As I understand it, almost anything can be accomplished by a skilled hacker, however there must be a reason you never hear a Linux user complain about the problem.

I can't be sure, but I believe it is a combination of the tremendous skills of those who program our security and the fact that most of us are not worth the extreme effort to attempt penetration. That may be why we don't experience any security problems.

Personally, I don't trust very many, but I do trust those who care for and protect our machines on a daily basis. That doesn't mean it won't happen, but while you never hear of a Linux user being hacked, you hear of Windows users being hacked all the time. Consequently it makes sense to me to remain a Linux user and have empathy for those who are a better target for hackers.

You have to remember that it was a thief who stole the DOS program from Xerox in the first place. It was an ethical wimp who caused the need for extensive virus programs and spyware programs and adware programs, while Linux users do not even think much about those kinds of problems. And, of course, we do have sufficient applications to minimize that kind of junk when I, on rare occasions, happens.

And don't forget those unpaid specialist who help you on a daily basis in the various forums. Rarely they make a mistake, but do you ever hear them tooting their own horn, like the look-at-me braggarts from the competition. Given the choice, who would you prefer trusting, a known liar and his cohorts, or generous people who don't even require your thanks. (That might be something you should consider after getting help from a Linux forum anyway.)

I am grateful every day that I enjoy the benefits of Kubuntu. I feel safer than I ever felt when operating a Windows or Windows compatible machine.

In Ubuntu Linux; all of it's distribution flavors; the root account is disabled by default, and the user who initially installed the system is 'granted' root privileges "when required". In this way, you, as the system installer, are in control of the system, meaning, that when an action/application needs/wants/requires installing/writing/modifying contents of the root file system, a password dialog prompt is presented, and your password must be typed in and the return key pressed before any action can be taken. So, if an attachment (in this case) were to be malicious and written to affect a Linux root file system (very rare), the password dialog prompt would appear.

Now keep in mind, the above assumes that the root account is disabled; that it wasn't activated and isn't being used to log in with; a bad practice IMO, equivalent to playing Russian Roulette with a Derringer pistol .

But there are other problems that are platform independent like 'cross-site request forgery'.

One link:
https://en.wikipedia.org/wiki/Cross-...equest_forgery

Those that use a text only browser like Lynx should be safe.
But don't take my word for it, I'm convinced SteveRiley is more qualified

Root access is a bit of a red herring when talking about desktops really, because the whole desktop environment runs as your user, and therefore all of those programs have access to your sensitive information. If an attacker could make one misbehave, they could get that information.

Read some of the Ubuntu security announcements, they're full of stuff like this (example from 11th Jan):

This is all someone needs to pwn you really - for example they could download some script file from the attacker's server and run it as your user (e.g. download into ~/bin, chmod+x it, script.sh), the script could then scrape any passwords that are stored plaintext and your sensitive data, which it has access to because it's running as your user, and send it back to the server. Or, it could encrypt your files (like the cryptolocker malware on windows) and hold you to ransom.

However, it couldn't install software that affects the whole system (because that requires root, like Snowhog said), so it couldn't do something like turn your computer into a spambot by installing Postfix and sending loads of email.

However, there are also privilege escalation vulnerabilities discovered in the kernel quite frequently, like this one (this specific example was for the RasPi kernel, but there are many similar announcements for the main kernel - 06/01/2016)

So once an attacker can execute code as an unprivileged user (your login) they can try and exploit a bug like this to gain root if that's what they wanted.

The best defence against exploits like this (and one of the big benefits of using Linux) is that maintainers are very proactive about patching bugs, so it's easy to update to fixed versions. That doesn't mean there aren't any other bugs in the kernel/plasma that could be exploited, but it means that someone would have to have found an exploitable bug themselves, or bought it from someone else who found one, and written a piece of malware that could exploit it.

Generally that's not worth the time and effort, so it doesn't happen - the malware would be discovered pretty quickly (linux users generally pay quite a lot of attention to their machines) and developers would write a patch for the vulnerable software, everyone would update, and the malware is rendered inert. Waste of time, unless someone is targeting you specifically.

---

Servers are a different story entirely, since the point of the malware is probably to install some software and use the server for some other purpose like in my Postfix spambot example (requires root). That, or the attacker is after a database of user information, which they would probably get using SQL injection or something similar, where specially crafted requests to the server make it respond in an unexpected way, revealing sensitive information.

On a server, services like apache run as separate users (www-data in apache's case) and are users without shell access, so it's much more difficult to exploit them in the same way as I described for a desktop. The files they can read/write are deliberately restricted using file permissions and ownership.