From: Rohit Khare (rohit@uci.edu)
Date: Fri May 05 2000 - 21:38:01 PDT
>X-URI: http://www.cs.utk.edu/~moore/
>From: Keith Moore <moore@cs.utk.edu>
>To: Randall Stewart <rstewar1@email.mot.com>
>cc: "Michael H. Warfield" <mhw@wittsend.com>, Valdis.Kletnieks@vt.edu,
> Scot Mc Pherson <smcpherson@clearaccess.net>, ietf@ietf.org
>Subject: viruses on UNIX vs. Windows
>X-Subject-Was: Re: VIRUS WARNING
>Date: Fri, 05 May 2000 17:59:33 -0400
it might be useful to further examine the differences between UNIX-like
systems (including Linux) and Windows systems regarding their
susceptibility to viruses.

1. it should first be noted that UNIX-like systems are not immune to
worms or viruses. the Morris worm propagated itself via buffer
overflow bugs in sendmail and finger, and similar vulnerabilities are
probably still available to a would-be attacker. over the years many
more security holes like these have been found in UNIX systems and
exploited. we'll keep seeing such holes as long as people write
servers in C. but for some reason such attacks tend not to be viruses,
we just haven't seen many worms/viruses use these techniques since the
Morris worm.

2. the Morris worm worked with both vax and sun3 platforms presumably
because these were the most popular platforms then in use on the
Internet. today most viruses target Windows boxes presumably because
they are so popular.

3. the attacks that have been successful against UNIX tend to be specific
to a particular platform - its CPU instruction set, memory layout,
system traps, and library routines. Windows boxes are also vulnerable
to hardware-specific attacks, but they also support things like vbscript.
so there are multiple languages by which one can attack a windows box,
and many of those are commonly bundled with Windows. so in addition
to windows being more popular, in some ways it has a more
predictable target environment (i.e. a given windows box is likely to
have more facilities you can exploit than a UNIX box). this makes Windows
a more predictable platform for software developers, but virus writers
are software developers too.

4. email-borne viruses have somewhat greater ability to penetrate
private networks because email tends to not be filtered by firewalls
(and even firewalls that scan for viruses generally are limited to
scanning for known viruses)

UNIX-based email clients are less vulnerable than their Windows
counterparts because

a) UNIX-like systems do not come with an extensive registry of content-type
-to- program mappings. nor, in general, do mail readers for these
platforms. so if a mail reader receives an object with an unusual
content-type it is unlikely to know what to do with it (other than
to offer to save it to a file)

b) UNIX based mail readers tend to rely on the MIME content-type
label and are less likely than Windows readers to "guess" how to
handle a file based on the file name suffix. MIME content-type
registrations are required to contain a security considerations
section. it may be that as a result, the content-type registry
on a UNIX system is less likely to contain definitions for
dangerous objects, than on a windows system...and therefore
UNIX mail readers are less likely to try to interpret such things.

c) UNIX systems have fewer interpreters for content-types that
can cause harmful side-effects, and such as do exist (such
as PostScript) are more likely to be invoked in a "safe" mode.
script attacks are certainly possible on UNIX - most UNIX systems
support script languages with destructive power similar to vbscript.
but it is very unlikely that a UNIX mail reader would be configured
to, say, automatically execute a perl script received in mail.

d) UNIX has not traditionally had a point-and-click interface,
so the notion that there is some action implicitly associated
with a file type, so common in the Windows and Mac worlds,
does not hold for UNIX. Indeed, UNIX has much the opposite
notion - that arbitrary tools can be applied to arbitrary files.

5. unlike many Windows-ish boxes, UNIX is a multi user operating
system with file protections. thus there is a layer of isolation
between user processes and the operating system, which limits the
degree of damage that is likely to happen. to be sure, a lot of
harm can be done by trashing or altering a single user's files,
and there are often security holes which can be exploited
to elevate an ordinary user's privileges. but this is still an
additional barrier that must be overcome. Windows is an easier
target.

6. there is a great deal more history with security exploits,
and thus with countermeasures, on UNIX-like systems.
there seems to be greater awareness of the potential for harm
among the UNIX community than among Windows developers.
this may be because UNIX is primarily used by computer experts.

conclusion:

to some degree Windows is inherently more vulnerable because it
is a more popular platform. however it should be possible to make
Windows much less vulnerable than it currently is merely by a few
countermeasures.

- don't automatically evaluate content unless it is KNOWN to be safe
from harmful side-effects. either that or evaluate the content
only within a sandbox which prevents such harm. (this means
that you limit the content that you're willing to automatically
evaluate to a few well-understood types)

- don't offer to execute content that can cause harm unless
(a) the recipient okays it, (b) the sender's identity is
known and the integrity of the file can be assured
(via verifiable digital signatures), and (c) the recipient
is warned *each time* that the content can cause harm.

Keith
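
[Added example, not part of the original message: a sketch of the first countermeasure combined with points 4a and 4b, in which a mail reader picks a handler only from the declared MIME content-type, renders only a short allowlist, and offers everything else for saving. The allowlist, the suffix list, the function names and the sample message are assumptions constructed for illustration.]

```python
from email import message_from_string

# Assumed policy for this example: the only types rendered automatically.
AUTO_RENDER = {"text/plain", "image/png", "image/jpeg", "image/gif"}
# Assumed, incomplete list of suffixes a desktop shell maps to an interpreter.
ACTIVE_SUFFIXES = (".vbs", ".js", ".exe", ".bat", ".scr", ".pl", ".sh")

def classify(part):
    """Return (action, reason) for one leaf MIME part."""
    ctype = part.get_content_type()            # declared label, lower-cased
    name = (part.get_filename() or "").lower()
    if name.endswith(ACTIVE_SUFFIXES):
        # The suffix is never used to choose a handler, only to refuse one.
        return ("save-only", f"active suffix on {name!r}, declared {ctype}")
    if ctype in AUTO_RENDER:
        return ("render", f"{ctype} is on the allowlist")
    return ("save-only", f"{ctype} is not on the allowlist")

def triage(raw):
    """Classify every non-multipart part of a raw RFC 822 message."""
    msg = message_from_string(raw)
    return [classify(p) for p in msg.walk() if not p.is_multipart()]

# Constructed sample message (addresses, names and bodies are made up).
SAMPLE = """\
From: sender@example.org
To: rcpt@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/plain; name="NOTE.TXT.vbs"
Content-Disposition: attachment; filename="NOTE.TXT.vbs"

' constructed placeholder, no script content
--b1
Content-Type: application/postscript
Content-Disposition: attachment; filename="paper.ps"

%!PS
--b1--
"""

if __name__ == "__main__":
    for action, reason in triage(SAMPLE):
        print(action, "-", reason)
```

The second part is declared text/plain but carries a script suffix, so it is held back even though its label is on the allowlist; the PostScript part is held back because its type is not one the reader renders automatically.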
This archive was generated by hypermail 2b29 : Fri May 05 2000 - 21:39:35 PDT