet another point I agree with…
Antarius: The article seemed to be a bit of a troll. Can we Mod it down?
NewsFactor itself is a troll, the only company they don’t bash is Apple…
Actually, the correct Latin plural for virus is viri, not virii. It’s a second-declension masculine noun. It would only be “virii” if the word were “virius”.
:-D
While this may be true (and it probably is), it still doesn’t hold water. Why? Even though there are more apache servers than IIS servers out there, what platform do you think the majority of crackers are using? And which do you think would be easier to write a virus/worm for .. a platform that you use and have tools for, or a platform that you are not as familiar with?
Your reasoning is good, but it actually works against your subject. Apache is available for whatever platform they’re working on, while IIS is not. In fact, IIS costs money, while Apache is free.
SO, it stands to reason that it is easier to write a virus/worm for Apache than for IIS. And where are all these destructive Apache worms, hmm?
“Sure as hell opening the windows sources right now would bring it to its knees pretty fast, but I bet one year after opening the sources the os would be _MUCH_ more safe.”
Dave, there is this syndrome you seem to suffer from; it’s called not knowing what you’re talking about. I realize it’s cool and quite possibly can get you laid by geek girls to make such outlandish and unfounded comments like the one above but please don’t try to seduce us too.
You have no idea how many security holes there are in windows. For all you know there may only be a handful left in the actual OS (so much for making windows “assume the position” then) there is no definitive way of knowing. As for opening the source to make it safer – that obviously hasn’t worked in linux. The only OS that can claim that is OpenBSD and not just because they are open source, in fact I’d say it’s mainly because they are fanatical about their security. So in all honesty MS could just keep the source closed – and if they would just pay as much attention to security as OpenBSD does they would probably be just as safe.
FreeBSD doesn’t have any AT&T code. BSD in the beginning for like GNU for Linux. Then AT&T got jealous and made System V.
— rajanr, they did have that, they had to strip it out .. I quite clearly remember that trial..
It should be easier to write worms and viruses for linux since the source code is available and you can see what is going on all over the system. You could just look at the assembly output by the compiler and don’t need to disassemble the binary file. This makes it much easier to find security holes than on windows but it also makes it easier to fix them as well.
It would be risky to use newer open source software that hasn’t been tested in the real world. Older applications should be safer.
The big difference between vbscript and perl is that only the perl interpreter runs perl programs. If you get to the point on a linux system where you can run a perl script then you might as well run a binary instead. VBscripts on the other hand run in all sorts of places in windows where security is an issue.
Kmail does not run scripts, you cannot click on an attachment and run a program in your mail, this is a fundamental difference between Linux and Windows. Outlook is a stupid virus haven; Linux mail programs are not. And popularity will not make them so. Outlook is by nature insecure; if it was available on Linux there would be just as many Outlook viruses. Outlook is the real culprit, not its popularity.
“I realize it’s cool and quite possibly can get you laid by geek girls to make such outlandish and unfounded comments like the one above but please don’t try to seduce us too.”
I’m not making comments in order to get girls, if that’s what I wanted I’d go outside more often. As for the actual opening of the sources, I do believe it plays a part in the entire picture.
While it is true that it is currently impossible to say how many vulnerabilities are left in Windows, it is possible to extrapolate based on the various MS executive declarations. One of the major security concerns of Microsoft is its weak API, some of which offer access to sections of the OS that are “secured”, those same APIs were not released to the public as a result of the DOJ vs Microsoft case and were marked as “potential security concern”.
Am I still sounding unfounded? Or should I actually also dig in the MSNBC and News.com archives for the actual quotes by the executives?
Having the sources of an operating system makes it easier for the hacker to find vulnerabilities, I think this is pretty much a given, not something I’m making up.
I’d give a little more spicy reply, but that wouldn’t be politically correct.
Educate yourself.
robert renling: rajanr they did have that, they had to strip it out .. i quite clearly remember that trial..
I didn’t imply that in the beginning they didn’t have AT&T code, well, heck, they do! The trial caused the birth of BSDLite.
So now, ALL claimed BSDs don’t have any AT&T code, except those with UNIX branding (naturally).
Richard: Kmail does not run scripts, you cannot click on an attachment and run a program in your mail, this is a fundamental difference between Linux and Windows.
Uhmmmm, Evolution does (and it is one of the most popular email clients on Linux now…). Heck, even my newspaper tech pullout had a few write ups and reviews of Evolution, never seen one for KMail.
So I think if tomorrow WHO finds Windows hazardous to human health and passes a UN resolution to ban Windows, and everyone uses Linux, I’ll bet Evolution would be the top…
Dave Poirier: One of the major security concerns of Microsoft is its weak API
I 100% agree. Unfortunately, it is Win32 and its apps that kept Windows in power for so long. I really do wish Avalon wouldn’t be a superset of Win32, rather a new API planned on paper with security in mind.
If there was a Latin plural of Virus it would be Viri. However, there
is no known example in a genuine Latin document of Virus being used in
the plural. As it means “poisonous slime, or nasty taste or smell”
that isn’t surprising.
The current English meanings of Virus are quite different from the
original Latin. IMO it should be treated as an English word, with the
plural Viruses.
And we certainly need a plural: there are enough of both the organic
and the software kind around.
Gah. Not the viruses/virii debate again. Sure, the Latin plural of virus may be viri, but the English plural of virus is viruses. Consult Merriam-Webster, there’s no virii there.
Sorry for being offtopic.
Likewise, I am pretty sure I could write a perl script that would wreak havoc on your Linux system, assuming you were brave enough to run it without looking at the code or knowing what it does
This is bogus reasoning. The original message was talking about IIS security holes, which can be triggered without anyone running something for being too naive (except IIS, that is ;-)). This has nothing to do with convincing someone who has a root access to execute an unknown script under root.
Darius asked Is Windows 3.x really that more secure than Win9x? – I ask Darius: What exploits do you know of for Win3.x? It is (even more than Win9x) a shell on top of DOS, with an optional TCP/IP stack.
I don’t know of any remote exploits for either, though there were certainly enough .exe and email viruses for Win3.x.
As to the original post, Linux / Windows, there will obviously be more exploits for Linux as Linux gets more popular. I am actually thankful, as a Linux advocate, for these worms – they help to publicise the general SysAdmin fact that there is no such thing as secure out-of-the-box (not even for OpenBSD, any more) and a responsible sysadmin should always keep their eyes on Bugtraq et al, know what they’ve got installed, and know when they’re vulnerable.
The question about “If Linux had 97% share” is a very difficult one, as it implies more assumptions than it states – if Linux in its current form had 97% share, it wouldn’t have as many problems as Windows does, but if it has to implement a ton of insecure “features” to get that 97% share, then it would have just as many problems.
Also with that level of usage, the proportion of white hats would reduce – at the moment, there are a lot of security experts out there with a soft spot for Linux, and most of the s/kiddies haven’t heard of it. When there are more people looking at a thing maliciously than there are looking at it magnanimously, more holes will be exploited than reported.
so we are getting there now
et tu Rajan
haha
hope ya get my email. Don’t like to be enemies with others you know, the only OSNews persons I’m still an enemy with is Speed and Stof….
If linux is getting hit pretty hard right now, and at the moment it holds a tiny part of the market, what will happen when it holds 50%? How many linux worms will come out? I believe all these security vulnerabilities are caused by no set standards throughout the linux community.
Linux is not “getting hit pretty hard”, it’s only news because these things exist, not because they’re actually causing a problem. My Linux box has been on the net for 20 hours at the moment, and nothing has touched it. It’s just some Linux boxes running unpatched web services which can be affected by this.
How long would you last running an unpatched IIS server? My logs show that a whole 29 hours ago, someone was looking for /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ … so the answer is, that if you were on my IP address, you’d have been owned by now. Not just some little script on your machine, you’d have given that machine over to the script kiddies.
Anyone able to remember the first remote Windows exploit? Nah, thought not, there are too many to recall.
And as for the article claiming that Linux is even newer than Windows, let’s see, the Linux kernel has been under development since 1991, the Windows kernels (9x/NT) have been under development since the early-to-mid-1990s.
So Linux, although older than Windows, and distributing its source freely, is now, 11 years later, getting its first worm.
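The probe quoted in the comment above is percent-encoded twice (`%252e` decodes to `%2e`, then to `.`), so a log check that decodes once never sees the `..` segments. The following is an added example, not part of the original thread: a log scan that decodes request paths until they stop changing and then flags traversal. The log lines, IP addresses and function names are constructed for illustration; only the request path on the second sample line is from the post.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format, documentation-range IPs).
# Only the request path on the second line comes from the post.
SAMPLE_LOG = r'''192.0.2.10 - - [01/Dec/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Dec/2002:10:02:17 +0000] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 287
192.0.2.44 - - [01/Dec/2002:10:05:40 +0000] "GET /docs/100%25-uptime.html HTTP/1.0" 200 512
192.0.2.45 - - [01/Dec/2002:10:06:12 +0000] "GET /files/report..final.txt HTTP/1.0" 200 2210
'''

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_ROUNDS = 5  # upper bound on decode passes, so hostile input cannot loop us


def fully_decode(path, max_rounds=MAX_ROUNDS):
    """Percent-decode until the string stops changing.

    Returns (decoded_path, number_of_passes_that_changed_something).
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(target):
    """Return (decoded_path, findings) for one request target."""
    path = target.split("?", 1)[0]          # ignore the query string
    decoded, rounds = fully_decode(path)
    # Split on both separators: Windows servers accept '\' as well as '/'.
    segments = re.split(r"[/\\]", decoded)
    findings = []
    if ".." in segments:                    # a whole segment, not a substring
        findings.append("dot-dot segment after decoding")
    if rounds > 1:
        findings.append("path was percent-encoded %d times" % rounds)
    if segments[-1].lower() == "cmd.exe":
        findings.append("request for cmd.exe")
    return decoded, findings


def scan(log_text):
    """Return one dict per log line whose request path has findings."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded, findings = classify(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "decoded": decoded,
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["decoded"])
        for finding in hit["findings"]:
            print("   -", finding)
```

A match only identifies the request as a probe; the logged response status shows how the server answered it.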
You guys took me WAY too seriously. Didn’t you notice the “:-D” at the end of my message??? Did I SAY we should use “viri” as the English plural of “virus”? Can’t I mock a guy pretending to know what he’s talking about without SOME leeway?!? Sheesh.
… is “Virus”. We Italians use that form, and since Latins were our ancestors, this is just true. ;-)))