Linux vs MS Security

Linux vs MS Security

Post by Chuck Fors » Sat, 27 Aug 2005 02:39:23

Now and then I encounter a Microsoftie who claims Linux
is as vulnerable as Windows because there are a comparable
number of security patches released. Not being a security
guru I don't have the facts to rebut. So here are my

1 (SPAM) What percentage of SPAM is transmitted by compromised
Linux systems compared to Microsoft?

2 How does Linux compare with Windows for spyware vulnerability?

3 How many Linux worms/virii in the last ten years??

Chuck Forsberg XXXX@XXXXX.COM 503-614-0430
Developer of Industrial ZMODEM(Tm) for Embedded Applications
Omen Technology Inc "The High Reliability Software"
10255 NW Old Cornelius Pass Portland OR 97231 FAX 629-0665

Linux vs MS Security

Post by R.F. Pel » Sat, 27 Aug 2005 03:30:53

If you go by the number, yes, maybe even more. However, what does this
number tell you? Not much. Nothing in fact, because the number isn't set off
against another measure. For example LOC. Or what the numbers are about.

A badly configured Linux box is just as dangerous in that respect as a
Windows box. In fact I can remember a client having trouble with Exchange
being configured as an open relay by default out of the box. Go figure. I
think however that the number of Linux boxen turned into a spamspew by
means of a trojan is far lower.

What spyware? There are ways to do keyboard logging, but everybody uses ssh
nowadays and is behind a firewall. Even if one has a Linux box.

There are numbers about that. I think the total number of virii for
UNIX/Linux lies around 300. That said, infections generally tend to be
contained because of the more rigorous security in UNIX.



Linux vs MS Security

Post by Ivan Mars » Sat, 27 Aug 2005 03:46:35

(Assuming this isn't a troll to start yet another pissing contest)

Security patches being released is a good thing... if they actually fix
the security problem and don't create new ones. The number of patches
released is no measure of the security of the OS... the response to
security issues from the developer is.

Linux patches usually fix the issue at hand and don't usually introduce
new issues.

Many of the Microsoft patches throughout the years have either not fixed
the issue at hand or created new and sometimes worse issues.

Microsoft has actually benefited from being compared to Linux on a
security front. There was a time when MS's policy about some of its
security issues was "It will be fixed in the next OS release"... RedButton
comes to mind.

Though I still don't trust any MS box being connected directly to the
internet without something in between it and the rest of the world, it is
safe to say that MS has vastly improved its response to security issues
since the NT 4.0 days... whether they have been successful at making their
OS reasonably secure is a matter of opinion.

< .5% (high estimate) - the only way I can imagine a Linux box being
zombied to be a spam server is if the admin manually downloads and
installs a compromised piece of software. You will not have your Linux box
taken over by browsing a web page as you can in Windows.

It's extremely difficult to install and run a program on a secure *nix
system. See answer to #1.

Don't know... But most viruses and worms are written by people who aren't
very good programmers... so, naturally, they tend to write them for the
easiest systems to compromise. There hasn't been a TCP/IP specific worm
written since the early '80s.

I've never had a compromised *nix system... and, truthfully, I've had very
few compromised Windows systems, but I'm very security conscious and
usually use the *nix systems to protect the Windows systems.

The biggest issue with security lies with the operator, not the OS.

"Blessed is he who expects nothing, for he shall never be disappointed."
Benjamin Franklin (I didn't know he was a Buddhist)

Linux vs MS Security

Post by johnny bob » Sat, 27 Aug 2005 04:34:33

"Not surprisingly, Windows XP SP1 sans third-party firewall had the
poorest showing. In some instances, someone had taken complete control
of the machine in as little as 30 seconds."

Let's not complicate our relationship
by trying to communicate with each other.

Linux vs MS Security

Post by Bit Twiste » Sat, 27 Aug 2005 05:40:48

No, having to wait for the second Tuesday of the month makes Windows
more vulnerable.

Heh, heh, look here to see what it takes to tighten XP.
Is there any chance of the casual user knowing what to disable or set

Guessing linux has more security patches released. Micro$oft does not
show all patches released. Keeps the comparison looking good for them.

Micro$oft used to get razzed about the number of patches released, and it was
not too long after that that they changed to once-a-month releases.
The reason given was that commercial customers could not keep up with testing
and rolling out patches.

People are looking for linux exploits, and updates are usually ready within a
week and available for download.

You get to wait for second Tuesday of the month for M$.

Something to look at here

No way to tell unless you want to run code against ip addresses found

I would bet greater than 90%, because malware downloads an SMTP server
and starts spewing email messages.

Majority of spyware will not install/run on linux.

Not enough for the Antivirus Vendors to make a living with. :)

Grand total unix and linux is less than 300.

Linux vs MS Security

Post by Tobias Bro » Sat, 27 Aug 2005 05:50:00

[Ivan Marsh]

Well. A linux box not being maintained or upgraded, or badly
installed in the first place, is very likely to get compromised. I
know there exist boxes that have been connected to the net for years
and years without any maintenance or upgrades being performed -
sysadmins eventually throwing up a firewall to hide the problem.

For one thing, it is not so many years ago that most of the mail server
software was set up as an open relay by default. It was also common to
have linux distributions where lots and lots of servers were set up by
default. It used to be normal to let servers run as root. Security
flaws have always existed, notoriously buffer overflows. Thus, having
a linux box with servers running on the Internet without patching up the
software every now and then is a quite risky affair: if a skilled
person gains root access to the box and starts installing back doors,
trojans, etc., then it will be extremely difficult to "clean up" the
system. Of course, this applies to windows as well.

Of course, a regular linux user would not run his browser as "root",
thus the box won't be taken over no matter how many holes there are in
the browser. Some Microsofties I'm regularly discussing security
with, would claim that the same applies to windows. When people are
running all their applications as "System Administrator" on their
windows boxes, it is (according to said Microsofties) due to
ignorance; everybody should learn a bit about computing before using
or owning a computer. Well, I tend to disagree; surfing the web
should be reasonably safe for anyone, and it should be possible for
Microsoft to deliver a virtually maintenance-free product, or
eventually, for dealers to do support/maintenance for dummies.

That being said, of course I feel miles safer running Mozilla than
MSIE, both because I expect Mozilla to be safer and because it is less

This signature has been virus scanned, and is probably safe to read
Tobias Brox, 69°2'N, 18°7'E

Linux vs MS Security

Post by Tobias Bro » Sat, 27 Aug 2005 06:12:20

As has been said by others, this is a silly way to measure security.

The "closed source" and "open source" communities have two quite
different philosophies when it comes to security, and it is quite hard
to say that one is better than the other.

In the "open source" community, everything is transparent. The bad
thing about this is, of course, that anyone can find the weak spots,
and eventually exploit them. The good thing is that the weak spots
get found and fixed. Quite often the security faults get announced
first, and fixed later - quite often the delay between the security
alert and the fix is small, often a proposed patch is applied with the
announcement, though it may take some time until the fix is official
and part of the linux distributions.

In the "closed source" community, the code is secret. The good thing
about it is that the weak spots quite often are unknown, and thus not
exploited. The bad thing is, of course, that one can never know how
many weak spots there are, and eventually how many people have inside
information about those weak spots. Now I've heard two quite
different views on how good Microsoft is at patching up their security
holes, so I'd be pleased if anyone could fill me in on this:

- The Microsofties I'm regularly discussing security with claim
that never (or almost never, or at least not as far as they know) has a
security hole been publicly known _before_ an official patch for the
security hole was out.

- The other story I've heard is that Microsoft is very slow on making
patches, and that known security holes can stay open for as much as a
month unpatched.

This signature has been virus scanned, and is probably safe to read
Tobias Brox, 69°2'N, 18°7'E

Linux vs MS Security

Post by Bit Twiste » Sat, 27 Aug 2005 06:28:41

But then again it is impressive that with M$ closed source how many
exploits are found.

Quite right. The black hats used to brag about the exploits. Now that
the criminals are into it, they keep the exploits to themselves.
Now that they are starting to avoid honeypots, it is getting harder
to find out about the malware.

Saw remarks from M$ execs where they did not bother with exploits
until found in the wild.

Linux vs MS Security

Post by Rick Moe » Thu, 15 Sep 2005 08:18:36

Chuck Forsberg WA7KGX N2469R < XXXX@XXXXX.COM > wrote:

This sounds like a fairly content-free OS-advocacy discussion. Are you
_sure_ you want to have one?

I.e., if you stop to think for just a moment, you'll realise multiple
reasons why the relative _number_ of security patches (a) cannot be
determined and (b) would be irrelevant to the question at hand, anyway:

1. Linux distributions differ drastically, from one to the next, as to
the number and scope of codebases (applications, daemons, etc.)
furnished with the base OS. E.g., there are over 17,000 packages (per
supported architecture) in Debian's stable branch. (_However_, basically
all Linux distributions offer a considerably greater number and scope
of codebases than do Microsoft's extremely spartan MS-Windows releases.
This is the biggest single "apples and oranges" portion of the problem,
though there are others.)

2. Distributions not only differ greatly about number and scope of
packages, but also typically offer considerable latitude about whether
to install the kitchen sink, almost nothing, or anything in-between.
Not all software is likely to get installed -- or run, if it is
installed. However, security patches get released for all contents,
both often-used and almost-never-used.

For the preceding two reasons alone -- and there are others -- if there
were (hypothetically) a "comparable" number of patches released for
Debian-stable's 17,000 packages and for MS-Windows XP's bare OS +
Wordpad + MSIE + MS Outlook Express, wouldn't that seem (on just numbers)
to be an extremely damning indictment of _MS-Windows_?

3. However, not all "security patches" are created equal. First, some
are reactive and others are anticipatory. (Guess the tendencies of
Linux and MS-Windows security patches in that area: You'll probably
guess right.) Some are against theoretical attacks that may or may not
ever be made real. Some are to guard against remote privilege
escalation and system compromise, some are for local-only privilege
escalation, some are for remote denial of service, some are for
local-only denial of service. Those are of radically differing
importance. E.g., one "hole" in Apache 1.3.x, some years back,
theoretically allowed a remote attacker to bump off Apache listening
processes, a few at a time -- and that's it. Apache 1.3's a
fork-and-exec daemon: You kill a few, it spawns off a bunch more. Big

Not all vulnerabilities are credible or serious. Not all exploits are
credible or serious.

Some remote attacks are much more likely to give you root/Administrator
privilege. (Guess which platform generally has a much greater problem
with remote-root attacks?)

Patches that aren't anticipatory, by definition, involve a "window" of
delay between the time the vulnerability is discovered to (1) the time
an exploit is discovered and deployed, and (2) the time a patch becomes
available and known. Guess which platform generally has a problem with
the patches that fix serious problems arriving in public much later than
the exploit code did?

Not all patches are non-problematic. Linux systems tend to have modular
functionality for, in particular, security-sensitive code: You can
upgrade or patch one part without adversely affecting another part.
MS-Windows systems, by contrast, have an ongoing problem in that area:
Sites delay deploying service packs and hotfixes because they break too

Linux vs MS Security

Post by Jeroen Gei » Thu, 15 Sep 2005 09:20:47

Okay, then simply compare the relative amount of internet servers
A hint: Microsoft wins that race every time.

They'd have to be fairly competent programmers to find them in the first
place - better than the creators of said software, anyway.
The offhand comment that "anyone can find the weak spots" is too
hilarious to take seriously.

Yeah, right - so where do the roughly 10 exploits a month come from that
are publicly revealed ? Psychics ?
If what you say holds (and it still may) that means there are so many
bugs and holes in M$ software it would put a Swiss cheese to shame.

Actually, it's the other way around - other people have to tell M$ every
time that there are huge gaping holes before they will even deign to
look at it - M$'s official stance is "if people don't complain, we aint
spendin' money on it".

The average leans towards the 3+ months, actually.

Linux vs MS Security

Post by Rick Moe » Thu, 15 Sep 2005 19:51:37

My favourite anecdote about that is the F00F bug. See:
"F00F Bug" on

It was a grave bug in Pentium / PPro processors, discovered in 1997,
that Intel managed to talk its way out of fixing by some subtle
misdirection that somehow convinced people that the CPU defect was OS
vendors' problem.

(Any affected CPU would immediately lock up if induced to load and run
the instruction "F0 0F C7 C8" by anything at all, with any authority.)

Regardless, after the bug was publicised on 1997-11-10, the BSDi people
were first to produce a fix, using information they received from Intel
under NDA -- in something like 2-3 days. The Linux kernel coders,
working _without_ NDA information, were able to do likewise within, if
memory serves, about one day more.

Microsoft? They got around to hotfixing some but not all of their
then-supported OS releases about six months later.

Cheers,
Rick Moen
XXXX@XXXXX.COM

"Due to circumstances beyond our control, we regret to inform you that
circumstances are beyond our control." --Paul Benoit

Linux vs MS Security

Post by Jeroen Gei » Thu, 15 Sep 2005 20:14:15

I always wondered about that one - I know any non-ancient Linux kernel
shows it checking for the f00f bug on boot, but I thought it was limited
to the original Pentiums ? (P54C)
Or is this not the same as the math rounding error ?
Perhaps that one was in the original chip...

Anyway, just goes to show.

Linux vs MS Security

Post by Rick Moe » Fri, 16 Sep 2005 01:20:45

[F00F bug:]

A lot of people get those confused. No, this was not the same as the
infamous FDIV (floating point) error that was such a scandal. Part of
what was so remarkable was that it was a great deal _worse_, and yet
Intel managed to palm off the problem onto OS vendors, to fix it with
software countermeasures.

The latter did eventually work well for end-customers, with (as I said)
the time-to-fix depending greatly on which OS it was.

Linux vs MS Security

Post by ibuprofi » Fri, 16 Sep 2005 09:20:11

In the Usenet newsgroup comp.os.linux, in article
<440e$432800b9$c690c3ba$ XXXX@XXXXX.COM >, Rick Moen wrote:

] Path:!!
] Newsgroups: comp.os.linux.advocacy
] Subject: This code will lock up any P5 machine, even usermode Linux! (F0 0F C7 C8)
] Date: Thu, 06 Nov 1997 21:57:33 -0800
] Organization: The University of Texas at Austin, Austin, Texas
] Lines: 7
] Message-ID: < XXXX@XXXXX.COM >
] NNTP-Posting-Host:
] Mime-Version: 1.0
] Content-Type: text/plain; charset=us-ascii
] Content-Transfer-Encoding: 7bit
] X-Mailer: Mozilla 3.0 (Win95; I)
] Hi,
] Check this out. If you execute F0 0F C7 C8 on a P5 it will lock the
] machine up. This is true for any operating system including usermode
] Linux. It's pretty cool. Basically, the opcodes are an invalid form
] of cmpxchg8b eax with a lock prefix. Has anyone seen this before? The
] problem doesn't show itself for the Pentium Pro or Pentium 2.

I don't think anyone ever identified the discoverer. There was some talk
that whoever it was worked for Cyrix and was reverse engineering the chip.
Others claimed that it was more likely a computer science student at the
University of Texas at Austin. I imagine if Intel were serious, they could
have filed a complaint and the police would have had a look at the dialin
logs - never heard a word about that.

Are you sure of the date? The original posting (above) was late on the
sixth, and the next few days were like someone stomped on a fire ant nest.

google groups has a thread in comp.unix.bsd.freebsd.misc dated Tue, 11
Nov 1997 16:38:48 -0700 announcing the BSDi fix. It was withdrawn on the
12th apparently because it was released in violation of the NDA, and there
was a lot of bickering in that group over the Linux fix.

]From: XXXX@XXXXX.COM (Linus Torvalds)
]Newsgroups: comp.os.linux.misc,comp.os.linux.hardware
]Subject: Pentium bug workaround, please test!
]Date: 12 Nov 1997 19:27:02 GMT
]Organization: Transmeta Corporation, Santa Clara, CA
]Lines: 20
]Message-ID: <64cvu6$b3f$ XXXX@XXXXX.COM >
]I just made 2.1.63 available on the normal ftp site (,
]directory pub/linux/kernel/v2.1). The most exciting change is probably
]the preliminary patch by Ingo Molnar that should work around the by now
]well-known Pentium lock-up bug. Many thanks to Ingo who put together
]the patch from various snippets of information floating around.


]Please give it a good testing, especially the Pentium bug workaround.
]Throw all the tests you have at it, to see that it really works. We'll
]be doing a 2.0.x patch for that too, but it's probably not going to
]appear for a few days, so in the meantime testing this fix on 2.1.x
]would be a GoodThing(tm)...
] Linus


]From: XXXX@XXXXX.COM (Sam Trenholme)
]Newsgroups: comp.os.linux.development.system,comp.os.linux.advocacy,
]Subject: F00F bug *fixed* in 2.0.x kernels
]Date: 14 Nov 1997 07:27:58

Linux vs MS Security

Post by Rick Moe » Fri, 16 Sep 2005 11:34:14

[F00F bug:]

No, I was actually up during the middle of the night after donating
*** and then crashing for several hours, really had no business
attempting to be coherent on Usenet at that time, and only partially
succeeded. Ordinarily, I'd have properly re-found the date stamp on the
original newsgroup posting before saying that, but I was just too tired.
(That's a poor excuse, I know. I knew I was likely to get it slightly
wrong, but was exhausted and momentarily didn't care. My lazy
guesstimate about the number of months until Microsoft's NT patch was
off, too -- but in the ballpark.)


Now that you mention it.... Hmm, I notice that their earlier
they posted in 1998 doesn't exist, any more. Ah, here:

I found that by googling for Intel's mind-numbing moniker for the
problem, "Invalid Operand with Locked CMPXCHG8B Instruction". Page
claims that NT 3.51 got some sort of hotfix, but they don't actually
name or link that hotfix. NT 4.0 got a fix as part of SP 4.0. Win95
_never_ got any sort of fix, it seems -- just as I was saying in '98.

It's a bit frightening to think that I might personally have been -- for
a while -- the best-informed commentator on this problem other than
Robert Collins (who wasn't saying much). And I was a rank amateur. ;->

Yes, that was quite bogus. Here's the actual vendor statement, from
Intel's informational page:

"Novell's network operating system NetWare/IntranetWare is not
affected by the invalid instruction erratum found in the Pentium
processor. NetWare/IntranetWare requires proper authentication to run
NLM's [sic] and applications on the server. Due to this secure
access, NetWare/IntranetWare is not susceptible to NLM's [sic] or
applications that would use the invalid opcode. For further
information, please contact Novell at 1-801-861-5533 or"

Tom Oldroyd
Senior Marketing Manager
Novell Inc.

Cheers,
Rick Moen
XXXX@XXXXX.COM

"Due to circumstances beyond our control, we regret to inform you that
circumstances are beyond our control." --Paul Benoit