Why Linux Will Never Suffer From Viruses Like Windows - HotHardware

Why Linux Will Never Suffer From Viruses Like Windows

36 thumbs up

There seems to be a recurring phenomenon in the technology press, where any trojan that affects Linux or Macs becomes front page news. On the other hand, trojans that affect Windows are mostly ignored, perhaps because this is considered to be the normal state of affairs.  

There are two common statements made in the discussions of these rare events:

  • No operating system will ever be secure from Trojans.
  • Linux/Mac only have fewer viruses because no one uses them.


The first statement is almost correct, whereas the second one is a flat out myth in my opinion. Let me explain, and I’ll listen if you still disagree after reading the following in its entirety.

1.  No operating system will ever be totally secure from Trojans... but only as long as they allow anyone to write un-sandboxed software for it.

If users have the ability to run anything, they can also install anything they are tricked into running. Anyone can trick people into running a script to format their drive on any operating system... if the user is gullible enough to click through the prompts and enter the admin password. There is only one way around this: Don’t let the users run anything they want!

Take the XBox 360, for example.  It’s actually a full fledged computer, with huge marketshare, running a Microsoft operating system. Yet, with all these compounding points of vulnerability it has no known trojans floating around in the wild. Why? Because full system access is restricted to established companies with a clear chain of responsibility. Users can’t run unsigned software on the system, and even with XNA indie devs get only crippled sandbox access.

Apple’s taking this same approach with their Mac App Store. Apps delivered through the store must run in a sandboxed environment. Microsoft is also doing the same thing with their Windows 8 app store. If devs want to create their own apps with full system access, they won’t be able to play in these ecosystems.  Of course, Apple and Microsoft still let their own apps, the ones devs will be competing against, run with full system access (look for anti-trust lawsuits here later).

After “Secure Boot” (i.e. restricted boot) is prevalent, and the operating systems are locked down to not allow anyone to sideload any non-OEM software, we could be completely free of trojans and viruses.  That might be good for the average level of system security, but it would be a horrible blow to innovation, competition, and the indie/hobbyist developers.

2. Does system adoption directly correlate to an increased likelihood of viruses / trojans? No. Not in my opinion. There are many reasons Linux systems have fewer viruses, and market share is only one factor.  I’ll address these from the Linux perspective. On the Mac side of things, several of the points don’t apply, as Apple has taken free software and brought it into its closed, walled garden.

A huge percentage of Linux software is installed from signed repositories:

1) The downloads themselves are cryptographically signed.

When a user downloads software and drivers for Windows, they’re typically doing it from many different websites on the internet, and trusting that the admins of every one of those sites is competent and has done their due diligence to implement the proper security.  At the time of the download, there is no check to verify that the file the user is getting was actually created by a trusted source (and not a hacker that has pwn’d the site) or is being served by some man in the middle.

On Linux, with few exceptions, the hardware drivers are also included with the kernel. As for software, users typically download that from only a limited set of distro-owned repositories.  All software is delivered in installation packages that are cryptographically signed and those signatures are checked at installation time.  If a package has been replaced with a hacked version and was therefore not signed with a trusted cert, users will get a big fat error warning them of that.

2) The repositories (“repos”, for short) keep all of the software up to date, not just the kernel or things made by the distro creator.

When a security flaw is found in a Windows application, the vendor will usually put an update on their website.  With the exception of a few MS partners that have their drivers on Windows Update, it is up to the user to go discover that and update their software.

On Linux, security issues can be raised and patches created by any entity, not just the original software author.  These updates are applied and pushed into the repos for all applications.  Users become aware of it almost immediately - as most distros check regularly and prompt users to click a button to update the app.

I finally found a trojan! It's a Windows trojan in my Junk email folder, that doesn't work on my Linux box.

More than 99% of the software is open source:

It’s not unreasonable to wonder “How does having the source code available for any nefarious hackers to peruse, make software more secure?”.  The answer can be summed up in something Eric Raymond said about 13 years ago:  “Given enough eyeballs, all bugs are shallow”.

In the Windows world, we are trusting the vendor to have done the due diligence to investigate their own code for buffer overflows and other exploitable flaws. No one else has seen the code, so automated software source scans/reviews are impossible.

In the Linux world, there are dozens of companies and security researchers that constantly run scans over the entire ecosystem of software in their repositories - not just the software they’ve developed themselves.

Open source code also tends to lend itself to re-use.  In the Linux world, devs are not even going to be tempted to go implementing a security-centric feature like SSL libraries themselves, when there are perfectly working ones available for their open source apps to use for free.  Having that code open, such that they can step their debugger into and fix any underlying bugs themselves, is a great asset.

On Windows, there’s a reinforcement of the “not invented here” mindset as apps re-implement the wheel for their closed-source project in order to avoid paying other proprietary software developers for a decently vetted utility library. A Linux distribution (distro) is more than just Linux. Linux is the kernel, and many of the other components are part of the GNU environment. Common packages (ex. Apache web server) are used in other open source operating systems, including BSD. And, in case you didn't know, the BSD guys are kind of nuts about security. So, these components have been scrutinized with a hundred fine toothed combs.

Combine the open-source nature of Linux with the repository system used for software distribution, and anyone can see why Linux exploits have shockingly short lifespans:  When a 0-day exploit is found, the geeks rush to see who can come up with the best fix (since everyone has access to the source), and it’s pushed into the repos and out to everyone immediately.

Linux distros are diverse:

Successful trojans rely on some bug or flaw to exist, in order to gain elevated privileges. (I know:  duh, right?) On Windows, malware authors can be pretty sure that the kernel bug that exists on their Windows 7 box also exists on your Windows 7 box (if both are up to date).

On Linux, these would-be-hackers would be extremely lucky if two different distros are running the same kernel  -- much less the same patch-sets -- and maybe if they were built with the same compile options.  The same bugs do not exist everywhere, which makes Linux a less viable target. It's still an attractive target (since a large percentage of the always-on servers on the Internet run it), it's just not as easily exploited at the OS level.

So, the conclusion is obvious:  Even if they had the exact same market share, it is extremely unlikely that Linux would ever have the same number of exploits as we see in closed-source ecosystems such as Windows. This is a direct result of the open nature, which allows for innumerable companies and hobbyists to access and maintain all portions of the system--a feature that simply can't be replicated in proprietary operating systems. Linux will always have more eyes looking through the code to make it secure, than there are eyes looking through the code to exploit it.

I welcome any intelligent discourse on the topic, even if you disagree with me.

Article Index:

Prev 1 2 3 4 5 Next
+ -

Au contraire, MadPhil. I know for a fact my school logs logins in an SQL database. With one user account. From a VBS script. *tap tap tap*... 'oops' just wiped everyone's login history.

+ -

Can you name ANY bios tool that doesn't require you to type the previous password before doing any change ?

Yup, the BIOS Reset Jumper on the motherboard does that quite handily.

+ -

Very nice article and so true. Market share is certainly a factor but not the end all and be all.

+ -

Good point, Ive always been a big supporter of open source software, and i really do hope linux takes hold as a major OS.

+ -

Yes. Great article. I can add also that since most software for Linux is free that users are downloading legitimate copies of Gimp and Kdenlive instead of an infected Torrent version of Photoshop or Adobe Premiere.

+ -

Great point, DRoss. I wish I had thought of that one.

+ -

Not really, even on Linux people want to use Photoshop. It's not like open source can replace all the non-free software. Development of really good programs/apps takes time and money and that's hard to do Open Source.

Really, it's been years and yet there's no really good audiophile programs or a real alternative to Photoshop, among other examples. It's why people keep on trying WINE and VM solutions.

Even the move with Valve to put Steam on Linux is not going to be any more free than the Windows version.

DRM, software pirating, etc are all things mainstream OS users will have to deal with regardless of which OS they use!

+ -

>> Not really, even on Linux people want to use Photoshop

Nope.  I use Gimp.  Free, and does everything most people want.

I have more audio programs than I can shake a stick at, I don't know what 2004-thing you're thinking of.

Software piracy isn't going to be a big problem in Linux, because there's a free solution that is good enough for pretty much everything:  LibreOffice, Inkscape, Audacity... it's not worth the Linux users time to pirate software when there's a free solution with a one-click install right in front of him.

Pirated games?  Sure, I'll wager there'll be a few.  But, the vast majority of Windows/Mac trojans are going to be found in pirated versions of the OS or productivity suites... so the games probably will never be a big deal.  If Valve's smart, they'll do like android and run everything under a separate user account where the games can't even screw with any directory outside Steam.

+ -

Sorry but I do use Linux, along with OSX, Windows, Android, and iOS. I'm not picky! I just know better to think that any one of them is invulnerable or in any way perfect. All OS have their strength and weaknesses.

Linux has some good defaults but it still requires a good setup and careful users.

While you obviously don't use Windows if you think it's still easy to do unsophisticated attacks. Drivers like the video drivers have been sand boxed since Vista. Along with a lot of security features that's been added over the years.

The majority of Attacks on Windows are Trojans, not viruses!

So it's mostly user error and things like not all users necessarily take advantage of those security features, like many insist on always logging in as administrator instead of a limited account even if they never really need admin privileges.

Also you're assuming things like Java actually has to be installed on Windows just like Linux. So either way user permission is required.

Windows 8 Modern UI brings in the latest security improvements, like all modern UI apps run sand boxed just like Linux. Secure Boot, etc are all enhancing Windows security higher than it's ever been before. The new MS App store will make it a lot harder to attack users through apps, etc.

While like it or not though Gimp is no replacement for Photoshop, sorry but I've worked as a graphic designer and theirs no real replacement for Photoshop. Gimp is more in the class of something like Photoshop Elements, Photoshop features but not the same as the full program.

There are also no really good audio editing programs for Linux.

Really, check out the "Why Linux Sucks | LFNW 2012" (part of LinuxFest North West) on youtube. It covers what Linux still needs to overcome and it's made by pro-Linux people!

+ -

>> While you obviously don't use Windows

I've used it every day in my professional work for the last 20 years, and been writing software for it all that time..

>> Gimp is no replacement for Photoshop,

For the majority of us, it is. It's just not a replacement for everyday professional designers that need that final 5% - and who probably own Mac's (and therefore have OSX) for that type of work.

>> There are also no really good audio editing programs for Linux


>> Really, check out the "Why Linux Sucks | LFNW 2012" (part of LinuxFest North West) on youtube. It covers what Linux still needs to overcome and it's made by pro-Linux people!

I'm very familiar with Bryan's work, having been a long-time viewer of The Linux Action Show. He gives that talk each year to show the progress. You should watch the talk he gave afterwards, called "Why Linux Does Not Suck (Even A Little)".

Prev 1 2 3 4 5 Next
Login or Register to Comment
Post a Comment
Username:   Password: