Linux's Greatest Strength: No One Uses It
An Ubuntu user published a piece on his blog last week about using .desktop files to deliver malware under Gnome and KDE. He exposes a serious problem that serves to remind over-zealous free-software advocates that Linux, like everything else, has flaws. But in a world where Linux market share remains negligible, do these flaws translate to a decline in the actual (rather than theoretical) security of a desktop Linux system?
The attack method outlined by the blogger is pretty straightforward–you don’t need to be a Linux guru to carry it out–and represents a design flaw, rather than a bug, in both Gnome and KDE.
A little background
Briefly, the exploit involves inserting malicious commands into a custom .desktop file, the format used in Ubuntu and Kubuntu to define desktop launchers and auto-start programs. The attacker then tricks a user into double-clicking the .desktop file, which can be disguised to appear innocent. This method can be used to execute arbitrary code, and even without root access, a malicious script can easily ruin someone’s day by deleting personal files, sniffing passwords and so on.
Of course, the attack depends on tricking the user into clicking the malicious file, and is thus not as serious as threats that deploy themselves automatically. Even so, this is a significant vulnerability that developers have known about since 2006 but have failed to address, which is a bit embarrassing to the Linux community.
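A defender's audit for the launcher problem described above, as an added example that is not code from the original blog post or from Gnome or KDE. It finds launcher files by their content rather than their extension and flags those that carry a command without the execute bit, run an inline interpreter command, or show a document-like name or icon. The finding names, the interpreter list, the icon patterns and the two sample files are assumptions constructed for illustration.

```python
import configparser
import os
import re
import shlex
import stat
import tempfile

# Heuristics below are assumptions made for this example, not a published rule set.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
DOC_NAME = re.compile(r"\.(txt|pdf|odt|docx?|jpe?g|png|gif)$", re.IGNORECASE)
DOC_ICON = re.compile(r"^(text-|image-|x-office-|application-pdf)", re.IGNORECASE)
MAX_BYTES = 64 * 1024  # launchers are small; skip anything larger


def audit_launcher(path):
    """Return sorted findings for one file; [] if it is not an application launcher."""
    cp = configparser.ConfigParser(
        interpolation=None,        # Exec uses % field codes such as %U
        strict=False,
        delimiters=("=",),
        comment_prefixes=("#",),
    )
    cp.optionxform = str           # keys in launcher files are case-sensitive
    try:
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
            return []
        # Identify launchers by content: the file name is not a reliable signal.
        with open(path, encoding="utf-8") as fh:
            cp.read_file(fh)
    except (OSError, UnicodeDecodeError, configparser.Error):
        return []
    if not cp.has_section("Desktop Entry"):
        return []
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "").strip()
    if entry.get("Type", "").strip() != "Application" or not exec_line:
        return []

    findings = set()
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.add("exec-without-x-bit")
    try:
        argv = shlex.split(exec_line)
    except ValueError:             # unbalanced quotes in the Exec value
        argv = exec_line.split()
        findings.add("malformed-exec")
    if (argv and os.path.basename(argv[0]) in INTERPRETERS
            and any(arg in ("-c", "-e") for arg in argv[1:])):
        findings.add("inline-interpreter-command")
    if (DOC_NAME.search(entry.get("Name", "").strip())
            or DOC_ICON.match(entry.get("Icon", "").strip())):
        findings.add("document-disguise")
    return sorted(findings)


def scan_tree(root):
    """Walk root and map each flagged launcher path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = audit_launcher(full)
            if findings:
                report[full] = findings
    return report


def build_samples(root):
    """Write two constructed sample files (harmless) and return their paths."""
    benign = os.path.join(root, "editor.desktop")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Text Editor\n"
                 "Icon=accessories-text-editor\nExec=gedit %U\n")
    os.chmod(benign, 0o755)
    suspect = os.path.join(root, "notes")   # constructed: no .desktop extension
    with open(suspect, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=notes.txt\n"
                 "Icon=text-x-generic\nExec=sh -c \"echo constructed-sample\"\n")
    os.chmod(suspect, 0o644)
    return benign, suspect


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for path, findings in scan_tree(tmp).items():
            print(os.path.basename(path), findings)
```

Pointing scan_tree at a download or desktop directory lists the files worth a manual look; a finding is a prompt for review, not proof of malice.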
The relevance?
This exploit dispels the myth (if it ever existed) that Linux is invulnerable to attack because of superior design. It may be better designed than Windows, but it–or, in this case, its most popular desktop environments–clearly has flaws, and developer ambivalence isn’t helping.
But I don’t think that design flaws really matter at this point in the evolution of Linux, because the chief ingredient in Linux security, at least on the desktop, has nothing to do with Unix privilege management. It might not be pleasant to admit, but the reason that no Linux malware has ever been released “into the wild” is not that Linux is impossible to attack. Like anything else, it has holes that can be effectively exploited by anyone with enough motivation and resources.
Rather, obscurity has been the key to keeping desktop Linux secure for the last two decades, and will remain so for the foreseeable future. An operating system that enjoys less than 1% market share on desktop computers doesn’t offer much motivation to attackers. That fact, as much as anything else, is why Ubuntu users can surf and read email with impunity, at least for the time being.
As long as Linux remains unpopular, Ubuntu users have little cause for concern. And let’s not delude ourselves: the Year of the Linux desktop remains beyond the horizon. We’re not going to rival Windows for market share any time soon.
After all, even Macs remain relatively free of malware attacks. The frequency of exploits targeted at them has risen steadily over the last few years; even so, with Apple’s market share currently ten times higher than desktop Linux’s, malware has yet to become a serious issue for most Mac users. This advantage results from the low popularity of Macs, not an ingenious security system.
To preempt some criticism: the argument has often been made that Linux does in fact present a sizable target to crackers because of its popularity on servers. That’s true. But the sorts of exploits aimed at Linux servers don’t translate easily to the desktop. Hacking ssh or Apache daemons isn’t going to get you into the personal computers of many Ubuntu users. You can’t lump server and desktop market share together.
Lack of standardization: an advantage?
The variability of Linux systems is also an asset. Unlike OS X and Windows, desktop Linux is very unpredictable in that the sub-systems upon which it depends are numerous and interchangeable. An attack that works in Gnome and KDE would likely fail under other desktop environments, for example, and an exploit based on flaws in yum, the package manager for Red Hat and Fedora, would be irrelevant to users of Debian-based systems, which use apt.
In many respects, lack of standardization presents a problem for Linux, but when it comes to security, it’s a strength.
Conclusion
It’s time for the free-software community to admit that obscurity and variability, at least as much as careful engineering, are behind Linux’s solid track record on the security front. This doesn’t mean that Linux isn’t better designed in some respects than other operating systems, but implications that it’s somehow immune to flaws are pretentious and fallacious. The free-software community needs to deal honestly by recognizing these facts.
EXACTLY WHAT I HAVE BEEN SAYING THIS WHOLE TIME!!!
http://lostthetech.com/2009/01/why-apple-and-linux-dont-matter/
The reason why linux is safe is cause no one “cares”. Why would you hit up linux when they own 1% of the market.
Lord… someone finally gets it.
Holden: I’m glad we agree, but just to be clear: I wouldn’t say that Linux (as your post’s title suggests) “doesn’t matter,” just that its seeming immunity to malware is due to a large extent to its low market share. This doesn’t mean that Linux doesn’t have stronger security mechanisms than Windows, or that no one should use Linux, or that it doesn’t deserve more market share. I just think we should stop pretending that better design alone is responsible for the security of Linux desktops.
I think there’s a problem in saying that “Lack of standardization [is] an advantage”. Usually, Linux and OpenSource people try to push open standards and interoperability. So that may be true that “Lack of standardization [is] an advantage” but it is not at all a good thing !
I think you are missing an important point here. Not only are huge organisations using Linux, such as the entire French Government and the entire Spanish Government, but they both standardise with Ubuntu.
Are you saying that malware and virus writers wouldn’t like the kudos of bringing down an entire Government?
I don’t agree. The “attack” requires a download to the desktop (it doesn’t work elsewhere as far I can tell) and then a double click on said download. That’s hardly a threat, as most distributions save files to the home directory and not the desktop.
Anyway, that’s only part of the point. You might be buying Get the facts campaigns that state linux use at 1%, but developing nations are far beyond that point, as well as several governments outside the US. Linux might be obscure in the US, but it’s getting a lot of attention elsewhere.
I don’t think it’s obscurity that makes it difficult to make a successful attack on GNU/Linux. Diversity plays its part, I agree, but what really makes it hard is that in the time you take to study a flaw and implement a nasty program, someone else submitted a patch that corrects the problem and you need to start again.
The account management and the strength of the built-in firewall modules add another layer of complexity.
So, it’s not that it’s impossible to write viruses for Linux, it’s just that Windows is far more convenient and easy, so most virus writers are specialized.
I think that your article is misleading and has several false assumptions.
The majority of internet servers and mid-to-large enterprises use Linux. I don’t think that targeting personal computers is more rewarding than targeting servers and workstations, but it is simply easier. This would be the reason why hackers put more effort into writing PC malware. Windows is also easier to exploit than any other OS, and this means it takes less time and effort by a cracker compared to *nix and Macs.
Your whole argument has been around for a long time and it’s been pushed by Microsoft’s advocates for years.
Finally, no security architecture will be able to protect a user against his/her own irresponsible behavior. I don’t think that your example is specific to Linux in any way. If a user willingly activates a malicious code, it will be impossible to stop because this simply means that the computer will have to choose which human actions are safe and which should be blocked; which means either a super A.I. system from a Sci-Fi movie or an annoying and blind implementation like Windows Vista UAC.
Running executables from untrusted third parties is now a flaw how?
If a user cannot be educated to not run applications from an untrusted source then all hope is lost. I don’t know how one can put the blame on the Operating System.
Just like so many of your articles lately, this one is poorly thought out. Paul points out what should have been obvious to a child. There is no system in existence that does not allow you to run an executable — or that magically identifies every bit of malware as malware and then keeps you from executing it.
So you happily slip off into MS FUD and miss the entire point — that the result of executing this malware is limited on a properly configured Linux system while configuring a Windows system in that manner has traditionally been difficult. UAW is one way Windows addresses a flaw that Linux doesn’t really have. That flaw would allow such an application to do serious damage to the entire box. Even with UAW if you “trick” the user into clicking on continue, you’re toast!
To point out just how stupid it is to think uncritically of some “Ubuntu user” post, consider what the guy calls a virus.
Your first clue should have been that Fedora said the method this guy uses is “well-known and expected behavior”. To be sure, executing scripts and executables is central to any OS.
Your next clue should have been to read the user comments.
“but what really makes it hard is that in the time you take to study a flaw and implement a nasty program, someone else submitted a patch that corrects the problem and you need to start again.”
This problem has been known since 2006 and nothing has been done about it. http://lwn.net/Articles/178409/
The “bugs are always fixed promptly” myth is just as harmful as the “systems based on Linux are inherently secure” myth.
I’m that “Ubuntu user” who wrote the original article. Some commenters here missed the point. Completely. It’s not about ‘sending a script and asking the user to execute it’. Indeed, if that were the case, it wouldn’t be much to talk about.
The real problem is that something that looks exactly like a normal text/image/whatever file is more than what it appears. Doing normal and expected things with it (like clicking on the text file to open it) result in unexpected things. People who comment here should read the article first before posting, really. It has nothing to do with ‘making the user do unusual things’, or ‘user stupidity’, or ‘running executables from untrusted parties’. Besides, in the form of an email ‘virus’, it most likely would come from people you DO trust. Please, people, think!
Secondly, it DOES work in other folders as well, not only the desktop, and it does work even without the .desktop extension. Again, read the article: There is a link to a follow-up that explains this.
Finally, if someone here is still hung-up about the technical subtleties of the term ‘virus’ vs. ‘malware’, etc.: Please, get over it! Sure, I should have been more careful with the choice of words here. On the other hand, if you are trying to dismiss the entire point of the article based on that one issue you are doing all of us a disservice. Don’t distract from a very real issue, which can have an impact on a lot of organisations that are rolling out Linux on a large scale (to non-technical users!) and hope to achieve better desktop security.
As someone already pointed out: Linux is and has for years been a very good target. Linux servers are up running with very little downtime and are for obvious reasons a better target than the continuously changing and unreliable park of desktop computers. Desktop Windows computers are plenty and have been pretty easy to compromise. Money is what counts today, not playful fame as in the past of “good” hackers. If you can get a Linux server to do the “job” you’ve got a far better working horse and a more powerful tool in accomplishing whatever goal you have.
You might debate this from a narrow-minded Gnome/KDE perspective and forget about the harsh reality outside of our cosy home environments, but it doesn’t make the arguments stronger. Linux servers have flaws as all operating systems but something must be done right since the only “successful” virus until this day can’t get administrative privileges by itself and even with such it only opens a back-door that has to be exploited by brute force.
But you’re probably right, it’s all pure lack and a result of hacker-stupidity.
…
The above said: Linux shall never allow itself to become complacent since the level of skill rise and the money at stake becomes greater. Complacency is probably worse, but these claims about “Linux is just safer because of its obscurity” (obscurity? how might ever the most transparent operating system available today become obscure?) aren’t any better from a quality point of view.
You guys just don’t get it do you.
Linux is no more secure than the next OS, the only reason you all “believe” so is because you don’t have any market share.
“If a user cannot be educated to not run applications from an untrusted source then all hope is lost. I don’t know how one can put the blame on the Operating System.”
In the user’s eyes, it is the operating system’s fault. You guys are wrapped up in your own world that everyone should know what to click and what not to click on. You’re thinking too much like the “geek” not enough like the average joe consumer.
If everyone knew what to avoid then hey! We would all be virus free, so using that argument technically means that you can’t place the blame on windows, it’s the user’s fault… right?
Think both ways, not everyone is in your world.
“You’re thinking too much like the “geek” not enough like the average joe consumer.”
Lol… I use Linux just because “average joe” doesn’t…
Linux – From Hackers for Hackers…
Now, let us play with our toy, go back to your cave
and buy that antivirus software…
@ Holden Page
Thinking both ways is good and its absolutely possible to run Windows without being infected by viruses, I know since its my work to assure that that’s the case. Yes, Linux users tend to exaggerate the dangers of using Windows, but to negate every technical advantage just because of user stupidity is stupidity by itself.
Of course your so called geeks are more aware and interested in the technical aspect of software, but we find these geeks (am I a geek?) both in Linux and Windows userland. Anyway does a bigger share of geeks make it less safe for average joe? No, these arguments are nothing else but a mute point. For stupidity there’s only one cure: disconnect the cable and never attach any kind of portable media to the computer. By the way: would the latest, and possibly worst in many years, virus catastrophe on Windows be possible to reproduce on Linux? Illustrate how to accomplish that on Linux and I might reconsider my view. Or show how the UAC issue in Windows 7, when a script by itself could elevate its privileges to administrator if not UAC is set to highest level (don’t say “Windows 7 isn’t ready!”, because this is a fundamental design issue)?
Average joe will click on more than he should, no doubt about that. This only emphasise the advantages of the unix model. Since when did it become unimportant to have a more secure base structure instead of building layers over layers around the system to possibly accomplish the same thing?
I saw a much more constructive approach some time ago when Adam Williams used his blog to learn users some simple truths about the /home folder and what precautions to take. I’ve learnt and in a healthy way “scared” some first time users of computers to understand what good computer habits are. Some of these use both Windows and Linux, even though Linux has become the first option for most, and they have successfully without security issues run those systems for years.
By mindlessly declare that Linux is just as unsafe (that’s how average joe would understand it) we would encourage them to not even consider Linux as an option, even though we know the advantages. Very clever, indeed! So yes, think both ways about the argumentation is a good practise unless you want to shoot yourself and your neighbour in the foot.
I disagree.
I believe that if the linux is popular it will be also more secure !
Because it is open source !
Every company that uses linux for mobiles,server and desktops will give a huge attention for security flaws !!!
Because with open source every one can communicate even the bad guys but they are less from good guys !
OPEN SOURCE EVERYTHING !!! WILL SAVE THE ECONOMY AND ECO SYSTEM !
Who ever said malware wasn’t possible on Linux? Here.
http://www.pastebin.ca/raw/1341601
Bingo, just deleted all files in your home folder. It’s not a security fault of Linux that you can deceive users into running malicious code; rather it’s just the coder being a dick and the user somewhat uncircumspect.
While it might be advisable to make .desktop files more prominent and limit user autorun changes for non-admins, this debacle does nothing to impinge the Linux’s reputation for security.
Unbelievable comments.
It is possible to run a file in Ubuntu which hoses the home directory. It is also possible to trick a user into entering their password to execute malware with superuser privileges.
How then, from a technical perspective, is Windows less secure to malware since UAC was introduced (Ignoring the hoo-ha about the Win7 privilege elevation)? I can think of one or two ‘advantages’, but hardly enough to tell a new Ubuntu user not to worry about security.
And to say the prominence of Linux servers in industry means home computers should be as vulnerable is rubbish. Ever tried exploiting a GNOME vulnerability in Ubuntu server edition? Different flaws and points of weakness exist in both, and an Ubuntu server requires a different method of attack (google “Debian SSL flaw”) which would be useless for the majority (not all, I know) of home users.
> It is possible to run a file in Ubuntu which hoses the home directory.
Hm, truth is you can do the same thing in Windows; I used the os module so I believe the exact script will trash your Documents and Settings (I wouldn’t test it though).
The point is that when you run malware, IT CAN DO SHIT TO YOUR MACHINE. How do detractors propose Linux defend users from running code that deals with their own files? You might as well accuse Linux for being insecure because running commands as administrator can cause damage if you’re not sure what you’re doing.
The point being: malware of the “trick” sort can and does happen on every platform. It’s all in the confines of expected behavior. However, on Linux you’re generally secure unless you fling open the gates yourself, which is more than can be said for certain other platforms.
@Holden Page
Market share doesn’t say anything about how many linux users there are.
So how does that malicious .desktop file get onto the users PC in the first place?
Vulnerabilities should be addressed when found whenever possible. But there’s a pecking order. This vulnerability requires something more serious to go wrong first. There are likely more serious bugs or flaws waiting to be fixed.
And who ever bought into the myth Linux was invulnerable anyway?
Why hide the executable as a dot file?
You can execute any file… simple “sh hackfile” you don’t need to put a dot in front of it, and it doesn’t even need to have execute permissions the “sh” will try and run any file. no different to windows really.
And it’s not a vulnerability. If you get a file to be executed by a user, it’s going to do stuff. It’s that simple.
The point is, only the single Linux user’s files can be compromised. Not the whole box. If it’s a Windows box the whole machine would be turned into a zombie.
Linux is much better than windows for real security. Because Linux’s superior security applies to the package management and applications. The time to fix serious vulnerabilities is much shorter than windows, and includes applications where windows has many third party applications unsecured.
And because “NO” Linux system files can be compromised by the user, it will seriously limit the spread of malware. Windows on the other hand would be part of the bot-net in the sky, given the same circumstances.
You need to take security seriously. Linux is better at it than windows.
Just read the article in the link. Think I’ll that out and see how it works. But honestly, you can only have so much security before it gets in the way.
What is not “gotten” here is that this user doesn’t know what he is talking about. If he did, he’d know why this isn’t a virus. If you just “get over it” and think of it as an unfortunate choice of words, then you’re missing the real clue here.
In the article he says “It has nothing to do with ‘making the user do unusual things’, or ‘user stupidity’, or ‘running executables from untrusted parties’.” Well we could quit quibbling about who sends what, we all know that friends send unsafe links and attachments all the time, and we also know that spammers do as well. In fact one of his premises in the article is that a spammer could say something like “Whoa, check out these nude shots of…! (if the attachment doesn’t want to open just save it to your desktop and open it…) ”
Yes users can be tricked into opening things they think are images and yes those things could be executable. As this guy points out “this is the second big hurdle we need to overcome – for the file to be executable under Linux (or any other *nix OS), the execute flag would have to be set in the permissions of the file.” He then goes on to point out that most email clients do not set this bit and that you could create a launcher that would allow attachments to be executed.
As you can plainly see, users can do things that are unsafe because they don’t often see the potential for misuse. I can’t stress enough here, the only flaw here is the user’s lack of understanding what they are getting themselves into. Certainly pointing out that this is an opportunity to make it clear to users that they could get themselves into trouble would be laudable — but you’re not likely to get there calling it a flaw and a virus. Nor will you by restating FUD.
What has been done in the article–the steps you’d have to take to make this work–is not the normal configuration of Ubuntu or any other distro I’ve used–and there are plenty of reasons for that. Calling it a flaw is like saying that being able to run as root is a flaw. That is both an unfortunate choice of words and misleading–wrong in fact. Had he started out calling for better warnings to users of things like this, I would be applauding him.
So in the end is Linux perfectly safe–you’re not that stupid are you? Of course not, nothing is. Is it safer than other OS’s? Well it has been so far but happily the gap is closing. Windows and OSX code is not viewable by users and so flaws are not all that easily discoverable–that could be a dual-edged sword. Is Linux’s safety a result of its lack of use? Certainly to some extent that is true, but it is even more a result of architecture and a community that is open by nature.
> The point is, only the single Linux user’s files can be compromised. Not the whole box. If it’s a Windows box the whole machine would be turned into a zombie.
I’m pretty sure that since UAC was introduced, this example is somewhat moot (XP users are superusers by default, but it’s 2009, people.) Tell me if I’m missing something.
I wanted to make this a separate comment so as to not get the two issues of Foobar3001’s flawed argument and what makes a system exploitable mixed together.
IMHO, and in the opinion of many others likely to read this I’m sure, Windows is a competent OS as is OSX. Both garner large user-bases because of ease of use–and this is one reason Linux hasn’t been able to make a much of a dent in the market.
Ease of use is also the reason most systems fall prey to malware. If it weren’t easy for example for a user to email an application to another user who could then easily execute it then we wouldn’t have many of the problems we have today. Why do most users of Windows run as Administrator? To make it easier to install that new application they just found on the interweb.
Linux’s “charm” or the geek quotient needed to enjoy using it is one reason it has escaped the level of exploitation that the other systems contend with so much. So the assertion that Linux’s greatest strength is that no one uses it is wrong. Perhaps you could say its greatest strength is that it’s harder to use, but you’d still be ignoring a whole host of other strengths vying for “greatest” honors.
Consider as an example the humble package manager–there is some inherent strength in having all your software in a repository in the manner that Ubuntu does–it is more secure, but would that exist if installing software were easier? I don’t think so–chiefly because package managers more-or-less grew out of difficulties in installing software and using the OS.
There is a reason some things are hard. Now get your mind outta the gutter.
I am no security specialist, although I have had to clean up messes on other people’s Windows computers. The principle of least privilege has worked well on Linux. This doesn’t lend immunity to Linux. The reason is that the Human is the weakest link in computer security. Social engineering attacks are the easiest way to break a system. The kind of people that run Linux are immune to these attacks, right? Truth be told a large percentage of the population in general is susceptible to social engineering, which is what makes the desktop launcher attacks that much more dangerous. For example if I want to end your career I could send you a real shocker that runs the shred command against your home directory and any path you have rights to. I could use your computer to spam the rest of your organization so that everyone else can run the same command. There are way too many exploits against unix/Linux based systems out there to fail to plan for security. With Linux I have been root-kitted, I have seen Java and JavaScript spam engines that take advantage of running mail servers installed by default in Linux, and many more. No one on the Internet is your friend. You don’t even have to go to pron and warez sites to get burned any more.
We are all vulnerable to social engineering, and it only depends on the sophistication or the simplicity of the approach. The thing about the average Linux set-up, as compared with the equivalent Windows (1) is that it is harder for the naive user to exercise superuser powers; (2) harder to download malware, for all updates are only easily sourced through repositories; and (3) hard to load rogue programs for new software is easiest to obtain from those same repositories.
After reading this a dozen times to find the disconnect I think I understand that this is a flaw–that is IF I understand it correctly.
If he is saying that you can email launchers to people, then I understand and apologize.
I’m going to return to this one last time as I’ve thought the disconnect through several times and I want to address one point I alluded to earlier–that is how things are said can go a long way to garner support for your ideas.
I am not the greatest reader for comprehension, but I’m far from the worst also. The same remarks could be made for and against my writing. But there are two concepts that have been drilled into me over the years–BLUF and KISS.
BLUF–Bottom Line Up Front–and KISS which I’ve modified to “Keep It Super Simple” in order to be more positive are not new concepts. Both of these concepts are filters I try to use to trim down my natural temptation toward wordiness. On re-reading most of what I write I try to look for the following pattern: Tell ’em what I’m gonna tell ’em, tell ’em, tell ’em what I told ’em. That is to say summarize my point, add detail to make the case or prove my point, and restate in summary fashion.
To be sure, I don’t always catch myself, but when I do, I end up with a better product.
As an example, consider how Foobar3001’s post would have worked if the first paragraph were similar to this:
I have discovered a flaw in how launchers work that could allow a virus to be launched automatically on downloading one disguised as a harmless attachment from an email, or file from a website.
Followed by a second paragraph that started similar to this:
Launchers do not need the execute bit set in order to launch their payload…..
I’m not trying to tell anyone how to write here, or make excuses for missing Foobar3001’s point in his post, but I am trying to point out that how you write could have something to do with how you are understood.