War of words over operating systems' safety
Celeste Biever
http://www.newscientist.com/article.ns?id=dn7192

Doubts were cast this week over the security of three major software systems
formerly regarded as safe havens from hacker attacks and viruses.

But experts argue that despite the new findings, these systems are still
more secure than their Microsoft counterparts because hackers overwhelmingly
target the Windows software.

"The Windows problem still dwarfs these other problems because internet
criminals know that there are an awful lot of clueless Windows users," says
Graham Cluley, security consultant at UK anti-virus firm Sophos.

Until now, the open-source Firefox web browser, Linux-based web servers and
the Apple Mac operating system OSX were heralded as more robust to hacker
intrusions and viruses than Microsoft's Internet Explorer and the Windows
operating systems.

So it came as a surprise to the security community when all three came under
attack in two security reports, funded by Symantec - the California-based
anti-virus software vendor - and Microsoft.

The debate was sparked Monday when Symantec released its biannual Internet
Security Threat report. The company found that between July and December
2004, 21 new vulnerabilities were discovered in Firefox while only 13 were
found in Internet Explorer.

"This runs contrary to a trend seen in previous periods where nearly all
browser vulnerabilities affected Microsoft Internet Explorer exclusively,"
says Symantec in its report.

Missing patches

A "vulnerability" is a programming error that enables an attacker or a virus
to gain entry to a computer - allowing access to confidential information,
the running of malicious programs or even crashing the system. However, once
vulnerabilities are reported, they are typically patched by the software
maker, removing the error.

A separate report, which takes software patching into account, comes to the
opposite conclusion. The report, also published on Monday by Dubai-based
ScanIT, found that in 2004, 98% of IE users were vulnerable to attacks
because their systems were not patched, while only 15% of Linux users were
at risk.

ScanIT founder David Michaux also points out that while Symantec found more
vulnerabilities in Firefox, it found fewer severe vulnerabilities, just
seven compared to IE's nine. "You will always find fewer vulnerabilities in
IE, because they don't make their source code available. But the
vulnerabilities you do find will be more severe," he says.

Trend to come

Symantec also reported that Apple's OSX had 37 vulnerabilities. Until now
the only malicious code targeted at Apple was a malicious program called
Repeno that was found online in October 2004. It was largely harmless
because it had no way of spreading automatically, but Symantec predicts that
Repeno is an example of a trend to come.

"It is now clear that the Mac OS (operating system) is increasingly becoming
a target for the malicious activity that is more commonly associated with
Microsoft and various UNIX-based operating systems," says the report.

Richard Forno, an independent security consultant based in Washington DC,
US, who specialises in Macs, disagrees. "The Mac OSX part of the Symantec
report was overblown," he says. "Cyber criminals want to go after the
low-hanging fruit and the Mac OSX is still not as bug ridden as Windows."

Time lags

On Tuesday a further report highlighted vulnerabilities in the Linux
operating system. The Microsoft-funded report was released by Richard Ford,
a computer scientist at the Florida Institute of Technology, and colleagues
at the security company Security Innovation, both in the US.

To his surprise, Ford, a loyal Linux user, found that an open-source Linux
server contained 174 vulnerabilities, while the Microsoft equivalent had
just 52. He also found that on average the time lag between reporting a
vulnerability and having it patched was 44 days with the Linux server, but
31 with Microsoft.

Cluley argues that this is irrelevant because hackers are still not
interested in attacking Linux systems, partly because there are far fewer
Linux users, and partly because the users Linux attracts tend to be more
tech-savvy and so more likely to patch their own systems.

But he says that this could change in future. "There are a growing number of
users for these alternative operating systems so we shouldn't be
complacent," he says.

Michaux disagrees: "Unlike the Microsoft programs, the more people that use
an open-source system, the more secure it becomes." This is because the
open-source code is analysed by the security community as a whole, whereas
the Microsoft code is only seen by the company's engineers.


