10 comments

[ 0.21 ms ] story [ 19.4 ms ] thread
Yet linux and OS X don't seem to have this "3rd party apps security issue".

I have personally never bought the "installed base" argument, where Windows gets the majority of the attention because it has more users. Most computer virii seem to be clustered around gaining remote control or access to a machine to either steal data (files, keystrokes, etc) or turn the machine into a zombie. Thus, the "hackers" (yes, I know) don't really care what OS you're running, they will exploit whatever is exploitable. Sure, Windows has the largest installed base, so they would make a logical first choice, but we would also expect these exploits to be ported to other platforms IF those other platforms were similarly exploitable.

Think about how hard it is to port code you wrote to another platform. Now think about porting flimsy code that relies on a set of interactions in an opaque system not functioning as you'd expect.
Think more carefully about your argument. The hackers don't "care" what OS they're targeting --- that much is true. The aesthetics of POSIX vs. Win32 vs. Carbon are not a major deciding factor for them.

What is a deciding factor is, "how much money will I make for each line of code that I write". The answer:

* Linux: Negigible.

* Mac OS X: Very near negligible.

* Win32: Very significant.

Malware authors are only going to move to new platforms when they hit "peak oil" for Win32 --- when there is so much competition for new desktops that it's worth it to target an OS that has a 5-10% share. We are nowhere near that point yet.

The words "similarly exploitable" are slippery and imprecise. The overwhelming majority of Windows "infections" are not caused by Win32 platform flaws. They're caused by unsafe user interactions with the web browser and mail programs. Those exact same unsafe interactions are present on OS X. Are the two "similarly exploitable"? Well, if writing a Mach-O malware shim is "similar" to writing a Win32 PE malware shim, then sure. Otherwise, no.

PS: Bona fides: my company is standardized on OS X, I came to OS X by way of Yellow Dog Linux on a TiBook, and prior to that I'd been FreeBSD since 1994. I've got an aggregate of 5 months of Win32 "userhood" in my whole career (though much more exposure at a systems programming level). I'm not an apologist; I just think the Win32 security haters are wrong.

I don't see the difference between a Linux "zombie" and a Win32 "zombie". I've personally seen both platforms get compromised and when it happens the results are typically the same.

I'm solidly behind the theory of viruses being made for the cheapest platform available - Windows and Linux.

What does a virus care about how "expensive" the platform is that it infects?
The person creating the virus cares. Affordability of the platform is a major issue when the producers are coming from eastern Europe.
I'm thinking that suggesting that Eastern Europeans care about the cost of an OS license is a really weak argument.

Malware authors care about exactly one number: the ratio of the dollars it takes to put a malware program out in the field over the dollars collected by that malware program. That ratio is good for Windows, and extraordinarily crappy for Linux. If my mom (and all moms like her) switched to Ubuntu, the ratio would get better.

This rings true --- almost obvious --- and I don't think it should surprise anyone here. Some facts:

* Every major product Microsoft ships gets weeks (or, in the case of core OS components, months) of outside security testing. Look at the past 7 years of Black Hat talks, and the majority of the speakers/researchers now work for firms contracting to Microsoft to pen-test their code.

* Every Microsoft developer working on a major project has been trained for secure programming, and the courseware and objectives for those courses were designed by acknowledged experts in security.

* Microsoft is the single most targeted vendor in all of IT; every security company with a research team spends a significant amount of cash to reverse engineer components and attempt to find flaws in them. Microsoft benefits from this by getting first dibs on almost every new bug class.

Compare this to the third-party software developers; none of these things are true. Just in terms of external testing; factor out Adobe, Apple, and Mozilla, and you'd be surprised to find a vendor that did have a policy of third-party assessments.

The Microsoft Insecurity story was a real issue in 2003. Bill Gates got up and said they were going to make security a key focus for the company. Normally, you ignore a statement like that. This time, they meant it, and they had hundreds of millions of dollars to back it up.

Microsoft is the best commercial closed-source vendor in the industry at security.

Just wondering about IIS, IE, MS SQL Server, MS Exchange, NtOsKernel.dll, OutlookExpress, MS Outlook, MS Office VBA macros, WSH (vbs/js), COM/OLE, ActiveX, and the list goes on...

All major security holes and vulnerabilities founded so far in these products are 3rd party?

No, but security defects are found in these bits less frequently than in their ISV competitors. There's been one remote found in IIS 6 in the last 2 years; none in IIS 7.

[edit] lemme correct myself --- there's been one remote that you heard about found in IIS --- the rest, Microsoft paid a shitload of money to find privately.