Is Linux Really More Secure Than Windows?

Evangelists on both sides of the Windows vs. Linux aisle would argue to the death that their operating system is inherently safer. But what's really going on?
Corporate networks have been hammered in recent months with a slew of viruses and worms, nearly all of them focused on vulnerabilities in Microsoft Corp.'s software. IT managers running Linux may be breathing a sigh of relief that they're not getting hit, but are they really that much safer?

The answer is, yes and no. Or maybe the answer really is, for now.

Religious evangelists on both sides of the Windows vs. Linux aisle would argue to the death that their operating system is inherently safer. But what's really going on?

Each operating system has its own security strengths and weaknesses. But it's the flaws that have drawn particular focus. Windows flaws have been cropping up faster than some people can track, forget patch. But Linux has its own troubles with vulnerabilities. They simply don't get as much media attention. And that's because Linux isn't as ubiquitous as Microsoft's Windows. Windows flaws get more attention because nearly everyone -- from Fortune 100 security managers to their mothers and neighbors -- needs to know about them.

And many industry observers say it's Windows ubiquitousness that is getting it into trouble.

''Virus writers like to make a name for themselves and they do that by infecting the masses,'' says Steven Sundermeier, a vice president at Central Command, an anti-virus company based in Medina, Ohio. ''If you want to have a well-documented, wide-spread virus, you go after the Microsoft operating system. That doesn't mean that Linux can't be exposed to viruses. It just means it's not a real target at this point. But that could change.''

Sundermeier points out that Central Command has documented more than 200 viruses specifically targeting the Linux operating system. It sounds like something until you realize that the company has documented a total of approximately 75,000 viruses. And when you factor out the viruses aimed at DOS-based systems and Unix, you have 65,000 to 70,000 viruses specifically targeting the Windows side of things.

And vulnerabilities and viruses have become a critical concern for IT managers. Symantec Corp., an anti-virus and security company, recently noted that the number of reported software bugs skyrocketed 81.5% last year. That means the amount of time and attention managers have to focus on patching bugs and preparing to fend off malicious code has multiplied at the same rate.

All too often, patches aren't applied because the manager wasn't fast enough on his feet, other projects got in the way, that particular patch just got lost in the flood of patch notices or simply because the IT manager didn't have enough time. No matter the reason, when patches aren't applied, it can have devastating effects.

For example, despite the fact that Microsoft had sent out alerts in July for a vulnerability in its Remote Procedure Call (RPC), the Blaster worm that exploited the flaw still caught millions of people unprepared in August. And Sobig-F, which so far is the latest variant in the Sobig worm family, wreaked millions of dollars worth of havoc on networks around the world. The Sobig worm has been around for months, but companies are still being hit because they're not patched and ready.

All of this virus havoc is being unleashed on Microsoft systems.

More Overt Attacks on Linux

But as Linux grows in popularity, that may not remain the case. The more Linux systems out there, the bigger and better the target they create.

That may already be happening.

Linux was the most-attacked online server operating system in August, according to a report from mi2g, a digital risk assessment company based in London. In August, 67% of all overt digital attacks targeted Linux. Windows received 23.2% of the attacks.

But despite Linux being the target of the majority of overt, or known, digital attacks, virus attacks on Windows caused much greater financial damage. Thanks to the havoc that Sobig-F and the Blaster worms wreaked, August reportedly has gone down as the worst month in digital history for virus attacks. Last month, viruses, along with overt and covert hacker attacks, caused $32.8 billion in economic damages, according to mi2g. Mi2g also notes that the Sobig virus alone accounted for $29.7 billion of economic damages worldwide.

''Linux isn't more or less secure than Microsoft, in the respect that it's certainly possible to create viruses and worms that target Linux and to initiate intrusion attacks against Linux,'' says Chris Belthoff, a senior analyst at Sophos, Inc., an anti-virus company based in Lynnfield, Mass. ''If there is a market shift and more Linux is out there, it's almost a certainty that you'll have more malicious code targeting that platform. It simply would meet the virus writers' needs.''

Dan Woolley, a vice president at Computer Associates International Inc., says he expects to start seeing virus writers branching out when it comes to targets. And that's not good news for companies running Linux.

''I think we're going to see many more variances in attack scenarios. Things are going to change,'' says Woolley. ''I think Linux has been pretty protected. Linux has been the platform for the really technically savvy guys. They all go to conferences together, break bread, share a beer. Virus writers are less apt to go after them. Drinking buddies don't take on drinking buddies. It's a shared respect. It's much more fun to target the evil empire.''

But as Linux goes more and more corporate, Woolley thinks all bets will be off.

And Robert Richardson, editorial director of the Computer Security Institute, says IT managers who switch to Linux to avoid the virus attacks on Windows may be in for a surprise.

''I think they'll benefit from the relative obscurity of Linux for a while and they'll suffer fewer virus attacks,'' says Richardson. ''They'll also be making some trade offs in terms of availability of software. And security is about those tradeoffs.

''Is Linux inherently safer than windows?'' asks Richardson. ''No, not inherently. A simpler design typically means fewer vulnerabilities but I wouldn't go so far as to say it's safer.''






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.