Re: Will Linux become as vulnerable as MS ??

From: Nils Petter Vaskinn (no_at_spam.for.me.invalid)
Date: 02/12/04

    Date: Thu, 12 Feb 2004 11:29:48 GMT
    
    

    On Wed, 11 Feb 2004 19:36:58 -0800, Jim Richardson wrote:

    > You're mixing up a few things, and ignoring others.

    I don't think I mix up much. I have chosen to ignore a few things because
    I wasn't talking about being vulnerable to worms, I'm talking about
    being vulnerable to viruses.

    >
    > 1) Unlike OE, IE, et al, Linux doesn't conflate open() and exec().

    I never said it did. But people sometimes get infected by viruses from files
    that they know are executable, and execute intentionally. Like
    some_famous_person_nude.exe, some_game_cracked.exe,
    some_file_I_got_from_my_mom_so_it_must_be_safe.exe

    > 2) While a few years ago, RH et al, had a problem with turning every
    > dang dæmon on "just in case", that's no longer the problem it was. Now,
    > the tendency is to have nothing turned on without express human action.

    Yes. But any sucker can set a demon up to run and then forget about it.
    "chkconfig whateverd on" is all it takes when you forget about it later
    on. Limiting a service through iptables, pam, and hosts.{allow,deny} is
    far harder than just turning it on.

    > 3) The mono-culture in the MS world, simply has no comparison in Linux.
    > the writers of viruses and trojans know that IE and probably OE will be
    > installed, and they act accordingly. That's simply not the case with
    > Linux, each distro is a little different, and even within the distro,
    > the user can easily choose to change the default, with far less effort
    > than it would take under MS-Windows.

    They're not that different. While you can't easily target a particular
    browser or mail client, once you get something to run you can be fairly
    sure that the usual command line utilities are there. Remember we're
    talking about viruses exploiting user-stupidity here.

    > 4) In addition to the diversity of applications, there's a diversity of
    > libraries. While various versions of glibc work fine together, the
    > trojans and other malware we've encountered to date, are quite fragile,
    > not working when little things change, like stack allocations, and such.
    > Again, MS-Windows is far more rigid and consistent in these things. In
    > part, because of the nature of IPC in MS-Windows. They happily fling
    > binary data back and forth, that's frowned on in most *nix apps, who
    > instead push text back and forth, across more robust, and far less
    > rigid, interfaces. Trojans and other malware are usually quite fragile.

    So we will see statically linked viruses instead of dynamically linked
    ones.

    > 5) Linux distros don't upgrade by patch, they upgrade by replacing the
    > old app, completely, with the new one. It's a big difference. You don't
    > have to worry that patch b will open wide, the sec flaw that patch a
    > closed last week, sure, it's possible that the upstream maintainer
    > screwed up, but it's far less likely. They are juggling far fewer balls
    > in the air than their counterparts in Redmond.

    Actually I thought this was what was done on windows too, only that if an
    application consists of several files (dlls or whatever) only the changed
    ones are updated. I may be wrong of course.

    > 6) With Linux, click on the attachment all you want, it's not going to
    > be executed unless you go *way* out of your way to make it do so. Unlike
    > MS-Windows...

    Fortunately this is still the case.

    But one day some well intentioned fool will add the capability to click to
    open according to filename ending to a mail client.

    Some other well intentioned fool will make *.sh files open with bash.
    Since clicking on a script is easier than typing its name, not realizing
    the mail program uses the same file <-> program settings as the filesystem
    browser.

    Then anyone with a basic understanding of shell scripts could write one
    capable of mailing itself out.

    Such a script could even copy itself into any scripts it finds that the
    current user has write privileges to and silently keep doing that
    whenever a script is run until it's run by uid 0, which is when it
    installs a backdoor.

    If this happens on a system where users share scripts (eg in project
    folders) the script-virus could spread until it infects all user writable
    scripts on a machine. And if root executes only one of those

    > None of this means that Linux is invulnerable, or that it can't be
    > improved. But these, and other points, are some of the reasons that it
    > is *less* vulnerable than MS-Windows.

    I agree to that.

    > Consider this. The overwhelming majority of websites out there running
    > Apache, and despite having several rather nasty holes in Apache, or its
    > modules in the last couple of years. Apache hasn't come even close to
    > the vile record that IIS holds in spreading malware. Apache is far more
    > common, the source code is out there for the black hats to study, and
    > yet it's IIS which craps all over the net.

    Because the black hats know they can use an IIS exploit for months before
    it's even known, and then for months before a fix exists. And then even
    for more months before all the unpatched machines are replaced with newer
    ones with a new version of windows.
    Basically cracking IIS may be harder because of the closed source, but it
    has a bigger "return on investment" :)

    I believe that apache has fewer holes than IIS (based purely on gut
    feeling) but the relative number of exploits can't be used to tell us if
    that's true.

    > While MS holds the vast majority of the desktops, and has for quite some
    > time, the server market is far more evenly distributed, yet still, it is
    > MS servers that are spreading this garbage, not the equally prevalent
    > Linux ones.

    Fortunately webservers are less prone to the stupid user syndrome.

    -- 
    NPV
    "the large print giveth, and the small print taketh away"
                                    Tom Waits - Step right up
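
Added example, not part of the original post: a defender-side audit for the shared-script scenario the message describes. It lists scripts under a directory that anyone besides the owner can modify, the precondition for the spread through shared project folders; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# sample tree are assumptions made for illustration.

# Print every regular file under $1 that (a) has the group-write or
# other-write bit set and (b) looks like a script: it starts with "#!"
# or its name ends in ".sh". File names containing newlines are not handled.
audit_shared_scripts() {
    dir=$1
    find "$dir" -type f \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r f; do
        is_script=0
        case $f in
            *.sh) is_script=1 ;;
        esac
        # A leading "#!" means the kernel will hand the file to an interpreter.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            is_script=1
        fi
        if [ "$is_script" -eq 1 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree in a temporary directory and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho build\n'  > "$t/build.sh"   # group-writable script
    printf '#!/bin/sh\necho deploy\n' > "$t/deploy"     # owner-only script
    printf 'echo no shebang\n'        > "$t/helper.sh"  # world-writable, .sh name
    printf 'plain notes\n'            > "$t/notes.txt"  # writable, not a script
    chmod 775 "$t/build.sh"
    chmod 755 "$t/deploy"
    chmod 666 "$t/helper.sh"
    chmod 664 "$t/notes.txt"
    printf '%s\n' "$t"
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_shared_scripts "$1"
fi
```

Anything this prints is a file that root, or any other account, should not execute until its write bits have been tightened.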
    
