The following was in response to an email which linked to an article suggesting that Linux was less secure than MS Windows. This was my response:
Oh no, no aneurysm's here -- it will take a bit more than a journalist looking for a story to make me start worrying.
But, of course I have an obligation to respond :)
This will be somewhat long, but important that everyone on this list reads it. It is designed to be a general overview of what parts of Linux are (or at least can be) more secure than Windows, and to show that in the open source security area our team management has nothing to be concerned about.
As the article states:
> The fact is, neither one is inherently more secure than the other;
This is very true. It is also very dependant on the skill of the system engineer/administrator. Linux boxes can be insecure. Windows boxes can be insecure. In my opinion it is a lot easier to have a secure Linux server than a Windows server. This is due to many things, but one of the beautiful things open source gives you is freedom of choice. For every major component of Linux there are multiple groups of people who have written essentially the same code. For example, we could use sendmail, but because it has a track record of being insecure we use Postfix. Postfix is very well audited by respected developers and has never had any security vulnerabilities. On our team I have chosen to use well established software with excellent security track records. With Windows you only have one provider, Microsoft, who has a less than stellar security track record.
> it all comes down to the skill with which the code is written and audited.
That aside, bugs are constantly found in both Windows and Linux software. This will never change. The real difference lies in a few things:
1) How likely is your system to be affected by a given issue?
The Windows architecture is built so that even components that may never
2) Can you easily mitigate the risk of any given vulnerability?
be used are required for normal operation. For example, even a stand-alone
Windows 2000 server will require LDAP libraries even though they may never
be used - and every Windows server requires Internet Explorer even though
you will (hopefully) never use it for web browsing. What does this mean?
It means that almost every vulnerability or bug that comes up on Windows or
on a Windows subsystem will almost certainly require you to patch your
Linux, on the other hand, can be installed with only the components required
for the task at hand. That is one of they key security advantages of open
source software -- unneeded components can be excluded at compile time, so
the software doesn't just have unnecessary feature X disabled (like Windows),
it isn't even compiled in to begin with! This completely avoids the scenario
that sometimes occurs in a Windows environment, where a feature that was
disabled for security reasons "magically" re-enables itself after a service
pack or hotfix update.
To illustrate this point, a basic install of Windows 2000 Server requires
over 800 MB, while the installation used on our Linux bastions and relays
takes just over 120 MB for the complete operating system, mail server, and
required supporting software. Because of the extreme configurability of open
source software, the vast majority of bugs found will not be relevant to any
given system. This is highlighted by the fact that out of the sixteen
security vulnerabilities mentioned in the CERT advisory, only one was
applicable to our servers.
The Linux world has several tools and methods for mitigating the damage that
3) How severe is the typical issue, and how frequent are the severe issues?
any given vulnerability may have otherwise allowed. Here are three:
Windows, on the other hand, has nothing that I am aware of similar to either
- You can "chroot" a process, which means you lock it in a directory when
it starts, and it can't get out. This effectively means that even if a
given program is vulnerable, and someone cracks into your server, they
won't be able to do anything outside of that directory. Pretty much
makes cracking in pointless huh? For the record almost every daemon
on our Linux servers runs chrooted (yes, even my scripts do).
- You can have services that start with root (administrator) privileges and
then after they start drop those permissions permanently and continue
running as a non-privileged user account. This means that even if someone
cracked into your server they would only have the privileges of "nobody."
Again, this reduces the damage an attacker can do to almost nothing, no
matter how big the hole.
- You can use the Linux kernel's "capabilities" mechanism to lock down
certain actions from ALL accounts on the box, so that even someone with
root privileges cannot perform these actions. For example, with these
capabilities turned on, you can prevent anyone, including the system
itself, from being able to launch certain DDoS attacks that require raw
access to the networking subsystem.
the "chroot" or "capabilities" security mechanisms. Windows does not have
the ability to lock a process into a certain subdirectory. The best that can
be done is to create a separate partition (drive letter), and try to lock the
application's data files in there. This still lacks the effectiveness of
chroot, however: the Windows application's .exe files still require certain
system libraries that are in %SYSTEMROOT%. Windows does not appear to be
capable of restricting the privileges of the built-in LocalSystem account.
So effectively there is little that can be done to mitigate the damage an
attacker can do once he elevates his privileges to that of the LocalSystem
In other words, what impact will this vulnerability have on an affected system?
4) How quickly are patches released?
Admittedly, open source software has had more high profile vulnerabilities
recently than usual. That was the whole point of the article Vance linked to.
However, this is largely due to the fact that the open source community has
been exceptionally active in auditing their code recently - an activity that,
according to the article, is required for secure software. In the Microsoft
environment we have no way of determining if they are actually auditing their
code or not. Almost every security related hotfix that has been released by
Microsoft was initiated by a third party discovering and reporting or exploiting
For example, the recent MDAC bug, which was discovered by Foundstone Research,
allows for remote code execution, and affects almost every Windows computer in
existence. In Microsoft's own words, "This vulnerability is very serious."
This vulnerability, like eight other critical hotfixes released by Microsoft
since Windows 2000 SP3, affect the core operating system and can't be ignored.
This is not to say that open source software is not affected by this level of
vulnerabilities! The difference is that the high severity vulnerabilities found
in Linux are not related to the core OS and can therefore be ignored if your
system is not affected. Furthermore, open source software has historically had
these type of severe vulnerabilities fewer and further between - and when they are
found they are usually mitigated by the procedures mentioned above.
Microsoft claims on the linked site that they feel they are plenty responsive
5) What sort of impact applying a given patch have?
to security issues. In their defense they have been getting better. But I
am subscribed to the BugTraq mailing list, and I can tell you from first hand
experience that Microsoft *routinely* ignores security issues reported to them
until an exploit is released to the public, at which point they usually get a
patch released within a week or two. Linux on the other hand is famous for
having patches to security vulnerabilities available within hours of discovery.
This is a key difference between open source and closed source development
models. With closed source software, the likelihood that *anybody* has audited
the code is relatively low. With open source software, the exact opposite can
be said -- the likelihood of *someone* auditing the code is high, simply because
it's there. It's the difference between being "proactive" and "reactive".
Microsoft is an extremely reactive software provider -- they don't do in-depth
security audits, and generally only provide fixes for each specific bug that
people have reported. Anything more costs money, and they're in the business to
MAKE money, not waste it on frivolous security audits.
In the open source world, money isn't an issue. Instead, it's the individual
programmer's reputations that are at stake, and they take a personal interest
in the security of their code. As a result, they spend the extra time to find
security holes before they release code, and when a vulnerability is found, they
not only fix that specific bug, but also any other occurrences of similar bugs
throughout their code base.
This is almost a side note, and really doesn't have to do with security, but
6) Will the issue really be resolved by the provided fix?
it is important to note this since we run so many customer facing servers.
Most all Microsoft security patches require a reboot for them to take affect.
This requires server down time. Furthermore, Microsoft hotfixes often do
not have a back-out plan if needed. I have yet to find a Linux security patch that
requires a reboot, or a patch that couldn't be easily rolled back.
Many times vulnerabilities are found and Microsoft has released "band-aid"
Well, sorry for the huge reply! I don't mean to start a flame war or anything - but to help
fixes for that vulnerability. I could go into great detail here (think IE
cross site scripting bugs and such) but I will refrain. I have never seen
a Linux patch that didn't properly fix the given underlying problem. The
problem with closed source fixes from Microsoft is that you cannot tell if
they were fixed properly or not, until someone actually exploits that hole
again in a different way. In some cases old vulnerabilities even resurface
in the future. There have been several incidents where Microsoft has released
a patch for a vulnerability, only to reintroduce that bug with the next
service pack or OS release.
make it clear that Linux can be very secure (arguably more secure than Windows) and we have,
and will continue to take the appropriate measures to keep our servers among the most
secure on the internet.