In my last post, I showed how the vulnerability counts for Ubuntu Dapper LTS were lower than Windows Vista. However, I also mentioned that this should be used only to counter Microsoft FUD, and not as a measure of security. What, then, shows that Linux is actually more secure than Windows?
To answer this, we first have to look at what security actually is. Too many people make the mistake of calling a product secure, e.g Linux is more secure than Windows, Opera is more secure than IE etc. Now, security is not a product. It is a process with the user in a central role. Security is a state to be actively attained by proper interaction of the user and the software. Vulnerability patch management is just an important part of this process. What are perhaps more important are proper tools for patch management, stronger defaults and a multilayered approach to security keeping in mind the practical security scenario for that particular software, with the user forming both the first and last line of defence.
With this is mind, I turn to the reasons why an educated user using a Linux distro is in general more secure than while using Windows:
Much better patch management tools: In Windows, the automated update procedure just updates the components supplied by Microsoft. No third party applications are patched. Now, third party applications make up the bulk of the security vulnerabilities. Using Real player? You have to update separately. Using Flash? Update separately. So, for all applications, you have to regularly check for updates for each and every software. This is extremely cumbersome, (though, fortunately, this experience is made tolerable by use of the Secunia PSI) and most users just forget to do it. In Linux, you have automated update system which will update all your software. In Ubuntu, any product you have downloaded, if present in the repository, will be updated at the single click of a mouse. In other distros, if the downloaded software is not present in the repository provided by the distro, adding the product repository is a one time process. This greatly increases user compliance in staying fully updated.
Much stronger default configuration: Linux was designed to be a multi-user system. Therefore, the underlying system files will remain protected even if the user is compromised. If, unfortunately, any remote code execution takes place, it will only take place locally. This is to be contrasted to Windows XP, where the user logs in as administrator by default, and any compromise takes on a system wide character. Windows Vista has also moved to a limited user account by default, and therefore is more secure than its predecessor.
Modular Design: Linux is modular by design, that is, any system component may be removed if unnecessary. As a result, if the user feels that a part of the system is more insecure, he or she may remove that component. The same cannot be said of the Windows system. e.g If I feel that Firefox is the most vulnerable part of my Linux distro, I may remove it completely and replace it with another browser, say, Opera. In Windows, I cannot remove Internet Explorer.
Better tools to protect against zero-day attacks: It is not always sufficient to keep oneself fully patched. Zero-day attacks (an attack where the exploit code is released before the vendor patches the vulnerability) are increasingly becoming common. One study has also shown that it takes only six days for crackers to release exploits, it takes vendors much longer to release them. Therefore, a sensible security policy will make provisions for zero-day attacks. Windows XP has no such provision. Vista, in protected mode, though useful, provides only limited protection to Internet Explorer Attacks. Contrast it to the protection provided by AppArmor or SELinux, both of which provide finely granular protection against any types of remote code execution attacks. It is increasingly becoming common for Distros to ship with AppArmor (e.g SuSE, Ubuntu Gutsy) or SELinux(Fedora, Debian Etch, Yellow Dog) by default. In others, they can be downloaded from the repositories (e.g AppArmor in Mandriva 2008)
Open Source Architecture: In Linux, it is mostly “What you see is what you get” as far as security is concerned. The Open code means that vulnerabilities are seen by “many eyes” and fixed as fast as possible. What, more importantly, this also means, is that there is no scope to hide the patched vulnerabilities, there are no hidden fixes. The user, if motivated, may find out the security issues known for his Operating System, and take precautionary measures against potential exploits, even if the vulnerabilities are not patched. In the Windows world, however, many security issues are hidden. Internally found flaws are not publicly released, and the vendor waits for a major update or service pack to patch silently. While this may lead to lesser vulnerability counts, and better publicity using flawed statistics, this keeps the user in ignorance. As a result, an user may not patch a system if he finds that he is not vulnerable to the reported vulnerabilities, while he may, in reality, be affected by a hidden patch.
Diverse Environment: The Windows environment has been likened to a monoculture. There is great homogeneity which makes it easier for crackers to write exploit code, viruses and the like. Compare this to the Linux world. Here, a program can be a .deb, .rpm, or source code, to name a few. This heterogeneity makes it difficult for crackers to have the widespread impact that is possible on Windows.
Finally, however, the security of a system is in the hands of the user. A knowledgeable user can use a Windows 98 safely, an ignorant user may even compromise OpenBSD based systems. Therefore, it is extremely important to know how one can be compromised, and how one can protect oneself against getting owned. Remember that!
38 comments:
Maybe security through obscurity. Windows has a so much larger user base. Linux can never change that, unless you get developers to back it, which they never will.
I think your "Diverse Environment" argument is a bit flat. I'm a Linux user and I agree with many things you've said, but the package that the program comes in does not effect exploits (once the program is installed, the exploits are the same). And if you're talking about making a file that can install and run, like a Windows virus, you can simply make it a Linux binary and bypass the whole package manager deal (which is probably a "good" idea - makes it harder to find/remove). A better argument for this point would be the fact that different distributions use different system structures, placing files/programs in a variety of places (i.e. Arch Linux likes big programs in /opt) making it harder for an attacker to be sure where to look for whatever devious thing they have planned. But in the end, they can still find a way...
Two criticisms. First, at the beginning you say that security is a process. Then in the very next sentence you say that security is a state. A state is fundamentally different than a process, so you have contradicted yourself right off the bat.
Second, you are overlooking the fact that the target audience for these two products is very different. Windows must be usable by the widest possible group of people. Linux has tended to target a relatively narrow audience of technically competent users. Some of your points apply only to those technically savvy enough to understand SELinux and other security enhancements, but that is not the Windows audience. Until Linux distros targeted at dumb-as-stone consumers are able to implement these security features in a transparent way, you should not count them as advantages for Linux.
Likewise for features like the ability to disable components that you fear are insecure, or studying source code for vulnerabilities so you can judge how much at risk you are. All these capabilities are irrelevant for the Windows target audience.
Developers have been the first ones to back Linux to the point that sometimes Linux is criticized as too developer centric.
Certainly Linux is not as popular as Windows, but that is not why it is more secure. Linux and UNIX have a huge share of the server market. Windows is more permissive allowing the end user more flexibility and less time entering passwords and reading dialog warnings. OSX is a little guilty of that too. Vista changed that somewhat. But overall Linux is more secure because of its overall design. Of course one can kill that theory by running X or terminal as root, but most distros try to warn you that that is not a bright idea.
linux (the os) is just as much of a monoculture as ms (the os). I have not looked but I'm sure there are alot binaries/source that are the same amongst all the distro's
my .00000129 cents worth
troth
http://encyclopediadramatica.com/Lunix
You start off by saying that Linux is more secure than Windows, then immediately attack MS for not keeping updates going on 3rd party apps. And to be clear, the automation of updates (in Linux) is NOT true for many, many applications once you step out of the prepackaged run-of-the-mill apps. I've got many apps that I have to manually update on Linux--and instead of downloading a new version, I have to grab source, config, compile, and install--frequently from a command line with vague documentation. Automated tools like RHUpdates and YUM only catch what the repositories say is out there. I'm not knocking Linux, I use it every day, and love it, but baming Microsoft/Windows for not providing an interface for 3rd party app updates is kind of like saying that Ford's responsible for software updates for your Ipod because you dock it with the onboard stereo system.
Linux is a monoculture? Do you even understand the word?
With Windows, you have one product released by one vendor. Sure, the one product has many flash names (Home, Business, Ultimate, etc.) but it's the same operating system with either increased or decreased functionality.
With Linux you have several different companies. Novell, Canonical, Debian, etc. You have radically different environments in all of them (same kernel, of course, but significantly different programs on top.)
And the important part: culture. With Debian, you have people who have strong beliefs about free software. Ubuntu is Desktop/user orientated. Gentoo is for people who want performance and the ability to tweak their OS. Look at just about any Distro, and each has a different purpose. The people who use one over all the rest are generally going to do so for a reason of their own.
What does Windows have? What does it offer? Paying more for functionality that should not have to be bought extra.
While Windows does have a larger user base it should be noted that Linux and even the Mac OS has gained more users lately. Maybe its not alot but it could signal a change.
@bitbucket
Really, you install packages manually?
What distro do you use? On Ubuntu, just about any linux program you could want is available via apt. And if it isn't, most OSS projects provide an apt mirror for downloading/updating. Even flash player 9.
If you're compiling from source, then you're doing so for a reason (I would hope). If you can figure that out, I'm confident you'll be able to stay up to date.
Microsoft already provides drivers for 3rd party hardware. It keeps track of Firewall/Antivirus software being up to date.
It's not much of a stretch of the imagination to think that Microsoft should consider making sure 3rd party (popular, commonly used) programs are up to date as well.
@anonymous
>Two criticisms. First, at the beginning >you say that security is a process. Then >in the very next sentence you say that >security is a state. A state is >fundamentally different than a process, >so you have contradicted yourself right >off the bat.
security is process when you upgrade,audit,check logs of software when you don't do that it is only current state
I think you're missing a couple pieces that make all the difference.
As far as updates go; you may be right that Linux is easier to update than Windows due to integrating apps together. However, you assume that the users are capable of updating. Your average Linux user says "Patching? Duh!" versus Windows which is "Patching? What's that?". Serving a larger more diverse crowd necessitates 'marking your territory' as far as what software you claim to be liable to support.
Also, Microsoft has central bug tracking and vulnerability support, which is not something that Linux has implemented yet across all distro's. Some can, sure, but not all. JPEG render code execution for example; it was reported as an issue, and within a week a fix was distributed. And that was a bad one. With Linux, I might have that vulnerability and never even know it. And don't say "Oh, the vulnerability isn't there!" or else i'll call you a Mac user. :P
To the first anonymous poster: Security through obscurity is what is practised by many closed source apps. Open source is transparent.
Mark, I agree with you to a vwery large extent. I meant to include those examples as well.
To the third poster: A secure process results in a secure state.
Further, Ubuntu, Mepis etc are targeted at dumb as stone consumers. I was very nearly dumb as stone when I first started using Linux. I can say that Linux actually made me a better Windows user.
bitbucket,I have not attacked MS for not using third party apps, but the first point is an important point in Linuxs favour.They have made a killer app with synaptic package manager or YUM, a killer app not found in the Windows world. Even though checking for third party updates is not Microsoft's lookout, still Linux distros deserve credit for taking care to install that app, as well as maintaining the full repositories. The patch management carried out by Ubuntu or RedHat is remarkable indeed, and they deserve kudos for that.
I have not needed to config and compile many apps(just one in my memory, for my stupid login program of my ISP, and even that is now a thing of the past). All the major programs are found in the repositories. Or you can add the repositories yourself. Windows could have provided that framework.
@ninja
Good point; some distros still don't do this well. But let's look at the most popular Desktop Linux Ubuntu.
You are notified when there are updates, right by the clock. You click, push 'upgrade', wait a few minutes, and you're done. In many ways it's comparable or better than automatic updates of windows (and no weird browser-specific stuff here, either).
No user should EVER need to manually patch something.
Microsoft's bug tracking isn't going to be used by most end-users. The same is not true with Ubuntu; if there is a problem, generally you post on the ubuntuforums website. If it's a bug, you are refered to launchpad which makes it very easy to users to submit bug reports, and get help.
Google for weird problems on linux, and you generally see a few launchpad pages. I can't remember the last time I googled windows problems and the Microsoft bug-tracker came up.
As for the JPEG bug, a program would have to be running at root for there to be any real effect. Assuming the bug affects one of the 0 listening services on a default Ubuntu install.
On Windows, with it's many listening services and most things running as Administrator... :)
ninjamidget, that is why it is very important to select a good distro.
My fault actually, I have been spoilt by Mepis, Ubuntu (and Mint), Mandriva, and SuSE. All of them inform me when a patch is available, by default. It is a one click process on these distros.
I intend to address the issue of patching and vendor response times in a later post (difficulty is, with all my work,I am a doctor after all, I have very little time for my hobby)
You're basing your conclusions both off a false premise, and faulty reasoning.
See: http://www.robertdowney.com/2006/07/unsupported-assertions.html
To the last poster, take a look at my previous blog post comparing Ubuntu and Vista OSes. Jeff Jones numbers were based on a bad use of statistics.And vulnerability counts are really a horrible way of measuring security, especially across vendors having different attitudes to patching.
Nothing new here... why are we getting hundreds of blogs and websites popping up about the advantages of Linux.
Anyone would think you are shoving it down peoples throats. You have to understand, people already know the advantages and disadvantages of Linux and Windows.
And jesus christ, is EVERYONE switching to Linux (n00buntu) lately or what?
Nobody is shoving Linux down others throats. People, starting with some early converts are coming to realize the benefits of Linux, and blogging about it.
This whole article is written from the perspective of a 7th grader. To be honest I stopped reading after the mention of AppArmour/SeLinux as they have nothing to do with preventing zero day. They are nothing more than strict access controls that may or may not be posixly correct, which is why they are not included in the mainline kernel.
This article is pure marketing fluff and anyone even remotely involved in security can tell you that security has nothing to do with marketing fluff. Also, by arguing that "linux is more secure" you have already lost the argument as any system, whether it be a computer, phone, or physical, is only as secure as it's user(s).
TL;DR This article was written by a 7th grader that doesn't even know what eip is, making anything they said either invalid or marketing fluff.
What nonsense, Apparmor and SELinux have nothing to do with zero days? Learn about what you are speaking. These two tools lessen the criticality of zero day exploits. The term I used was protecting against zero days, not prevention.With these tools, remote code exploits usually become harmless.
You have talked about "marketing fluff". I do not need to go into marketing fluff, I am satisfied with my own profession, thank you!
Give constructive criticism, blast at my mistakes, but do not distort the truth.
Your statements show that you have come here just to spread FUD!
I heard a recent poll showed Linux is used on every desktop ever.
One more thing: in e.g. Ubuntu, most packages come from one central place which is properly signed, with a low risk of including viruses.
Thanks Vincent, slipped my mind completely.
I haven't had a Virus on any of my Windows machines in YEARS, and I don't even run Antivirus software.
If you're getting Viruses on Windows then it's obviously a user error. Switching to Linux makes your OS more secure by default, but then you have the issues that come with Linux; namely sub-par software.
You won't find a decent replacement for alot of Windows apps, like the Adobe suite, foobar2000, Exact Audio Copy. Sure WINE and CEDEGA can work to a degree, but not 100% on all programs/games.
I used Linux for years but switched back to Windows full-time over a year ago, I felt Linux took too much time to do simple things, even setting up programs would be a nightmare if they didn't work off the bat.
Something else to consider is that Microsoft has complete control of the operating system. The default installation files are pretty much the same across all installations.
What if Microsoft decided to include, say, a file from Macrovision called secdrv.sys which allowed a hacker to gain complete control of your system. And let's say that said file was only good for gaming. Why has Microsoft decided to include it on *all* installations of XP and Server 2003?
Linux has no such dictates upon installation.
For more, please read this link
I like your review. I'm happy you didn't use 'Linux have got too small market share'-argument. AppArmor does great job, making exploiting of security hole nearly impossible and now you don't even need advanced technic knowledge to use it.
I really doubt that linux should target 'dumb as stone' audience. It should be user friendly and I have nothing against GUI configuration tools etc. But if it goes the way, GNOME took with its printing dialog ("Don't put too much options, because it could confuse the user) I think it's quite stupid...but it's another story ;)
"With Linux you have several different companies. Novell, Canonical, Debian, etc. You have radically different environments in all of them (same kernel, of course, but significantly different programs on top.)" -Termina
Guess you've never heard of the linux standard base.
http://www.linux-foundation.org/en/LSB
PoeticIntensity, thats the most retarded comment ever.
You really think Microsoft would include a file in it's installer that was specifically designed to give hackers / viruses easy access? Gimme a break...
Who's to say the packages you're installing from random repositories aren't filled with viruses? Unless you stick to the official repositories you just can't rule that out.
Anonymous,
I didn't mean that the purpose for inclusion of that file was just to enable hacking and cracking of Windows.
The file is a DRM file that enables games created by Macrovision to be played on Windows.
My point was that a file like that should be "optional".
Upon installation of Windows, that file is installed - period. You have no choice. You can delete it later on, but only if you know it exists. I have proof the file indeed exists (check your system yourself), and it's documented that the file contains code which can be exploited to allow a person to gain complete control of the system.
Using gentoo Linux (my distro of choice) starts with a very clean slate. The only things *required* are core packages which enable the OS to run. It doesn't even install a GUI by default, much less a hackable file used only for game play.
That was my only point. With Windows, the file secdrv.sys *is* installed. You have no choice in its installation, but can delete it later on. With Linux, it's not required - nor is anything you don't want or need.
I've documented more about this flaw here.
I hope that provides clarification of my point.
@Mark,
You don't understand very much about the ELF binary architecture, I guess. It is in a state referred to as "brittle," meaning it breaks easily between different kernel versions. Linus refuses to publish a static ABI, making the breakage situation permanent. That is why there is the joke about infecting yourself with a virus involving reading the README file and compiling yourself.
Just TRY to get a RH6.2 binary to run on Fedore Core 8 machine (without adding in special compatibility layers).
See my write-up on this topic at http://ibeentoubuntu.blogspot.com/2007/10/so-you-want-to-know-how-to-use-anti.html
Hi Nilotpal,
Interesting round up. I too am a physician with a lot of interest in linux and open source software. So I was interested to find someone with similar interests in this field. Contact me if you can and we will catch up on things some time.
I am inspired by this discussion where people just go every direction and argue from different angles. I think it will be more clear if we consider security problems from the framework I suggest here:
http://paulsdigitalworld.blogspot.com/2008/01/linux-vs-windows-operating-system.html
AMEN
What a load of fanboyism and myths :-)
Hi,
I think who is more secure is depends upon person to person.Bcoz Microsoft has lots of ways to secure the OS and Linux too.
But I thing common man do not know Linux more so he can't do some excepted changes regarding security.
And as per viruses are field windows are more viruses than Linux because only computer savvy peoples are using Linux but in the Windows case everyone is using that. So spreading viruses in Windows system is more easy and that can be more desirous which that attacker wants.
Thanks
Sachin
Nice article!
http://www.infinitelyvirtual.com
Post a Comment