You can run, but you cannot hide -- Report

War of words over operating systems' safety

19:00 23 March 2005
NewScientist.com news service
Celeste Biever

Doubts were cast this week over the security of three major software systems formerly regarded as safe havens from hacker attacks and viruses.

But experts argue that despite the new findings, these systems are still more secure than their Microsoft counterparts because hackers overwhelmingly target the Windows software.

"The Windows problem still dwarfs these other problems because internet criminals know that there are an awful lot of clueless Windows users," says Graham Cluley, security consultant at UK anti-virus firm Sophos.

Until now, the open-source Firefox web browser, Linux-based web servers and the Apple Mac operating system OSX were heralded as more robust to hacker intrusions and viruses than Microsoft's Internet Explorer and the Windows operating systems.

So it came as a surprise to the security community when all three came under attack in two security reports, funded by Symantec - the California-based anti-virus software vendor - and Microsoft.

The debate was sparked Monday when Symantec released its biannual Internet Security Threat report. The company found that between July and December 2004, 21 new vulnerabilities were discovered in Firefox while only 13 were found in Internet Explorer.

"This runs contrary to a trend seen in previous periods where nearly all browser vulnerabilities affected Microsoft Internet Explorer exclusively," says Symantec in its report.

Missing patches

A "vulnerability" is a programming error that enables an attacker or a virus to gain entry to a computer - allowing access to confidential information, the running of malicious programs or even crashing the system. However, once vulnerabilities are reported, they are typically patched by the software maker, removing the error.

A separate report, which takes software patching into account, comes to the opposite conclusion. The report, also published on Monday by Dubai-based ScanIT, found that in 2004, 98% of IE users were vulnerable to attacks because their systems were not patched, while only 15% of Linux users were at risk.

ScanIT founder David Michaux also points out that while Symantec found more vulnerabilities in Firefox, it found fewer severe vulnerabilities, just seven compared to IE's nine. "You will always find fewer vulnerabilities in IE, because they don't make their source code available. But the vulnerabilities you do find will be more severe," he says.

Trend to come

Symantec also reported that Apple's OSX had 37 vulnerabilities. Until now the only malicious code targeted at Apple was a malicious program called Repeno that was found online in October 2004. It was largely harmless because it had no way of spreading automatically, but Symantec predicts that Repeno is an example of a trend to come.

"It is now clear that the Mac OS (operating system) is increasingly becoming a target for the malicious activity that is more commonly associated with Microsoft and various UNIX-based operating systems," says the report.

Richard Forno, an independent security consultant based in Washington DC, US, who specialises in Macs, disagrees. "The Mac OSX part of the Symantec report was overblown," he says. "Cyber criminals want to go after the low-hanging fruit and the Mac OSX is still not as bug ridden as Windows."

Time lags

On Tuesday a further report highlighted vulnerabilities in the Linux operating system. The Microsoft-funded report was released by Richard Ford, a computer scientist at the Florida Institute of Technology, and colleagues at the security company Security Innovation, both in the US.

To his surprise, Ford, a loyal Linux user, found that an open-source Linux server contained 174 vulnerabilities, while the Microsoft equivalent had just 52. He also found that on average the time lag between reporting a vulnerability and having it patched was 44 days with the Linux server, but 31 with Microsoft.

Cluley argues that this is irrelevant because hackers are still not interested in attacking Linux systems, partly because there are far fewer Linux users, and partly because the users Linux attracts tend to be more tech-savvy and so more likely to patch their own systems.

But he says that this could change in future. "There are a growing number of users for these alternative operating systems so we shouldn't be complacent," he says.

Michaux disagrees: "Unlike the Microsoft programs, the more people that use an open-source system, the more secure it becomes." This is because the open-source code is analysed by the security community as a whole, whereas the Microsoft code is only seen by the company's engineers.
Article.
 
Yeah, it all hinges on what one calls a "vulnerability". Most of these vulnerabilities (based on my experience with Nessus and other system analysis tools) will simply comprise systems that identify themselves correctly to potential attackers, allowing them to understand what kind of system they are dealing with. The most recent Firefox vulnerability was actually more of a flaw in the IDN standard, which Firefox had implemented and IE had not.

It is certain that any unpatched machine will be victimized by crackers, but if you have a Windows machine, your life expectancy will be shorter.
 
I have used Mozilla on my Linux system and I have never had problems, probably since everything is designed to attack Microsoft.
 
Symantec is very Windows dependent. I wouldn't believe them for a moment. Besides, if MS was happy with something like 50% market share, they would be only target of hackers.
 
I said it somewhere else that the reason all the bad guys on the net attack IE or Windows is because that way they can be sure to wreak a lot of havoc. That means that they don't care about any other browsers or OS'es. But it also means that the more people there are who switch to an alternative browser or OS, the more interesting those users get to the bad guys. Those guys don't care about what people think about them, they think it's fun to destroy other people's hard work. And they won't change. The battle against them will never be won, but we can make sure we protect ourselves as best we can.
 
The Person said:
I said it somewhere else that the reason all the bad guys on the net attack IE or Windows is because that way they can be sure to wreak a lot of havoc. That means that they don't care about any other browsers or OS'es. But it also means that the more people there are who switch to an alternative browser or OS, the more interesting those users get to the bad guys. Those guys don't care about what people think about them, they think it's fun to destroy other people's hard work. And they won't change. The battle against them will never be won, but we can make sure we protect ourselves as best we can.

Actually, the more people that join free OSs like Linux the safer it becomes, because more people are there to help find and fix security issues.
 
So we Firefox users are still in danger? But you're right, open source software should be more safe, but also less safe, as the source code is public, which makes it easier for hackers and other bad guys to find the holes. And again, the more who use it, the more feedback, but also more interest in finding the holes.

So the best option will still be to make sure your OS, browser, antivirus and antispyware is updated.
 
No, the vulnerabilities in Firefox have a) been patched - get the most recent version; and b) the only critical vulnerability was in the IDN handling. IDN was done properly in Firefox (according to the standard), but that meant that some unscrupulous people could make phishing attacks by creating domain names that looked (in Unicode) like trustworthy domains, but which had characters from non-ASCII character sets in them. Thus, the link that seemed to direct you to www.microsoft.com might actually have been pointed at www.micr%9Fsoft.com, or something like that. In short, it wasn't really a problem with Firefox, it was a problem with the premise behind the IDN system. Since Microsoft has not modified IE significantly in three years, and since they ignore standards anyway, IE did not implement IDN, and so avoided this one problem.
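
The look-alike domain described in the post above can be caught on the defensive side by decoding a link's host and checking whether any label mixes Latin letters with another script. This is an added example, not part of the original post: the function names and the sample host are constructed for illustration, and the script test (first word of the Unicode character name) is a coarse heuristic that does not catch names written entirely in one non-Latin script.

```python
import unicodedata

def to_unicode(host: str) -> str:
    """Decode ACE ('xn--') labels so the check sees what a browser would display."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts_in(label: str) -> set:
    """Coarse script set for a label: first word of each character's Unicode name."""
    found = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # ASCII digits and hyphen are shared by every script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def mixed_script_labels(host: str) -> list:
    """Return (label, scripts, non_ascii_chars) for labels mixing Latin with another script."""
    hits = []
    for label in to_unicode(host).split("."):
        scripts = scripts_in(label)
        if "LATIN" in scripts and len(scripts) > 1:
            odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                   for c in label if not c.isascii()]
            hits.append((label, sorted(scripts), odd))
    return hits

# Constructed sample: the post's host name with the Latin 'o' swapped for
# CYRILLIC SMALL LETTER O (U+043E), which renders almost identically.
SPOOF = "www.micr\u043esoft.com"
# ACE form, i.e. what actually appears in DNS and in a raw link target.
SPOOF_ACE = SPOOF.encode("idna").decode("ascii")

if __name__ == "__main__":
    for host in ("www.microsoft.com", SPOOF_ACE):
        print(host, "->", mixed_script_labels(host) or "single script")
```

A legitimate internationalised name written in one script (for example a German name with an umlaut, which is still Latin) passes the check; only the mixed label is reported, together with the code points that do not belong.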
 
Padma said:
Not to mention that Linux/unix/*BSD was designed with multi-user security in mind. Which means that it is a *lot* harder to infect them.

Even NSA developed a Linux OS once.
(OT - I loved how when I applied for a job there, they said (cheerfully), "When you work here, you're a moving target!". The interviewer and I were walking past a window when she said that...).
 
Chieftess said:
Even NSA developed a Linux OS once.
(OT - I loved how when I applied for a job there, they said (cheerfully), "When you work here, you're a moving target!". The interviewer and I were walking past a window when she said that...).

The NSA developed SELinux (which stands for Security Enhanced Linux). It isn't actually a version of Linux, but it's a security layer that is added on top of the usual Linux security model. The recent versions of Fedora (Red Hat) include it by default.
 
All the major distros *include* SELinux anymore. :)

And The Person: Yes, open source lets crackers look for the holes, but it *also* lets the "White Hats" look for holes, too, and fix them before they become a problem. Besides, if a Linux user follows the default setup instructions of most distros, even if a virus were actually able to be propagated on a Linux system, it would not be able to crash the whole system, just the user's data. Yeah, no fun for that user, but much easier to fix than reinstalling the whole system, for example.
 