Thanks, I'm surprised by those values. They just don't correlate with "Linux folklore"!

So, how come Linux doesn't get "pwned" sooner in those Pwn2Own competitions?

Ignoring reality can be very convenient, especially when it interferes with your biases.

A lot of Linux vulnerabilities have low CVE scores. Low CVE score -> low risk -> litte benefit -> losing a hack competition. Again, think back to value. In Pwn2Own, you want to do something spectacular. DoSing a box does not qualify. Wiping the floor with Chrome using a chained attack? Spectacular!

Isn't it just first to gain root wins? Of was that only the first few competitions?

About 10 years ago, when Linux first started to be noticed and began making inroads into movie production, banking, and dominating the web servers, an AV software house, Kapersky, cited Symantec as saying that Linux had over 400 viruses. That made me curious because the year before I traversed their online database and found a total of about two dozen, of which only 6 had made it into the wild. The biggest was an Apache compromise that infected about 5,000 computers in the Balkan states. They were mostly RH and being run as root. The rest were of low infectivity and easy removal, AND, found on two or fewer machines. Amagine the luck of finding half a dozen viruses when they were on two or fewer machines! For several years, beginning back then, Kapersky had an annual scare-a-thone for new Linux users, fresh from Windows, and offered them "protection" with a Linux AV product. I haven't seen a Kapersky scare-a-thon in quite a while.

Anyway, I went to that database and found that they had changed it significantly. Before, I could search for Linux (or Windows) malware and find all of them listed on one scrolling page, which included the princial metrics: seriousness, removability, and infection numbers. The second time I searched it I had to drill down on EACH putative Linux virus several pages, to find those three metrics. I spent half a morning drilling down on about 125 of them. ALL, except the dozen or so I had seen before, were jpeg viruses, identical to the Windows version except that the word "linux" was added to their names.

This morning I browsed McAfee's virus listings. Search for "Linux" and you'll get 292 listed. They go back 15 or more years. Drill down one page and you get all the nitty-gritty. Search for "Windows" and you'll get four. Search for "Microsoft" and you weill be presented with 192 listings.

I also went to Symantic. They've returned to listing all their malware on one long, scrollable list containing 892 items. Drill down on one and you get the dope. HOWEVER, they do not say which OS the risk is associated with. You have to click the technical tab and read it to conclude, by the discussion, what OS is involved.

Then I went here: http://www.cvedetails.com/vulnerabil...ux-Kernel.html to look at the CVE for the Linux kernel.
It lists 232 going back to 1996. Their scores range of 7 to 7.9.
I went to the National Security Database. They listed 4,182 for Linux and 6,903 for Windows and Microsoft.

Like most things I see in the computer industy, and elsewhere, you pay your money, take your choice, and get the truth you want.

Great post. Whether or not something is a "threat" totally depends on how it's calculated. Anyone who runs Linux as root all the time is committing a major security gaffe. I was wondering how on earth they could find vulnerabilities when you have to type your password in any time you install anything. I used to do computer programming some years back in Windows and have considered doing it again for Linux. I never wrote viruses or other malware, but I did understand enough to have been able to write a Trojan if I had wanted to. You certainly could write a Linux-based Trojan and disguise it as an app, but you would have to fool people into installing it. It could not replicate and spread just from being on your PC. Such an app could never make it into the repositories. I make it a policy only to install from the repositories unless there's an app that I really trust. If there were a crooked Linux app on a web page awaiting download from unsuspecting users, word of it would spread in the community.

I went ahead and installed Clam Antivirus in Kubuntu. I run a precautionary scan from time to time. So far it's never found any Linux-based malware. It did detect a Windows-based piece of malware one time, one that would not run under Linux. I've also installed NoScript into Firefox. It blocks scripts from running on web pages. It annoys me that some webmasters write scripts to automatically run without your permission. Most of the time NoScript just protects me from crappy scripts that run badly and crash Firefox, but it is conceivable that someone could create a browser-based piece of malware, so NS protects just in case of that. I only turn on scripts for web pages that I know I can trust. There's another nice Firefox plugin named WOT for Web of Trust. It rates sites for their trustworthiness. You can see the ratings both in a list from a search engine and in an icon in the browser itself if you're on the page. It pulls up a warning before it allows you into a dangerous site. Great utility. Most really bad malware on web pages would be written for Windows and hence would not run on your Linux PC, but if someone is crooked enough to set up such a page, I don't want to go to it anyway, just in case.

In other words, I'm being security conscious, despite using Linux. And I'll be doubly security conscious for any Windows-based apps I intend to run under VirtualBox. They'll be blocked from Internet access, except for Quicken. And even Quicken is only allowed net access for short periods of time. I don't intend to install much Windows software, but if for some reason I need to download and install something, I'll download it in Kubuntu and scan it with Clam. Then I'll copy it over to my share folder and scan it in Windows with Kaspersky. I guess if I really wanted to be cautious, I could boot to the Kaspersky boot DVD (a Linux distro) and scan it with that.

It would be interesting to see if malware writers could penetrate any Linux PC in which the user is running everything in non-root with protection plug-ins in Firefox and who only installs from the repositories. That would be a tall order. I won't say it's impossible because you don't want to let your guard down with these criminals, but it would be an extremely difficult task, far more difficult than spreading malware to a Windows PC, which by default runs in root. Tricking a Linux user via a social deception like a phishing scam seems more likely.

I was partially successful in tracking down a posting I made at LinuxToday several years ago. The first part of the first sentence was in the subject line, which wasn't included in the post itself. I believe it began with "I have searched anti-virus databases ..."
Here is one of the two prior posts:
and another one:
And, a comment from 2009, responding to an analogy posted by another reader:

GreyGeek@

Here's a 'blast from your past' for you. The year: 2003

[huskerlug] Re: antivirus

Pwn2Own has moved beyond that now.

Sure it's possible. Running as a normal user, whether in Linux or Windows, does not provide complete protection. It does limit the malware's ability to do harm. If the malware were running as root/administrator, then the malware can gain complete control and damage the operating system. If the malware were running as standard user, it can still exfiltrate user information, modify user data, change user configuration, delete user files.

These are different metrics. Kaspersky, McAfee, and Symantec are reporting various flavors of malware. Because there is far more Windows-based malware in the wild, the Windows numbers on these searches will be higher.

CVE tracks all reported vulnerabilities, regardless of whether there exists a malware exploit for them. It is interesting to note that the number of high-scoring vulnerabilities for the kernel is indeed low, as you mention. The total count for all scores is 1,143.

These numbers sound like aggregate counts. Is the Linux number comprised of kernel plus distributions, and is the Windows/Microsoft number comprised of all versions?

Just out of curiosity, I booted to the Kaspersky rescue disk, updated its antivirus definitions, and scanned my entire hard drive. I have Kubuntu, plus two installs of Windows. I have the original Windows 7 Home install, which I rarely use, on its own partition. When this thing boots, Grub gives me the choice between Kubuntu or this Windows install. After Kubuntu boots, I have the choice of running Windows 7 Ultimate under VirtualBox if I want to. I usually work only in Kubuntu, but sometimes I run Win 7 under VB to run the programs I've described, and Win 7 is usually blocked from the Internet.

Anyway, the Kaspersky rescue disk scan found no malware. That shouldn't be a big surprise since I use good security practices. What I do wonder is if the Kaspersky boot disk scan does actually scan my VB install of Windows 7, since that one is not actually on its own partition. I don't completely understand how VB works, but it somehow simulates a partition for Windows.

A virtual machine is a pile of bits that look and feel like a real machine, but only while the virtual machine manager is running. A scan running on the bare metal will not be able to detect that this pile of bits represents a computer.