Re: How many vulnerabilities does Linux have compared to Microsoft?

Here's the wiki answer: http://en.wikipedia.org/wiki/List_of...mputer_viruses

Elsewhere on this forum there have been semi-heated debates on the topic -- searching should find the threads.

Re: How many vulnerabilities does Linux have compared to Microsoft?

Thanks, I found a lot of what I was looking for. I can't believe I didn't think to search 'windows vulnerabilities' here. Duh!

Re: How many vulnerabilities does Linux have compared to Microsoft?

The three most important steps you can take to prevent infections on your Linux installation are:

1) Only install applications from the repository, or from sites that are vetted. IF you have a question about a site or an application ask here. Never install applications from nefarious websites, even if they offer md5 sums for verification. IF you can't read their source code, verify it and compile the verified source you shouldn't touch it.

2) Linux is not hurt by emails arriving with malware binary executables as attachments. But, NEVER save a binary attached to an email, even if it comes from some one you know, then add the execute permission to the saved file and then run it. Those are three MANUAL steps which you should never do. Getting you to take those three steps is called "Social Engineering". Unlike Windows, Linux does not have an "ActiveX" control which automatically runs an executable attached to an email, so if you don't fall for social engineering you won't get email infections. Last year a bot farm was found that contained over 4,500,000 Windows zombies, most of them captured with simple mass mailings of infected emails. Also, a Linux bot farm was discovered last year. It had only 700 Linux zombies in it and it took the gang of hackers over 6 months of remotely hacking into Linux boxes not running firewalls and with poor user or root account passwords. Hackers prefer Linux boxes for command and control precisely because they can be made very secure. Their problem is cracking into them in the first place. Now, using Ballmer's figure that 12% of all desktops (as of Feb 2009) run Linux, it stands to reason that if Linux were as vulnerable as Windows one would expect to see at least 12% as many malware apps as Windows has, or about 300,000 per year. In 20 years less than a 1,000 have been identified and probably less than 25 have been in the wild and affecting any appreciable number. The last major infection of Linux that I can recall occurred about the same time that the "Code Red" infection of Windows took place, in the summer of 2001. It was caused by a commercial Linux vendor who tried to create a distro that, from the user's perspective, ran like Windows did at the time. So, when that distro was installed the user was set up to run as root, without a password. That distro was very popular in Eastern Europe and in the course of a couple weeks it was reported that as many as 25,000 Linux computers were infected (or it was 2,500 -- I can't remember )

3) Keep an active firewall running.

Generally, Linux users run AV products to protect their Windows running friends from a virus that they might pass on if they pass on an email.

Re: How many vulnerabilities does Linux have compared to Microsoft?

A reliable site, one I use for much research. Although their occasional propensity to release unofficial patches is worrisome, because they don't have near the resources for regression testing that vendors do.

"Patch Tuesday" (or "Patch Wednesday" for those west of the International Date Line) has a neat history. Microsoft used to release patches without much regard for potential system instability or the cost of customer downtime. A customer advisory board we built called the Chief Security Officer Council -- which I spent a considerable amount of time with -- helped us realize that a patch schedule scales much better for large enterprises. Occasionally you'll see a security patch release out-of-band, before the next cycle -- because there's evidence that a serious vulnerability, typically a remote exploit, is already wreaking havoc. The decision to release out-of-band is usually a joint one, made after the CSO Council convenes for a consultation weighing risk of attack against risk of unplanned downtime.

Careful about the assumption that open source = more secure (I know that's not actually what you wrote). More eyes looking at code isn't an automatic guarantee of better code; those eyes must be highly qualified at spotting bad code that could be exploited. Software testing is, in many ways, a more challenging discipline than software development.

Sage advice. But gad guys can MD5 their code, too, and I've known of "forks" claiming to be independent "improvements" that include some handy malware and also publish MD5s because, well, MD5 = secure, right? :P

Not only ActiveX, but any sort of executable can be perverted into malware. Fortunately, Windows's defaults have improved here; running unknown code now does require acknowledging at least one dialog -- the from-an-untrusted-source-are-you-sure prompt. If the code tries to make system-wide changes, the user will also have to answer the UAC consent prompt. Still, I like Linux's approach better: you have to work even harder and mark the download as executable. Higher bars = fewer opportunistic infections.

This is the same time I moved into Microsoft's Trustworthy Computing Group! Sheer coincidence, of course.

I really wish earlier versions of Windows did this by default. Microsoft lost its opportunity to teach people how to be secure by default in the critical early days of the explosion of personal computing.

Re: How many vulnerabilities does Linux have compared to Microsoft?

Thanks for all the info, guys. I think I already won the debate, but I don' think I had any converts. But at least some may take a second look at Linux.

One thing I learned about debating about anything, telling someone they're wrong comes with consequence, so I try to be civil as possible about it and try to agree with them whenever I can.

Also, I love hearing about stuff like this. I'm studying to be a Network Systems Administrator and knowledge like this will be very valuable to me.