Corporate networks have been hammered in recent months with a slew of
viruses and worms, nearly all of them focused on vulnerabilities in
Microsoft Corp.’s software. IT managers running Linux may be breathing a
sigh of relief that they’re not getting hit, but are they really that much
safer?
The answer is, yes and no. Or maybe the answer really is, for now.
Religious evangelists on both sides of the Windows vs. Linux aisle would
argue to the death that their operating system is inherently safer. But
what’s really going on?
Each operating system has its own security strengths and weaknesses. But
it’s the flaws that have drawn particular focus. Windows flaws have been
cropping up faster than some people can track, forget patch. But Linux has
its own troubles with vulnerabilities. They simply don’t get as much media
attention. And that’s because Linux isn’t as ubiquitous as Microsoft’s
Windows. Windows flaws get more attention because nearly everyone — from
Fortune 100 security managers to their mothers and neighbors — needs to
know about them.
And many industry observers say it’s Windows ubiquitousness that is getting
it into trouble.
”Virus writers like to make a name for themselves and they do that by
infecting the masses,” says Steven Sundermeier, a vice president at
Central Command, an anti-virus company based in Medina, Ohio. ”If you want
to have a well-documented, wide-spread virus, you go after the Microsoft
operating system. That doesn’t mean that Linux can’t be exposed to viruses.
It just means it’s not a real target at this point. But that could change.”
Sundermeier points out that Central Command has documented more than 200
viruses specifically targeting the Linux operating system. It sounds like
something until you realize that the company has documented a total of
approximately 75,000 viruses. And when you factor out the viruses aimed at
DOS-based systems and Unix, you have 65,000 to 70,000 viruses specifically
targeting the Windows side of things.
And vulnerabilities and viruses have become a critical concern for IT
managers. Symantec Corp., an anti-virus and security company, recently
noted that the number of reported software bugs skyrocketed 81.5%
last year. That means the amount of time and attention managers have
to focus on patching bugs and preparing to fend off malicious code has
multiplied at the same rate.
All too often, patches aren’t applied because the manager wasn’t fast
enough on his feet, other projects got in the way, that particular patch
just got lost in the flood of patch notices or simply because the IT
manager didn’t have enough time. No matter the reason, when patches aren’t
applied, it can have devastating effects.
For example, despite the fact that Microsoft had sent out alerts in July for
a vulnerability in its Remote Procedure Call (RPC), the Blaster worm that
exploited the flaw still caught millions of people unprepared in August.
And Sobig-F, which so far is the latest variant in the Sobig worm family,
wreaked millions of dollars worth of havoc on networks around the world.
The Sobig worm has been around for months, but companies are still being hit
because they’re not patched and ready.
All of this virus havoc is being unleashed on Microsoft systems.
More Overt Attacks on Linux
But as Linux grows in popularity, that may not remain the case. The more
Linux systems out there, the bigger and better the target they create.
That may already be happening.
Linux was the most-attacked online server operating system in August,
according to a report from mi2g, a digital risk assessment company based in
London. In August, 67% of all overt digital attacks targeted Linux.
Windows received 23.2% of the attacks.
But despite Linux being the target of the majority of overt, or known, digital attacks,
virus attacks on Windows caused much greater financial damage. Thanks to
the havoc that Sobig-F and the Blaster worms wreaked, August reportedly has
gone down as the worst month in digital history for virus attacks. Last
month, viruses, along with overt and covert hacker attacks, caused $32.8
billion in economic damages, according to mi2g. Mi2g also notes that the Sobig
virus alone accounted for $29.7 billion of economic damages worldwide.
”Linux isn’t more or less secure than Microsoft, in the respect that it’s
certainly possible to create viruses and worms that target Linux and to
initiate intrusion attacks against Linux,” says Chris Belthoff, a senior
analyst at Sophos, Inc., an anti-virus company based in Lynnfield, Mass.
”If there is a market shift and more Linux is out there, it’s almost a
certainty that you’ll have more malicious code targeting that platform. It
simply would meet the virus writers’ needs.”
Dan Woolley, a vice president at Computer Associates International Inc.,
says he expects to start seeing virus writers branching out when it comes
to targets. And that’s not good news for companies running Linux.
”I think we’re going to see many more variances in attack scenarios. Things
are going to change,” says Woolley. ”I think Linux has been pretty
protected. Linux has been the platform for the really technically savvy
guys. They all go to conferences together, break bread, share a beer. Virus
writers are less apt to go after them. Drinking buddies don’t take on
drinking buddies. It’s a shared respect. It’s much more fun to target the
evil empire.”
But as Linux goes more and more corporate, Woolley thinks all bets will be
off.
And Robert Richardson, editorial director of the Computer Security
Institute, says IT managers who switch to Linux to avoid the virus attacks
on Windows may be in for a surprise.
”I think they’ll benefit from the relative obscurity of Linux for a while
and they’ll suffer fewer virus attacks,” says Richardson. ”They’ll also
be making some trade offs in terms of availability of software. And
security is about those tradeoffs.
”Is Linux inherently safer than windows?” asks Richardson. ”No, not
inherently. A simpler design typically means fewer vulnerabilities but I
wouldn’t go so far as to say it’s safer.”