Linux vs. Windows viruses: a rebuttal to a rebuttal

Scott Granneman of SecurityFocus wrote this piece in The Register explaining why Linux is less vulnerable to viruses than Windows. Pete Sergeant of Virus Bulletin offers this rebuttal. Unfortunately, it’s full of misrepresentation and factual errors. I’m no security expert but here are my problems with the article:

“The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware.”

Granneman never claims that Linux is impenetrable to security-based attacks, only that it is less likely to spread or be damaged by email viruses.

“According to F-Secure, the bot-net created by Linux/Slammer reached around 14,000 machines. Compared to the number of infections caused by some Windows worms, this may seem quite small, but this number is by no means trivial.”

Again, no claim of impenetrability was made, and 14,000 is indeed trivial when compared to Windows infections. This statistic pretty much proves Granneman’s point: Linux viruses are less widespread.

“The fact that the author draws attention to this is mildly surprising when he later points out that Mozilla Mail uses Gecko to render HTML email – like all software, Gecko (Mozilla’s HTML renderer) has also had its fair share of vulnerabilities which could conceivably be exploited for similar results.”

Sergeant ignores Granneman’s response to this, which is that Linux is not a software monoculture like Microsoft. Gecko vulnerabilities are less significant than IE vulnerabilities because Gecko’s market-share in the Linux world is far less than IE’s market-share in the Windows world.

“Furthermore, the vulnerabilities in Outlook and IE all had patches or work-arounds available for them before exploits for them were included in viruses.”

Untrue. See BubbleBoy, badtrans, the Klez family.

“It wouldn’t be sticking one’s neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client due to user-demand.”

Microsoft has made it harder to open attachments straight from the mail client, despite user-demand.

“As well noted, software makers aim to give users a hard-work-free environment – to suggest that software developers won’t follow suit on Linux is wonderfully disproved by Lindows, as mentioned by the author of the original column.”

As Granneman mentions, Lindows is the only major distribution making these blatantly poor security decisions. To suggest that this means that the makers of Mozilla Mail, KMail, mutt, and Evolution are going to make their programs automatically open attachments is ridiculous.

“What’s important to users is data. Reinstalling system binaries is as simple as sticking in the CD the system was installed from. Recovering data that hasn’t been backed up (and even fewer people make hourly backups than the tiny number of people who actually make nightly backups) is near impossible.”

This is a nice piece of FUD. Sergeant seems to be suggesting that Windows viruses destroy system data, easily restored from the system disk, while Linux viruses destroy user data, unrecoverable without a backup. Of course, Windows viruses can damage BOTH system and user data, while Linux viruses can damage ONLY user data. Which do you prefer: viruses that can hose your entire system, or viruses that can only affect your personal data?

“I can’t be the only person who, the first time I installed Linux and had little thought for security, decided I would login as root and stay that way.”

All modern Linux distributions require you to create an unprivileged user on install and warn you about the security risks of running as root. This is far more than Windows does. I’m willing to bet that the percentage of Linux users running as root is far smaller than the percentage of Windows users running as Administrator. This again proves Granneman’s point: that Linux encourages good security practices by design while Windows does not.