The illusion of invulnerability

On Saturday “Linuxtag 2006” closed in Wiesbaden (Germany). According to the organisers, it’s Europe’s biggest Linux Expo.

At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.

Nearly every visitor accepts the need to protect Windows against malicious code (although even at a Linux fair you find people believing that a firewall is all you need to keep viruses and worms away). But many people we spoke to were unable to think of Linux as potentially vulnerable; after all, they argued, a Linux user would never go online with root rights as typical Windows XP home users do.

But such thinking overlooks some important facts:

– You don’t need to have root privileges to delete a user’s home directory of a user or access his personal data – you only need to run malicious code with user privileges. (And not every user makes daily backups which could mitigate the potential damage.)
– The number of new malicious programs for an operating system isn’t related to the number of known security flaws, but to the number of installations. In Germany, the number of Linux distributions installed is growing rapidly, and overall, the number of malicious programs for Linux more than doubled between 2004 and 2005).
– To access a system, a virus writer doesn’t need 300 vulnerabilities – one is enough.
– Vulnerabilities exist prior to their being identified by the developers who report them. Virus writers actively search for vulnerabilities, but keep their discoveries to themselves.
– Only a perfect system can offer perfect security. In his “Areas for Improvement in the 2.6 Kernel Development Process” Andrew Morton (lead maintainer of the Linux production kernel) pointed out that the number of new bugs in the current 2.6 kernel are causing concern, and might lead to the development process being halted until existing problems are fixed.

Just to avoid any misunderstanding: of course Linux is currently more secure than the average Windows installation. This is due to things like user/root separation, a smaller number of installations, and rapid reaction to reported vulnerabilities. And currently, given the relatively small number of malicious programs for Linux, installing a virus scanner is more a gesture of friendship towards the Windows users you share files with. But taking all of this, and coming to the conclusion that your own system is practically invulnerable will make it easy for malware to spread on Linux systems in the future.

Let’s take a look at what history teaches: In 2000, the VBS.Loveletter worm took just a few hours to spread across unsecured Windows computers around the world. So far, nothing on this scale has hit the Linux world. But the question is: when the day comes, will users and companies have enough time to choose and install a reliable virus scanner before their systems are hit?