Ted wrote:
| > Janice Chan wrote:
| > Most viruses are inert on Linux & Solaris as well. Ah the joys of
| > existing in an environment free from the influence of Bill Gates & his
| > evil geniuses :-)
|
| Most (but not all) viruses are inert on Unix-type systems simply because
| they were written to attack Windows. This is not due to any inherent
| security defects in Windows, but is simply because Windows is the most
| popular OS. If Unix was as popular as Windows, there would be just as many
| Unix viruses about.

This is flatly false. Viruses were prototyped on unix before 1980, the problem was studied, and the fixes still work. The few viruses that appear for unix-type systems are usually very limited in the sort of damage they can do. They are usually found and fixed fast.

The most common Windows viruses now are those that are embedded in email. This is possible solely because of something very wrong that Outlook does: If an attachment is an executable program, Outlook interprets clicking on it as a command to execute it. This is not a design flaw; it was intentionally built into Outlook. And when the problems became obvious, Microsoft handled them with PR rather than software fixes.

The basic fix for this is simple: You never, ever permit automatic execution of code that was received from another machine. Anything that does this is a wide-open security hole.

This sort of problem appeared on unix systems in the early 80's. At that time, most users read their mail by using their favorite editor. (Many of us still do this.) Versions of editors came out that had the ability to embed bits of "config" code inside a file that would affect various editor settings. Almost always, this feature would also permit running subprocesses. The danger was obvious to many users, and people wrote demos of what we now call "email viruses".

The reaction of users was fast: The vendors were told in no uncertain terms that they would fix the problem. Now. All further purchases were on hold until this problem was fixed. An option to block such execution was NOT acceptable. The default had to be "off". The problem was fixed, usually within a week or so.

Since then, the unix user community has had a lot of people who are on the lookout for this sort of problem. When spotted, the problem is publicised, the vendor is told to fix it. Now. It gets fixed.

For reasons incomprehensible to most unix users, Windows users keep using such things as Outlook even after the problems are documented. This is why the problems still exist.

Similar stories exist with other software. There was a funny report last week that argued that linux had more security problems than Windows. The numbers were counts of problem reports on public security sites. The explanation, of course, is that when problems are found on unix systems, they are publicised. Vendors are typically given only a few weeks to fix the problem, and then descriptions are posted. If the problems aren't fixed fast, first details and then exploits are published. This gets the attention of vendors.

On linux and the BSD clones, the source code is public, so even if the vendors can't or won't fix a problem, there are plenty of users who can and will. Being the first to come up with a fix gets one a certain amount of honor, so people compete to fix problems.

Microsoft has a history of sitting on security problems for months or years, and threatening the people with prosecution if they publicise problems. Microsoft's licenses often explicitly forbid telling others about problems you may find. Here in the US, the DMCA is a good tool for this. This law makes it illegal to publicise security holes in a company's software products, under the guise of copyright protection.

So Microsoft's software is inherently much, much worse than unix software from a security viewpoint. But it's the user communities that make the difference. Unix users are mostly intolerant of security problems, insist on publicity, and want fixes now. Microsoft users accept PR "solutions" and suppression of problem reports, and continue to use software after problems have been made public. So the problems will continue.

Posted to Scots-L - The Traditional Scottish Music & Culture List - To subscribe/unsubscribe, point your browser to: http://www.tullochgorm.com/lists.html
