[huskerlug] virus, outlook security, and linux applications
- From: Lisa Winterstien <huskerlug@xxxxxxxxxxxx>
- To: Husker LUG Maillist <huskerlug@xxxxxxxxxxxxx>
- Date: 23 Aug 2003 06:00:11 -0500

>More of it has to do with the apps that run on Linux. If someone were
>to write an "Outlook equivalent" mail program for Linux (bugs and all),
>it would allow viruses to spread almost as easy as they do on windoze.

MSIE is integrated into the operating system. Outlook, which uses the
MSIE rendering engine by default, has a hook in MSIE, which has a hook
in the OS and kernel. As a non-privileged user on an NT machine
(2K,XP,2003), malicious VBScript code in an email attachment can be
executed simply on receiving the email that will infect the entire
machine. The sense of separating 'applications' from 'operating system'
is no longer possible due to the level of integration on Microsoft
Windows. No 'one' could ever write an email client for Linux with all
of the security vulnerabilities of Outlook on MS. However, if one huge
corporation were to hijack Linux, disregard GPL, and take complete
proprietary control over all development, hide the source code, and
starting at the kernel level rewrite code up to the application level,
then it would be possible to make an Outlook/Linux nightmare. By its
very nature, Linux has been developed from the ground up, utilizing a
much better security model than an old VAX VMS rip-off (since you are
referring only to NT) designed around a single user platform and patched
to work in a multi user environment.

>Linux (and other unix based OSes) just haven't been targeted in
>a major way by virus writers yet.

Probably the most common argument of the Microsoft advocate; however,
this simply is not true. Granted, Linux has security vulnerabilities
and can be exploited. But the fact remains that the very foundation on
which Linux was built is much more security minded as compared to any
operating system sold under the name Microsoft.

Microsoft suffers from serious design flaws, so many that no amount of
patching or updating can ever remedy them. There is no good separation
between user-level and kernel-level code in NT. Applications installed
by a non-privileged user can add DLLs capable of running at
kernel-level. Windows system, application, and user data can't be
maintained separately from the operating system and from each other.
Microsoft purposely designed Windows to prevent this from being
possible. Installed applications are integrated into Windows, often
actually overwriting part of Windows, breaking other applications. This
is an inherent design flaw in the DLL system, where the operating system
relies heavily on a file name only method of tracking the system DLLs.

Microsoft products are riddled with buffer overrun vulnerabilities.
Sure, this is true with other operating systems. However, the
difference is that practically everything inside Microsoft Windows is a
secret; even the Windows API is only partially documented. The Windows
Scripting Host installs in Windows 9x even if you deselected it during
installation. If you manually delete it, the installation of another
Microsoft software product adds it back into the operating system. In
2000 and XP you are not given the option to prevent installation of the
Windows Scripting Host. In most cases if you manually delete it, the
operating system puts it back. Yet 90% of end users don't need it and
it will probably only be used on their machines by malicious code
automatically executed by operating system integrated applications such
as Outlook and IE.

The secret behind overall security success with Linux, or any Open
Source operating system is the fact that it is open source. Rather than
one huge company using vintage CP/M and continuing to build on top,
hiding the code, leaving in all the mistakes of the past and continuing
to build on top, etc., Linux source code is open and visible, always
available for review. Some say for hacker (using the term in the
mainstream media sense) review, but that is also an invalid argument.
No one entity controls the overall direction and Linux was not
commercially driven for profit only. You have to examine motivation,
not advertising slogans.

Keeping application security and operating system security separated
isn't possible in a discussion regarding Microsoft. They fused the two
in a way that will ensure endless security vulnerabilities long into the
foreseeable future. Since no application can be more secure than the
underlying operating system without actually heavily modifying the
operating system, no application running on MS will ever be as
inherently secure as the majority of *nix applications. There will
always be arguments for both sides; as the issue is complex, so are the
facts supporting either case. Yet, if you were connected to life
support would you prefer the system ran a Microsoft operating system or
a *nix?