Linux Business Case: Security

Is Linux more secure than other operating systems (OS)? Well, the answer,
like so much in IT today, is: it depends.

It depends on who you talk to; it depends on configuration; it depends how
well security policies and best practices are followed by staff and admins;
it depends on where an OS is being used and its exposure to hackers; it
depends on a lot of things.

If you take just the raw data comparing vulnerabilities issued for Windows
Server 2003 v. RedHat’s Enterprise Linux 3.0, currently the most popular
distribution for Web servers, then Linux is by far the big loser, said Herb
Thompson, Security Innovation’s director of Security Technology and
Research.

“If you just count raw vulnerabilities in each of those (Web servers) that
were fixed in 2004 … in Windows 2003 we get 52 vulnerabilities, if it’s
serving in a Web server role,” said Thompson. “If I take the minimum RedHat
configuration (kernel, Apache, PHP and MySQL), which is the base system to
be able to serve up a dynamic Web page, then I get something like 132.”

But raw numbers only tell part of the story. How many servers are affected
by the exploit? How much data is corrupted, stolen, lost or viewed by an
intruder? How much does each vulnerability cost to patch? All of these have
an effect on the perceived security of a given OS.

And that perception may be more what the security argument is all about
today than the actual vulnerability of a given OS.

Thompson recalls that in a recent client meeting a CIO was complaining about
the necessity and regularity of the Windows security patching his staff did.
When asked how many Linux patches his staff was required to install in a
given year, the CIO had no idea. As it turned out, according to a Linux
admin at the table, Linux was patched far more often than Windows.

This came as a surprise to the CIO, who basically was lamenting the fact
that Windows is an insecure platform compared to other operating systems.

“When you talk about vulnerability you have to look at the workload and the
points of attack,” said Bill Weinberg, Open Source Architecture specialist
and Linux evangelist with the Open Source Development Labs. “Some of the
assumptions made that Linux is always more secure than Microsoft or other
operating systems — any generalization should be examined carefully.”

But being OSDL’s Linux evangelist, it’s no surprise Weinberg believes that, if
configured correctly, Linux’s underlying, component-based architecture makes
it more secure than Windows.

However, because Linux is somewhat more complex to configure and is less
user- and application-friendly when configured for secure operation, many
admins provision Linux in a less secure configuration, which, of course, can
negate any inherent security advantage Linux possesses out of the box.

“You’re talking about religion here,” said Charles Kolodgy, an analyst with
IDC. “[G]enerally it does come down to the viewpoint of the user and how
much you want to do yourself and how much you want someone else to do it. I
can just as easily change my own oil, but I go and get it done to save time.
I can patch my Linux or I can have Microsoft patches.”

There are other arguments that need to be looked at when considering
inherent OS security. One is ubiquity, another is open source vs. closed
source, and a third is latency, or days-of-risk.


Popularity Contest

Many people believe that because of Windows’ popularity, it comes under
attack more often and therefore is regarded as less secure. But with Linux
now being used in millions of PDAs and Web servers around the globe, it also
is a tempting target.

According to Weinberg, something like 20% to 30% of the total server market
is Linux-based. And, according to Con Zymaris, CEO of Cybersource, an
Australian Linux/UNIX consultancy, 67% of the world’s Web pages are served
up on Apache/Linux, not to mention all the Linux-based mail servers.

With all these instances of corporate Linux in use, arguing security on the
basis of popularity is a non-starter. Zymaris, like Weinberg, believes its
underlying architecture makes Linux more secure.

“All these data points imply that Linux and open-source platforms constitute
the lion’s share of Internet-exposed computing infrastructure globally,”
said Zymaris. “This would therefore put ‘Paid’ to the concept that Linux
isn’t attacked because it’s not high-profile enough on the Internet.”

Another argument says that because Linux is open source, and anyone can have
access to the base kernel, it is less secure by definition. This, according
to Weinberg and Zymaris, is a false presumption. “Security through
obscurity,” Zymaris states, is no security at all.

That is why Windows is so successfully attacked by virus writers exploiting
auto-executable macros in Outlook, for example, and Linux is not.


Latency

Days-of-risk, or the time between when a vulnerability is reported and a
patch issued, is also a big security concern. Since Microsoft, RedHat and
Novell all subscribe to the “responsible disclosure” concept — under which
those who discover vulnerabilities are encouraged to report them to the
software vendor first and allow time for a patch to be created — the lag
time between when a vulnerability is discovered and a patch issued often is
unknown.

For Linux, outside of the RedHat and Novell distros, vulnerabilities are
reported at large, and therefore the lag time to a patch may, or may not, be
longer than for a Windows patch. However, Microsoft gets kudos for improving
its security response time and for issuing patches on a regular, predictable
schedule.

Unless you are running a supported distro of Linux, patches come out when
they come out. In either case, companies are vulnerable until a patch is
issued.

“The biggest difference is, with open source, the white hats … and the
customer has a chance to fix it on their own as opposed to waiting for the
proprietary software (vendor) to do on a schedule that only suits their
commercial needs,” said Weinberg.

But while Microsoft seems to be getting a handle on this particular problem,
said Security Innovation’s Thompson, the ad-hoc nature of the open source
community means it has no central coordination to address such issues. And,
over the next few years, this may cause some problems for Linux.

“The Linux trend is actually moving upward toward more vulnerabilities in
the first year of release as opposed to, if you look at the Windows server
products like Windows Server 2000 vs. Windows server 2003, where the trend’s
going down,” said Weinberg. “On the Linux side, it’s going to be interesting
to see what happens.”

So, is Linux inherently more secure than other OSes? It’s hard to say. If
you configure any OS wrong and leave yourself open to attack, fail to adhere
to security policies and procedures, and provision for ease-of-use over
security, then, no, Linux is as insecure as any other OS.

But, if you can do without some of the functionality inherent in a Windows
platform and are willing to jump through some configuration hoops, then, the
consensus leans toward Linux because of its component architecture and the
ability of in-house staff to deal with security problems proactively instead
of waiting for Microsoft or another proprietary platform vendor to issue a
fix. In other words, it depends.