Once every couple months or so, I find myself
explaining to someone that the flood of viruses
everyone has come to expect is not an unavoidable side
effect of an increasingly networked world. Usually
this comes up in response to the all-too-common
security through obscurity argument that Linux systems
would suffer the same frequency of virus problems as
Microsoft Windows if they were as popular as Windows
is now. Such a comment ignores several factors that
make up the vulnerability profile of Windows with
regard to viruses.
The most obvious, for those who recognized the term
“security through obscurity” that I used above, is
that Linux-based systems and other open source OSes
(such as FreeBSD and OpenSolaris) actually benefit
greatly from the opposite approach, security through
visibility, taken by popular open source software
projects: the code is open to review, so flaws tend to
be found and fixed in public rather than left hidden.
There’s another factor that’s much more important to
virus vulnerability in particular, however, that even
most open source software advocates don’t consider.
It’s really quite simple.
Microsoft doesn’t fix virus vulnerabilities.
A virus is malicious code carried from one computer to
another by some kind of medium — often an “infected”
file. Once on a computer, it’s executed when that file
is “opened” in some meaningful way by software on that
system. When it executes, it does something unwanted.
This often involves, among other things, causing
software on the host system to send more copies of
infected files to other computers over the network,
infecting more files, and so on. In other words, a
virus typically maximizes its likelihood of being
passed on, making itself contagious.
All of this relies on security vulnerabilities that
exist in software running on the host system. For
example, some of the most common viruses of the last
decade or so have taken advantage of security
vulnerabilities in Microsoft Office macro
capabilities. An infected file opened in a plain text
editor such as Notepad would not execute its payload,
but the same file opened in Office, with macro
execution enabled, would typically infect other
documents (classically the Normal template, so every
new document carried the virus) and perhaps mail
copies of itself to other computers via Outlook.
Something as simple as opening a macro-virus-infected
file in Wordpad instead of Microsoft Word, or
converting .doc files to .rtf so that the embedded
macros were stripped, was a common protective measure
in many offices for a while.
Macro viruses are just the tip of the iceberg,
however, and are no longer among the most common virus
types. Many viruses instead target Trident, the HTML
rendering engine behind Internet Explorer, which is
also embedded in Windows Explorer, Outlook’s HTML mail
view, the Windows Help system and a long list of other
Microsoft components, so a flaw in it is reachable
from far more than the browser. Windows malware has
also exploited image-rendering libraries (the GDI+
JPEG and WMF flaws are the well-known cases), SQL
Server’s network-facing database engine (the SQL
Slammer worm), and other components that ship as part
of a complete Windows operating system environment.
Viruses in the Windows world are typically addressed
by antivirus software vendors. These vendors produce
virus definitions used by their antivirus software to
recognize viruses on the system. Once a specific virus
is identified, the software attempts to quarantine or
remove the virus — or at least inform the user of the
infection so that some kind of response may be made to
protect the system from the virus.
This method of protection relies on knowledge of the
existence of a virus, however, which means that most
of the time a virus against which you are protected
has, by definition, already infected someone else’s
computer and done its damage. The question you should
be asking yourself at this point is how long it will
be until you are the lucky soul who gets to be the
discoverer of a new virus by way of getting infected
by it.
It’s worse than that, though. Each virus exploits a
vulnerability — but they don’t all have to exploit
different vulnerabilities. In fact, it’s common for
hundreds or even thousands of viruses to be
circulating “in the wild” that, between them, only
exploit a handful of vulnerabilities. This is because
the vulnerabilities exist in the software and are not
addressed by virus definitions produced by antivirus
software vendors.
These antivirus software vendors’ definitions match
the signature of a given virus — and if they’re really
well-designed might even match similar, but slightly
altered, variations on the virus design. Sufficiently
modified viruses that exploit the same vulnerability
are safe from recognition through the use of virus
definitions, however. You can have a photo of a known
bank robber on the cork bulletin board at the bank so
your tellers will be able to recognize him if he comes
in — but that won’t change the fact that if his modus
operandi is effective, others can use the same tactics
to steal a lot of money.
By the same principle, another virus can exploit the
same vulnerability without being recognized by a virus
definition, as long as the vulnerability itself isn’t
addressed by the vendor of the vulnerable software.
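To make the distinction concrete, here is an added example (not code from the original post) that models the three defences described above: exact virus definitions, the “well-designed” definitions that tolerate small variations, and a host application whose vendor has removed the auto-run behaviour the macro viruses discussed earlier relied on. The documents, the macro “payloads”, the definition names and the hypothetical host functions are all constructed for the illustration and stand in for nothing real.

```python
"""Toy model of virus definitions versus fixing the vulnerability.

Everything here is constructed for illustration: the 'documents', the
macro 'payloads' and the 'signatures' are made-up strings, not real
malware or real antivirus definitions.
"""
import re
from typing import Callable, Dict, List, Optional, Pattern


def make_doc(body: str, macro: Optional[bytes] = None) -> dict:
    """A constructed document: visible text plus an optional macro section
    that a vulnerable host application runs automatically when the file is
    opened. That auto-run behaviour is the modelled vulnerability."""
    return {"body": body, "macro": macro}


# Constructed stand-ins for one macro virus and two functionally identical
# variants. They are descriptive strings, not executable macro code; what
# matters is that the behaviour is the same while the bytes differ.
ORIGINAL = b"Sub AutoOpen(): CopySelf NORMAL.DOT: MailSelf Outlook: End Sub"
VARIANT_WHITESPACE = b"Sub  AutoOpen( ) : CopySelf  NORMAL.DOT : MailSelf Outlook : End  Sub"
VARIANT_REWRITTEN = b"Sub AutoOpen(): x=CopySelf: x NORMAL.DOT: y=MailSelf: y Outlook: End Sub"

# --- antivirus side: definitions -------------------------------------------
# Exact definition: the bytes of the one sample the vendor has seen.
EXACT_SIGNATURES: Dict[str, bytes] = {"Constructed.Macro.A": ORIGINAL}

# "Well-designed" definition: a pattern that survives whitespace changes
# but still encodes the original's statement order and identifiers.
FUZZY_SIGNATURES: Dict[str, Pattern[bytes]] = {
    "Constructed.Macro.A.gen": re.compile(
        rb"Sub\s+AutoOpen\(\s*\)\s*:\s*CopySelf\s+NORMAL\.DOT\s*:\s*MailSelf\s+Outlook"
    ),
}


def scan_exact(doc: dict, sigs: Dict[str, bytes]) -> List[str]:
    """Names of definitions whose bytes appear verbatim in the macro."""
    macro = doc["macro"] or b""
    return [name for name, sig in sigs.items() if sig in macro]


def scan_fuzzy(doc: dict, sigs: Dict[str, Pattern[bytes]]) -> List[str]:
    """Names of pattern definitions that match somewhere in the macro."""
    macro = doc["macro"] or b""
    return [name for name, pat in sigs.items() if pat.search(macro)]


# --- host application side -------------------------------------------------
def open_vulnerable(doc: dict) -> bool:
    """Hypothetical vulnerable host: runs any macro declaring an AutoOpen
    handler. Returns True when the payload executed."""
    macro = doc["macro"]
    return macro is not None and b"AutoOpen" in macro


def open_fixed(doc: dict) -> bool:
    """Hypothetical fixed host: macros are never executed on open, the file
    is only rendered as text (the Wordpad / .rtf behaviour). Nothing runs."""
    return False


def outcome(doc: dict, scanner: Optional[Callable], sigs,
            opener: Callable[[dict], bool]) -> str:
    """Quarantine on a definition match; otherwise open the file and report
    whether the payload ran."""
    if scanner is not None and scanner(doc, sigs):
        return "quarantined"
    return "infected" if opener(doc) else "clean"


def compare() -> Dict[str, Dict[str, str]]:
    """Run each constructed sample through three defences and tabulate."""
    samples = {
        "original": make_doc("Quarterly report", ORIGINAL),
        "whitespace variant": make_doc("Quarterly report", VARIANT_WHITESPACE),
        "rewritten variant": make_doc("Quarterly report", VARIANT_REWRITTEN),
    }
    defences = {
        "exact signatures + vulnerable app": (scan_exact, EXACT_SIGNATURES, open_vulnerable),
        "fuzzy signatures + vulnerable app": (scan_fuzzy, FUZZY_SIGNATURES, open_vulnerable),
        "no antivirus + fixed app": (None, None, open_fixed),
    }
    return {
        defence: {name: outcome(doc, scanner, sigs, opener) for name, doc in samples.items()}
        for defence, (scanner, sigs, opener) in defences.items()
    }


if __name__ == "__main__":
    for defence, results in compare().items():
        print(defence)
        for sample, result in results.items():
            print(f"  {sample:<20} {result}")
```

Running it shows the pattern the text describes: the exact definition catches only the sample it was written from, the tolerant definition also catches the whitespace variant but not the rewritten one, and the fixed host application needs no definitions at all because no macro runs regardless of how the payload is spelled. The fixed host is still only a model of removing one auto-run behaviour; a real vendor fix has to close the specific vulnerability in question.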
This is a key difference between open source operating
system projects and Microsoft Windows: Microsoft
leaves dealing with viruses to the antivirus software
vendors, but open source operating system projects
generally fix such vulnerabilities immediately when
they’re discovered.
Thus, the main reason you don’t tend to need antivirus
software on an open source system (unless you run a
mail server or other software that relays potentially
virus-laden files between other systems) isn’t that
nobody is targeting your open source OS. It’s that any
time someone does, chances are good that the
vulnerability the virus attempts to exploit has
already been closed, even if the virus itself is brand
new and nobody has ever seen it before. Any half-baked
script kiddie can produce a new virus that slips past
the antivirus vendors’ definitions, but in the open
source software world one generally has to discover a
whole new vulnerability, and exploit it before the
“good guys” find and patch it.
Viruses need not simply be a “fact of life” for anyone
using a computer. Antivirus software is basically just
a dirty hack used to fill a gap in your system’s
defenses left by the negligence of software vendors
who are unwilling to invest the resources to correct
certain classes of security vulnerabilities.
The truth about viruses is simple, but it’s not
pleasant. The truth is that you’re being taken to the
cleaners — and until enough software users realize
this, and do something about it, the software vendors
will continue to leave you in this vulnerable state
where additional money must be paid regularly to
achieve what protection you can get from a dirty hack
that simply isn’t as effective as solving the problem
at the source would be.