Linux logo
top bar left/images/caspian/top-banner.jpgtop bar right
menu top
 
menu bottom
 
 
  The following was in response to an email which linked to an article suggesting that Linux was less secure than MS Windows. This was my response:


Oh no, no aneurysm's here -- it will take a bit more than a journalist looking for a story to make me start worrying.
But, of course I have an obligation to respond :)

This will be somewhat long, but important that everyone on this list reads it. It is designed to be a general overview of what parts of Linux are (or at least can be) more secure than Windows, and to show that in the open source security area our team management has nothing to be concerned about.


As the article states:
    > The fact is, neither one is inherently more secure than the other;
    > it all comes down to the skill with which the code is written and audited.
This is very true. It is also very dependant on the skill of the system engineer/administrator. Linux boxes can be insecure. Windows boxes can be insecure. In my opinion it is a lot easier to have a secure Linux server than a Windows server. This is due to many things, but one of the beautiful things open source gives you is freedom of choice. For every major component of Linux there are multiple groups of people who have written essentially the same code. For example, we could use sendmail, but because it has a track record of being insecure we use Postfix. Postfix is very well audited by respected developers and has never had any security vulnerabilities. On our team I have chosen to use well established software with excellent security track records. With Windows you only have one provider, Microsoft, who has a less than stellar security track record.

That aside, bugs are constantly found in both Windows and Linux software. This will never change. The real difference lies in a few things:

1) How likely is your system to be affected by a given issue?
    The Windows architecture is built so that even components that may never
    be used are required for normal operation. For example, even a stand-alone
    Windows 2000 server will require LDAP libraries even though they may never
    be used - and every Windows server requires Internet Explorer even though
    you will (hopefully) never use it for web browsing. What does this mean?
    It means that almost every vulnerability or bug that comes up on Windows or
    on a Windows subsystem will almost certainly require you to patch your
    server.

    Linux, on the other hand, can be installed with only the components required
    for the task at hand. That is one of they key security advantages of open
    source software -- unneeded components can be excluded at compile time, so
    the software doesn't just have unnecessary feature X disabled (like Windows),
    it isn't even compiled in to begin with! This completely avoids the scenario
    that sometimes occurs in a Windows environment, where a feature that was
    disabled for security reasons "magically" re-enables itself after a service
    pack or hotfix update.

    To illustrate this point, a basic install of Windows 2000 Server requires
    over 800 MB, while the installation used on our Linux bastions and relays
    takes just over 120 MB for the complete operating system, mail server, and
    required supporting software. Because of the extreme configurability of open
    source software, the vast majority of bugs found will not be relevant to any
    given system. This is highlighted by the fact that out of the sixteen
    security vulnerabilities mentioned in the CERT advisory, only one was
    applicable to our servers.
2) Can you easily mitigate the risk of any given vulnerability?
    The Linux world has several tools and methods for mitigating the damage that
    any given vulnerability may have otherwise allowed. Here are three:
    • You can "chroot" a process, which means you lock it in a directory when
      it starts, and it can't get out. This effectively means that even if a
      given program is vulnerable, and someone cracks into your server, they
      won't be able to do anything outside of that directory. Pretty much
      makes cracking in pointless huh? For the record almost every daemon
      on our Linux servers runs chrooted (yes, even my scripts do).

    • You can have services that start with root (administrator) privileges and
      then after they start drop those permissions permanently and continue
      running as a non-privileged user account. This means that even if someone
      cracked into your server they would only have the privileges of "nobody."
      Again, this reduces the damage an attacker can do to almost nothing, no
      matter how big the hole.

    • You can use the Linux kernel's "capabilities" mechanism to lock down
      certain actions from ALL accounts on the box, so that even someone with
      root privileges cannot perform these actions. For example, with these
      capabilities turned on, you can prevent anyone, including the system
      itself, from being able to launch certain DDoS attacks that require raw
      access to the networking subsystem.
    Windows, on the other hand, has nothing that I am aware of similar to either
    the "chroot" or "capabilities" security mechanisms. Windows does not have
    the ability to lock a process into a certain subdirectory. The best that can
    be done is to create a separate partition (drive letter), and try to lock the
    application's data files in there. This still lacks the effectiveness of
    chroot, however: the Windows application's .exe files still require certain
    system libraries that are in %SYSTEMROOT%. Windows does not appear to be
    capable of restricting the privileges of the built-in LocalSystem account.
    So effectively there is little that can be done to mitigate the damage an
    attacker can do once he elevates his privileges to that of the LocalSystem
    account.
3) How severe is the typical issue, and how frequent are the severe issues?
    In other words, what impact will this vulnerability have on an affected system?
    Admittedly, open source software has had more high profile vulnerabilities
    recently than usual. That was the whole point of the article Vance linked to.
    However, this is largely due to the fact that the open source community has
    been exceptionally active in auditing their code recently - an activity that,
    according to the article, is required for secure software. In the Microsoft
    environment we have no way of determining if they are actually auditing their
    code or not. Almost every security related hotfix that has been released by
    Microsoft was initiated by a third party discovering and reporting or exploiting
    a vulnerability.

    For example, the recent MDAC bug, which was discovered by Foundstone Research,
    allows for remote code execution, and affects almost every Windows computer in
    existence. In Microsoft's own words, "This vulnerability is very serious."
    This vulnerability, like eight other critical hotfixes released by Microsoft
    since Windows 2000 SP3, affect the core operating system and can't be ignored.

    This is not to say that open source software is not affected by this level of
    vulnerabilities! The difference is that the high severity vulnerabilities found
    in Linux are not related to the core OS and can therefore be ignored if your
    system is not affected. Furthermore, open source software has historically had
    these type of severe vulnerabilities fewer and further between - and when they are
    found they are usually mitigated by the procedures mentioned above.
4) How quickly are patches released?
    Microsoft claims on the linked site that they feel they are plenty responsive
    to security issues. In their defense they have been getting better. But I
    am subscribed to the BugTraq mailing list, and I can tell you from first hand
    experience that Microsoft *routinely* ignores security issues reported to them
    until an exploit is released to the public, at which point they usually get a
    patch released within a week or two. Linux on the other hand is famous for
    having patches to security vulnerabilities available within hours of discovery.

    This is a key difference between open source and closed source development
    models. With closed source software, the likelihood that *anybody* has audited
    the code is relatively low. With open source software, the exact opposite can
    be said -- the likelihood of *someone* auditing the code is high, simply because
    it's there. It's the difference between being "proactive" and "reactive".
    Microsoft is an extremely reactive software provider -- they don't do in-depth
    security audits, and generally only provide fixes for each specific bug that
    people have reported. Anything more costs money, and they're in the business to
    MAKE money, not waste it on frivolous security audits.

    In the open source world, money isn't an issue. Instead, it's the individual
    programmer's reputations that are at stake, and they take a personal interest
    in the security of their code. As a result, they spend the extra time to find
    security holes before they release code, and when a vulnerability is found, they
    not only fix that specific bug, but also any other occurrences of similar bugs
    throughout their code base.
5) What sort of impact applying a given patch have?
    This is almost a side note, and really doesn't have to do with security, but
    it is important to note this since we run so many customer facing servers.
    Most all Microsoft security patches require a reboot for them to take affect.
    This requires server down time. Furthermore, Microsoft hotfixes often do
    not have a back-out plan if needed. I have yet to find a Linux security patch that
    requires a reboot, or a patch that couldn't be easily rolled back.
6) Will the issue really be resolved by the provided fix?
    Many times vulnerabilities are found and Microsoft has released "band-aid"
    fixes for that vulnerability. I could go into great detail here (think IE
    cross site scripting bugs and such) but I will refrain. I have never seen
    a Linux patch that didn't properly fix the given underlying problem. The
    problem with closed source fixes from Microsoft is that you cannot tell if
    they were fixed properly or not, until someone actually exploits that hole
    again in a different way. In some cases old vulnerabilities even resurface
    in the future. There have been several incidents where Microsoft has released
    a patch for a vulnerability, only to reintroduce that bug with the next
    service pack or OS release.
Well, sorry for the huge reply! I don't mean to start a flame war or anything - but to help
make it clear that Linux can be very secure (arguably more secure than Windows) and we have,
and will continue to take the appropriate measures to keep our servers among the most
secure on the internet.

 
  
bottom left bottom right