Re: Windows vs Linux Security
From: David L. Johnson (david.johnson_at_lehigh.edu)
Date: 09/17/03
Date: Tue, 16 Sep 2003 21:46:37 -0400
On Tue, 16 Sep 2003 13:12:03 +0000, n1po wrote:
> I believe that some Microsoft products, namely Outlook and Internet
> Explorer, are the two most exploited applications in any Windows
> environment. I believe that GUI email and browser programs for Unix also
> may contain some vulnerabilities. After all, the job of a browser is to
> display a web page and obey the commands therein, so a malicious bit of
> code may execute regardless of the OS as long as the code can be
> interpreted correctly (java, for example).
But because of what you have laid out, the vulnerabilities are not the
same. With a default user of what we could call "root", in Windows, the
standard is that all of these applications would have access to any file
on the system. This is a trojan-writer's wet dream (mixed metaphor
there, I guess). But every Linux user is warned about running as root,
and most do not. If the browser is not called by root, it would not have
the access needed to do serious damage.
> Exploiting browser and mail
> clients seems more prevalent in Windows primarily because of the market
> share. It is likely that Unix exploits exist, but the number of deployed
> systems is so low that the effort to exploit is too great.
Besides, the standard isolation of user accounts (rather than it being
something that has to be set up specially) provides a good deal of
protection, as has been seen with the few Linux trojans and viruses that
have surfaced.
> not telling. One can be seen as both white hat and black hat if they know
> that some exploit exists. However, since I don't wear a hat <g>, I can
> say that I believe a rootkit could do the job, but I have no experience
> with rootkits or their potential.
This depends greatly on how exposed your system is. I was once hacked by
some script-kiddie, but that was back when I was naively presuming that
there was safety in obscurity. Now, the only access to my machine is
through ssh.
>
>> On the other hand,
>> Microsoft has demonstrated that it can make an enormous unstable system
>> stable.
Have they?
> Agent, I don't have that problem with any of the other software I use. I
> believe, since this system has shared video memory, that I could avoid the
> problems by installing a video card with dedicated RAM, or I could install
> additional system RAM.
Why do you presume that shared video memory is the problem?
> configuration of the particular machine. I remember once many moons ago
> when Linux was just out of beta there were posts from people saying their
> uptime was several hundred days. In a comparison, I had Windows 3.1 and
> SLS 1.0 running alongside each other, and neither crashed or exhibited any
> problems for several months. Windows did crash first, eventually, and may
> have crashed sooner if I actually did anything on it.
There was a rumor that Windows 3.1 had a bug that would crash it if left
running for something like your 100 days. However, the consensus was that
that was an untestable hypothesis.
I just checked, and my machine has been up 40 days. This is hardly
unusual. Most Linux boxes run for months, if not years, on end.
> installed it. Then I checked RHN and found nearly 30 patch files
> totalling nearly 150 megs.
Well, Red Hat has always been closer to the bleeding edge than, say,
Debian. There is a price to pay for that, and that is lots of updates --
to stay on that bleeding edge. These are not all security patches, many
are simply package upgrades. With MICROS~1, the patches are only for
security updates. For package upgrades, you have to pay.
--
David L. Johnson
__o | Let's not escape into mathematics. Let's stay with reality. --
_`\(,_ | Michael Crichton
(_)/ (_) |