Windows vs Linux Security
From: Dave (macquigg_at_ece.arizona.edu)
Date: 15 Sep 2003 11:04:31 -0700

Starting a new thread here, because "M$ Attack on Common Sense" is
getting long and wandering off topic. I'm no expert on computer
security, but I've been reading avidly this last week, after going
through hell the previous week. Here is what I've been able to learn.
Comments are welcome.

I see four lines of defense:

1) Hardware Defenses. Is the hardware designed so that there is no
way it can be damaged by anything that happens at the software level?

2) System Isolation. Is the core system designed so that there is no
way it can be damaged by anything that happens at the user level?
This would include viruses, hung programs, or any random code that
happens to accidentally fall into the instruction registers while in

3) User Isolation. Is the system and all of its users protected
against anything that can happen in another user's account? Viruses,
random code, etc.

4) Applications. Are all of the applications designed so that there
is no way malicious code can be run without tricking the user to run
it? Do these applications recognize a request to run code (even if it
is disguised as something else) and provide the user an easy way to
run it in isolation?

Seems to me that the Level 1 and 2 problems have been solved, Level 3
problems are still with us, but will be eventually solved, and Level 4
problems will be with us always. At level 4, the best we can do is
educate users to be wary about running any un-trusted code, push
application developers to provide warnings when such code is about to
be run, and push security companies for ever-better anti-virus

As a fairly competent user, I would be happy with a robust solution to
the Level 3 problems. That will at least isolate me from whatever
happens in the kid's accounts, or my own "junk" account. Better
programs at Level 4 would be nice (and probably essential for naive
users) but I personally can live with occasionally having to switch to
my "junk" account to open a strange email attachment.

Here is my current understanding of the Linux vs Windows security

Levels 1 and 2) No problem with either system.

Level 3) It looks like Linux has a very robust isolation of user
files and processes, and Windows does not. In the previous thread, I
got not a single response to my challenge for anyone to show me code
that could destroy anything or access "read-only" information outside
my "junk" account on Red Hat 8.

Microsoft is talking about building a new OS "from scratch".
http://www.pcmag.com/article2/0,4149,991132,00.asp This gives me a
feeling that Microsoft realizes the enormity of the security problem
and the impossibility of fixing it by adding a multi-user layer on top
of what is essentially a single user system. On the other hand,
Microsoft has demonstrated that it can make an enormous unstable
system stable. Maybe they can fix the security problems by "brute
force" and lots of money.

Level 4) I see no fundamental advantage of one system over another,
but a current advantage for Linux, because it is a less attractive
target than Windows. This is a result, not of anything inherent in
the OS, but simply that virus writers will attack the most popular
applications, and to some extent, a company they perceive as an "evil

I do see an advantage in open-source development, and to the extent
that Linux encourages such development, I believe Linux applications
will be more secure. But again, this is not inherent in the OS
itself. Open-source programs can be run on either platform.

As a user of both Windows and Linux, I am *not* alarmed by the long
list of bugs reported in Linux.
http://www.linuxsecurity.com/advisories/index.html In fact, I find it
re-assuring to get occasional alerts from Red Hat when one of these is
a security patch which affects my system. Almost always, these are
obscure problems that *could* be exploited, but haven't been. The
people who discover these problems get credit for their work, and that
may be one reason they use their talents for good, not evil.

Are there many more undiscovered holes at the application level? No
doubt there are. At the user-isolation layer? I don't think so, but
I am listening carefully for any evidence to the contrary.
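
Added example (not part of the original post): one way to check the Level 3 "user isolation" claim on a Unix system is to list everything outside an account's home directory that the account could write to under the classic owner/group/other mode bits. The function names are hypothetical, and the check assumes mode bits only: ACLs, SELinux and directory search permission are not modelled.

```python
import os
import stat

def may_write(mode, owner, group, uid, gids):
    """Classic Unix check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == owner:
        return bool(mode & stat.S_IWUSR)  # owner class wins even if 'other' is looser
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(root, uid, gids, home):
    """Return sorted (path, note) pairs under root, outside home, that uid may write."""
    findings = []
    home = os.path.abspath(home)
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into (or report) the account's own home directory.
        dirnames[:] = [d for d in dirnames
                       if os.path.abspath(os.path.join(dirpath, d)) != home]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not used for access
            if not may_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                continue
            # Sticky directories (like /tmp) are shared by design: anyone may
            # create entries, but only owners may delete or rename them.
            sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            findings.append((path, "sticky directory" if sticky else "writable"))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys  # usage: audit.py ACCOUNT ROOT   (e.g. audit.py junk /etc)
    pw = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for path, note in audit(sys.argv[2], pw.pw_uid, groups, pw.pw_dir):
        print(note, path)
```

Any "writable" line in the output is a place where the isolation between accounts depends on something other than file permissions.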