
nec207

Original poster
The myths going around on the internet.

1. Less than 1% use Linux and 10% use Mac OS X; it is not that they are so much better, but market share. The malware makers are going for Windows, where the market share is.
2. Windows has more security, but most people don't use it.
3. Mac OS X security is not that good; Windows is better.
4. Windows has more gradual permission levels than an ON and OFF like Linux or Mac OS X.
5. Malware is growing with Linux and Mac OS X now.



Here is my take on it.

Windows, Linux and Mac all have guest accounts, standard accounts, administrator accounts and so on. So on security it is, well, the same here.

What Linux and Mac have that Windows does not, other than Windows Vista and Windows 7, for security is authentication with a password for system changes. But Windows Vista and Windows 7 authentication is more secure than Linux and Mac, as you cannot download, install or remove, or even change the date and time or wallpaper, without clicking confirmation; it is not just critical system changes but any system change. You cannot even view stuff in Control Panel or system info!!!

Whereas with Linux and Mac you can download, install or remove, or even change system settings; it will only ask for authentication if it is affecting critical system changes.

So in a way Windows has more security with the cancel and allow box, but it pops up like all the time. Whereas with Linux and Mac you can download, install or remove, or even change system settings with no pop-up.


Where Linux and Mac have more security is that they do not support old software like Windows does. Why is supporting old software bad? It's simple: old software ran as full admin and had way, way, way, I say again, way, way too much access to the system. Those were the dark days of software and OSs of the 90s, as they ran as full admin and one user.

More and more people are getting Mac computers now and there is more and more malware coming out now; it is a growing problem for Mac computers now. Well, Windows still has most of the malware out there. The growth of malware is growing now due to more people getting Mac computers.

Windows 95/98/Me was based on DOS and ran as full admin with only one user. It was horrible for security, really horrible. Whereas Windows 2000/XP/Vista/7 and now Windows 8 are based on NT, that is, many people using the computer with different read and write access and way better security, thus guest accounts, standard accounts, administrator accounts and a lot more tweaking of what the person can have with different levels of read and write access.

It is best when one is surfing the internet to go on the internet with a guest account, where the malware will not have read and write access.

Microsoft did not really start to take security seriously until Windows Vista and Windows 7 came out with the cancel and allow box and the anti-virus, anti-spyware and firewall that come with Windows Vista and Windows 7.

That is my take on this.
 
The following link is to a post that compares OS X to Linux.

https://forums.macrumors.com/posts/13013842/

The information to make this comparison with Linux is taken from the following source.

https://wiki.ubuntu.com/Security/Features

The following link is to a post that compares OS X to Windows 7.

https://forums.macrumors.com/posts/13013889/

Various examples disprove the marketshare argument.

Linux has more examples of malware than OS X despite Linux having a smaller marketshare.

IIS has more examples of malware than Apache despite Apache having a greater marketshare and Apache being released several years prior to IIS.

Windows has disproportionately more examples of malware than other OSs in relation to the respective marketshares of the OSs.
 

No offence, but I'm dubious about trusting the opinion of someone who spells & punctuates in the way that you just have.

Linux is far more thoroughly tested and secure than OS X and Windows combined. It stands to reason, as it is FOSS, which means many many people get to see bugs and then fix them. This cannot ever happen with the closed-source nature of proprietary OS' such as Mac OS X and Windows. Impossible.

The support for mainstream software is lesser, but the security is much higher, of that there can be no question.
 
No offence, but I'm dubious about trusting the opinion of someone who spells & punctuates in the way that you just have.

You do realize that English isn't the poster's first language.

Linux is far more thoroughly tested and secure than OS X and Windows combined.

How so? Do you have a link to support this statement?

It stands to reason, as it is FOSS, which means many many people get to see bugs and then fix them. This cannot ever happen with the closed-source nature of proprietary OS' such as Mac OS X and Windows. Impossible.

Most of OS X is open source via using many of the same open source projects as Linux and BSD.

http://www.apple.com/opensource/

The support for mainstream software is lesser, but the security is much higher, of that there can be no question.

How so? Do you have a link to support this statement?
 
You do realize that English isn't the poster's first language.

Not that his style of punctuation would be acceptable in any Indo-European language I know :p

How so? Do you have a link to support this statement?

1.000.000 people having access to the source code > 1000 people.

It's simple maths, and such a notion is familiar to everyone who has worked as a programmer or has a degree in CS.

If you don't... you'll have to take our word for it.

(or pay me to teach you Software Engineering 101 :p )


"Security through obscurity" is a notion mostly favoured by managers.

Actually, the whole debate is pointless anyway: apples (heh) and oranges.

OS X (and Windows) are operating systems, Linux is a kernel - part of an operating system.

It's like comparing an engine and two trucks.

Distros can be RADICALLY different when it comes to installed packages and services running by default.

Most of OS X is open source via using many of the same open source projects as Linux and BSD.

I'm not sure why, but lately the vulnerabilities seem to apply to the closed source portions of the OS, especially in their .0 incarnations... :p

How so? Do you have a link to support this statement?

See above.
 
1.000.000 people having access to the source code > 1000 people.

Most of OS X is open source via using many of the same open source projects as Linux and BSD.

http://www.apple.com/opensource/

Seems like both provide equal access to me?

I'm not sure why, but lately the vulnerabilities seem to apply to the closed source portions of the OS, especially in their .0 incarnations... :p

Do you have a link to support this?

If you are referring to Safari, Webkit is open source.

http://www.webkit.org/
 
Most of OS X is open source
I really wouldn't go and say most of OS X is open source. Sure, the base of it is, but most of the consumer-facing layers are not. Some of the apps, like Safari, are open source. Apple uses open source when it's in its best interest. They protect the source code when it's a better business decision to do so.
 
Most of OS X is open source via using many of the same open source projects as Linux and BSD.

http://www.apple.com/opensource/

Seems like both provide equal access to me?

OSS parts of the OS (heh!), ESPECIALLY when used by / borrowed from other projects are inherently more secure due to extensive peer review.

Other parts... who knows?
They may be riddled with holes.

Not all of OS X is OSS, and the default configuration matters anyway: even if you have the most secure code in the world, if the default install gives rwxrwxrwx to /etc/*, /var/* and /root/*, you're reasonably screwed.

See: OpenBSD.
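
The default-permissions point above (world-writable `/etc`, `/var`), as an added example that is not part of any post in this thread: a POSIX shell audit that lists files and directories writable by every user. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_world_writable ROOT...
# Prints one finding per line and returns 1 if anything was found:
#   FILE <path>  regular file writable by "other"
#   DIR  <path>  directory writable by "other" without the sticky bit
# Sticky world-writable directories (mode 1777, like /tmp) are not
# reported: only an entry's owner, the directory owner or root can
# delete or rename entries there.
audit_world_writable() {
    findings=$(
        for root in "$@"; do
            [ -d "$root" ] || continue
            find "$root" -xdev -type f -perm -0002 \
                -exec printf 'FILE %s\n' {} \; 2>/dev/null
            find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
                -exec printf 'DIR  %s\n' {} \; 2>/dev/null
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree standing in for a badly configured install.
# Prints the path of the temporary root it created.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/etc" "$t/var" "$t/tmp"
    : > "$t/etc/passwd"; chmod 644 "$t/etc/passwd"   # fine
    : > "$t/etc/hosts";  chmod 666 "$t/etc/hosts"    # finding: rw-rw-rw-
    chmod 755  "$t/etc"                              # fine
    chmod 777  "$t/var"                              # finding: rwxrwxrwx
    chmod 1777 "$t/tmp"                              # fine: sticky bit set
    printf '%s\n' "$t"
}

# Demo on the constructed tree; on a real system pass /etc /var instead.
tree=$(build_sample_tree)
audit_world_writable "$tree" || echo "world-writable paths found under $tree"
rm -rf "$tree"
```
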
 
OSS parts of the OS (heh!), ESPECIALLY when used by / borrowed from other projects are inherently more secure due to extensive peer review.

If both OSs use the same open source projects, then the amount of peer review is equivalent.

Projects released as open source by Apple are used in Linux. For example, Avahi is a derivative of Bonjour.

Other parts... who knows?
They may be riddled with holes.

Links?

Not all of OS X is OSS, and the default configuration matters anyway: even if you have the most secure code in the world, if the default install gives rwxrwxrwx to /etc/*, /var/* and /root/*, you're reasonably screwed.

Obviously, that is not the case in OS X.

See: OpenBSD.

Mac OS X is based on FreeBSD.

Also, OpenBSD has fewer vulns than Linux.

http://cve.mitre.org/
 
If both OSs use the same open source projects, then the amount of peer review is equivalent.

...but only for said projects.

Not applicable to proprietary parts.

Projects released as open source by Apple are used in Linux. For example, Avahi is a derivative of Bonjour.

Exactly.

(BTW, I'm still trying to figure out why on certain configurations - e.g. onboard SiS controller on Acer Aspire computers - avahi will randomly bring ethX down on Ubuntu 10.4 to 10.0)


LINKS?
You want me to post a link to prove that if you don't have access to the source code, you... er, don't have access to the source code?

I don't think I can do that.

Open Source isn't enough, anyway.

Younger codebase is probably more vulnerable than two decades old code, even if the latter is proprietary.

Also, OpenBSD has fewer vulns than Linux.

No, that's exactly my point.
OpenBSD has an enormous share of userland in common with, say, Slackware and derivatives (please, there's no "Linux").
Only, OpenBSD can - famously - claim "n remote holes in the default install" (with 0<n<10) because the default install has a small number of carefully tuned services running.
 
No offence, but I'm dubious about trusting the opinion of someone who spells & punctuates in the way that you just have.

Linux is far more thoroughly tested and secure than OS X and Windows combined. It stands to reason, as it is FOSS, which means many many people get to see bugs and then fix them. This cannot ever happen with the closed-source nature of proprietary OS' such as Mac OS X and Windows. Impossible.

The support for mainstream software is lesser, but the security is much higher, of that there can be no question.

The point of the post was to give my opinion and get answers from the security experts here.

I did not put a disclaimer that my opinion is more a question of interpretation of what I read than an opinion based on speaking from experience or knowledge.

I just do not want my post to come off like I'm saying this is the way it is and that is how it works. My post is more like this is what I think it is like or this is what I thought it was like.
 
...but only for said projects.

Not applicable to proprietary parts.

Most of the security sensitive components of OS X are open source.

The kernel space of OS X consists of the XNU kernel and IOKit. Both of which are open source. Having a secure kernel space prevents the bypassing of DAC and MAC based sandbox.

The proprietary parts of OS X are only within user space and do not have much security implications. For example, Webkit is open source and it is the foundation for Safari, Mail, iTunes, Dashboard, and more.

LINKS?
You want me to post a link to prove that if you don't have access to the source code, you... er, don't have access to the source code?

Can you provide a link supporting the claim that the proprietary code in OS X is full of holes?

Younger codebase is probably more vulnerable than two decades old code, even if the latter is proprietary.

I guess you are not aware of all the kernel-mode driver privilege escalation vulnerabilities that have been found in Windows since UAC was introduced to have DAC enabled in the default install of Windows.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k

http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html

It is the security paradigm of the vendor that makes the difference regardless of whether or not the code is open source or proprietary.

No, that's exactly my point.
OpenBSD has an enormous share of userland in common with, say, Slackware and derivatives (please, there's no "Linux").
Only, OpenBSD can - famously - claim "n remote holes in the default install" (with 0<n<10) because the default install has a small number of carefully tuned services running.

Slackware is not a derivative of OpenBSD nor any other BSD distro. Slackware is a variant of GNU/Linux.

Mac OS X is a derivative of BSD. More specifically, it is a derivative of FreeBSD.

Also, both Mac OS X and Linux have similar port policies. The ports that are exposed in these systems are sandboxed.
 
Security

Might I add this.

UAC in Windows 7 is good, until the user turns it off.

This can be done in this: Control Panel, User Account, Change User Account control setting.
Users will do this when it's too annoying.

Doesn't seem very smart to me.

Mac OS X doesn't have such an option. Although, I guess you can get round it by running as root under Terminal. This is harder and not something everybody will do.
 
UAC in Windows 7 is good, until the user turns it off.
Do a lot of users do this? I know in the corporate environment this is not an option thanks to group policies. I run windows 7 and I keep UAC active.
 
security

Do a lot of users do this? I know in the corporate environment this is not an option thanks to group policies. I run windows 7 and I keep UAC active.


You tell me ... I'm not referring to corporate in specific as I know they would lock it down, and know what to do.

Some less savvy home users are another matter. Comparison is basically useless, as Mac OSX would be secure, if people didn't randomly type their password in to install MacDefender.

Hence, security is only as good as people make it.
 
UAC isn't very robust.

It has been bypassed by malware in the wild.

There is a high incidence rate of vulnerabilities that allow bypassing UAC.

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+ -> list of incidences of kernel mode driver vulnerabilities.

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.
 
Well, the UAC, I find, is the most powerful thing ever invented to stop malware. Linux does not have UAC, but what Linux has is that you are a user with root privileges that need authentication.

Mac has a user space level and a system level. Any time you try to do something at the system level you need authentication. In Linux anything outside your home directory needs authentication.

With Linux you use sudo and with Windows you use the cancel and allow box, but that can be changed to a password prompt too.

On some Linux distros you can change it so you run as root all the time.
 
UAC isn't very robust.

It has been bypassed by malware in the wild.

There is a high incidence rate of vulnerabilities that allow bypassing UAC.

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+ -> list of incidences of kernel mode driver vulnerabilities.

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

Are you saying there are registry, driver and kernel exploits?

Why are there these exploits? Is it the way the OS was built or just sloppy programming?
 
Discretionary access control in Mac OS X and Linux is robust.

Discretionary access control in Windows (UAC) is not very robust.

See my previous post for more info.
 
Are you saying there are registry, driver and kernel exploits?

Why are there these exploits? Is it the way the OS was built or just sloppy programming?

The registry can be manipulated to leverage vulnerabilities in kernel-mode drivers to exploit the kernel.

These exploits allow you to bypass UAC.
 
Discretionary access control in Mac OS X and Linux is robust.

Discretionary access control in Windows (UAC) is not very robust.

See my previous post for more info.

What is the difference between access control in Mac OS X and Linux and, say, UAC in Windows? How does the access control in Mac OS X and Linux work compared to, say, Windows UAC?
 
Do a lot of users do this? I know in the corporate environment this is not an option thanks to group policies. I run windows 7 and I keep UAC active.

I've turned it off. UAC is the only thing I cannot stand about windows and I'm glad Microsoft provide an option to switch it off.
 
What is the difference between access control in Mac OS X and Linux and, say, UAC in Windows? How does the access control in Mac OS X and Linux work compared to, say, Windows UAC?

The principle applied is similar. Obviously, the actual code used is different.

Windows' implementation of DAC is less robust. There appear to be three reasons for this:

1) A high incidence rate of vulnerabilities related to Win32k.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k

2) Lack of runtime security mitigations applied to kernel-mode drivers.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf

In this paper we’ve shown that in spite of safe unlinking, the Windows 7 kernel pool is still susceptible to generic attacks. However, most of the identified attack vectors can be addressed by adding simple checks or adopting exploit prevention features from the userland heap. Thus, in future Windows releases and service packs, we are likely to see additional hardening of the kernel pool. In particular, the kernel pool would benefit greatly from a pool header checksum or cookie in order to thwart exploitation involving pool header corruption or malicious pool crafting.

3) Design implementation issues in relation to user-mode callbacks.

http://mista.nu/research/mandt-win32k-paper.pdf

In this paper, we’ve discussed the many challenges and problems concerning user-mode callbacks in win32k. In particular, we’ve shown that the global locking design of the Window Manager does not integrate well with the concept of user-mode callbacks. Although a large amount of vulnerabilities involving insufficient validation around the use of user-mode callbacks have been addressed, the complex nature of some of these issues suggests that more subtle flaws are likely to still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, we conclusively discussed some ideas as to what both Microsoft and end-users might do to reduce the risk of future attacks in the win32k subsystem.

I've turned it off. UAC is the only thing I cannot stand about windows and I'm glad Microsoft provide an option to switch it off.

You do know that if you are using an Admin account with UAC disabled, you have also disabled MIC (mandatory integrity control = Windows sandbox), such that only a single remote exploit is required to achieve system level access?
 
So just to clear this up: OS X has a user space level and a system level, and this is where DAC comes in, but the DAC is modified by Apple. Any time you try to do something at the system level you need authentication. In Linux, for anything outside your home directory you need authentication, and this is where DAC comes in.

You do know that if you are using an Admin account with UAC disabled, you have also disabled MIC (mandatory integrity control = Windows sandbox), such that only a single remote exploit is required to achieve system level access?

I thought Windows MIC or sandbox is only for IE? So things do not run outside the sandbox?

So with a good MIC or sandbox malware cannot get on the system, but with a weak MIC or sandbox, malware can bypass it and get on the system.
 