Fwd: viruses on UNIX vs. Windows

Date view Thread view Subject view Author view

From: Rohit Khare (rohit@uci.edu)
Date: Fri May 05 2000 - 21:38:01 PDT

>X-URI: http://www.cs.utk.edu/~moore/
>From: Keith Moore <moore@cs.utk.edu>
>To: Randall Stewart <rstewar1@email.mot.com>
>cc: "Michael H. Warfield" <mhw@wittsend.com>, Valdis.Kletnieks@vt.edu,
> Scot Mc Pherson <smcpherson@clearaccess.net>, ietf@ietf.org
>Subject: viruses on UNIX vs. Windows
>X-Subject-Was: Re: VIRUS WARNING
>Date: Fri, 05 May 2000 17:59:33 -0400

it might be useful to further examine the differences between UNIX-like
systems (including Linux) and Windows systems regarding their
susceptibility to viruses.

1. it should first be noted that UNIX-like systems are not immune to
worms or viruses. the Morris worm propagated itself via buffer
overflow bugs in sendmail and finger, and similar vulnerabilities are
probably still available to a would-be attacker. over the years many
more security holes like these have been found in UNIX systems and
exploited. we'll keep seeing such holes as long as people write
servers in C. but for some reason such attacks tend not to be viruses,
we just haven't seen many worms/viruses use these techniques since the
Morris worm.

2. the Morris worm worked with both vax and sun3 platforms presumably
because these were the most popular platforms then in use on the
Internet. today most viruses target Windows boxes presumably because
they are so popular.

3. the attacks that have been successful against UNIX tend to be specific
to a particular platform - its CPU instruction set, memory layout,
system traps, and library routines. Windows boxes are also vulnerable
to hardware-specific attacks, but they also support things like vbscript.
so there are multiple languages by which one can attack a windows box,
and many of those are commonly bundled with Windows. so in addition
to windows being more popular, in some ways you it has a more
predictable target environment (i.e. a given windows box is likely to
have more facilities you can exploit than a UNIX box) this makes Windows
a more predictable platform for software developers, but virus writers
are software developers too.

4. email-borne viruses have somewhat greater ability to penetrate
private networks because email tends to not be filtered by firewalls
(and even firewalls that scan for viruses generally are limited to
scanning for known viruses)

UNIX-based email clients are less vulnerable than their Windows
counterparts because

a) UNIX-like systems do not come with an extensive registry of content-type
    -to- program mappings. nor, in general, do mail readers for these
    platforms. so if a mail reader receives an object with an unusual
    content-type it is unlikely to know what to do with it (other than
    to offer to save it to a file)

b) UNIX based mail readers tend to rely on the MIME content-type
    label and are less likely than Windows readers to "guess" how to
    handle a file based on the file name suffix. MIME content-type
    registrations are required to contain a security considerations
    section. it may be that as a result, the content-type registry
    on a UNIX system is less likely to contain definitions for
    dangerous objects, than on a windows system...and therefore
    UNIX mail readers are less likely to try to interpret such things.

c) UNIX systems have fewer interpreters for content-types that
    can cause harmful side-effects, and such as do exist (such
    as PostScript) are more likely to be invoked in a "safe" mode.

    script attacks are certainly possible on UNIX - most UNIX systems
    support script languages with destructive power similar to vbscript.
    but it is very unlikely that a UNIX mail reader would be configured
    to, say, automatically execute a perl script received in mail.

d) UNIX has not traditionally had a point-and-click interface,
    so the notion that there is some action implicitly associated
    with a file type, so common in the Windows and Mac worlds,
    does not hold for UNIX. Indeed, UNIX has much the opposite
    notion - that arbitrary tools can be applied to arbitrary files.

5. unlike many Windows-ish boxes, UNIX is a multi user operating
    system with file protections. thus there is a layer of isolation
    between user processes and the operating system, which limits the
    degree of damage that is likely to happen. to be sure, a lot of
    harm can be done by trashing or altering a single user's files,
    and there may are often security holes which can be exploited
    to elevate an ordinary user's privileges. but this is still an
    additional barrier that must be overcome. Windows is an easier

6. there is a great deal more history with security exploits,
    and thus with countermeasures, on UNIX-like systems.

    there seems to be greater awareness of the potential for harm
    among the UNIX community than among Windows developers.
    this may be because UNIX is primarily used by computer experts.


to some degree Windows is inherently more vulnerable because it
is a more popular platform. however it should be possible to make
Windows much less vulnerable than it currently is merely by a few

- don't automatically evaluate content unless it is KNOWN to be safe
   from harmful side-effects. either that or evaluate the content
   only within a sandbox which prevents such harm. (this means
   that you limit the content that you're willing to automatically
   evaluate to a few well-understood types)

- don't offer to execute content that can cause harm unless
   (a) the recipient okays it, (b) the sender's identity is
    known and the integrity of the file can be assured
   (via verifiable digital signatures), and (c) the recipient
   is warned *each time* that the content can cause harm.


Date view Thread view Subject view Author view

This archive was generated by hypermail 2b29 : Fri May 05 2000 - 21:39:35 PDT