Cross-platform open source threat: Is open source really more secure?
- Date: May 25th, 2007
- Author: John McCormick
- Category: Hacking, Security
- Tags: Linux, Open Source, Sophos Plc., Microsoft Corp., John McCormick
Sophos has disclosed the existence of a proof-of-concept worm (StarOfficeBadbunny) that attacks through a vulnerability in OpenOffice and other programs using StarBasic macros. According to Sophos, this is a multi-platform threat affecting Windows, Mac OS, and Linux. It is written in several scripting languages, including Perl.
While this particular threat is minor, it does illustrate a growing problem. I am all in favor of open source code, but I have never bought into the idea that it was less vulnerable to attack.
Just to start out on the right foot with open source fans, I like OpenOffice, and I often recommend it to small business clients and individuals who need Microsoft Office-like applications but don’t like Microsoft prices. I also like and use Firefox and Linux, and I recommend both as well as other open source software.
Sometimes the more security-savvy of my friends and customers say to me, “Oh, you recommend OpenOffice (Linux, etc.) because you think it is safer!” In a practical, everyday sense, yes — if you run Linux, you are less likely to be hacked.
But I feel the need to explain that I have no idea whether it is inherently safer. I’m not convinced that Firefox or Linux is actually safer than Microsoft products in any absolute meaning of the term.
We seldom hear of big threats to open source platforms, but that isn’t the same thing as saying they are inherently more secure. They may merely be attacked less often. Pointing out that they are “not being targeted as much as Microsoft” doesn’t PROVE they are less vulnerable. They may be less vulnerable, but that only PROVES that they are “not being targeted as much as Microsoft.”
Open source is certainly cheaper if you don’t need much support – although even that is highly debatable if you need to support a lot of users on open source operating systems or applications, especially if you (or they) are trying to do anything even slightly out of the ordinary. (Don’t forget training costs: How many of your new workers learned Linux and OpenOffice in school? Most of the ones I see have been trained — if badly – on Microsoft.)
Open source vs. Microsoft security is an OLD argument, but two recent developments have brought a different focus to the question. First is this multi-platform malware I just described. Second is the fact that Dell just announced it would begin selling Linux-loaded computers at Wal-Mart.
An exacerbating circumstance is that home users MAY wake up to the incredible cost of converting to Vista (and the tiny advantage) and begin actively seeking an alternative. Put the Dell name and reputation behind inexpensive Linux-based PCs in a discount setting, and they are going to sell. Add the cost of Vista (including the need for much more powerful hardware), and Wal-Mart Linux Dells may sell A LOT!
Heck, I expect to buy at least one myself. And based on that, I may recommend them to clients, but that doesn’t mean there is no potential downside. Currently, I would much rather try to secure a Linux environment mainly running mainstream open source applications, but that may change if Linux becomes more popular outside the controlled business setting.
For example, if Wal-Mart starts selling a lot of Linux boxes to home users who are then open to exploitation as zombies, we can expect a lot more directed attacks. As the target grows larger, it will become more tempting to take an occasional shot at it. And that’s when we will begin to see whether open source really is inherently less vulnerable in the real world where Microsoft operates.
Although a lot of businesses and advanced users already have Linux and use non-Microsoft browsers and office applications, I still consider this to be a hothouse environment. That is, it is running (and running very well) in a restricted and relatively safe world.
If you are supporting a Linux office, I BET your network is sitting behind a well-maintained firewall! When Linux is on millions of home user machines connected to cable boxes, it will be out in the jungle where Microsoft users get slashed every day.
So should those of us who actually use and especially support Linux, Firefox, and open source applications really be pleased to see a flood of novice users? Pride aside, is it a good idea from a business standpoint? Am I being selfish to want Linux and great open source applications to remain the favorites of relatively few users and most of them (us) highly security-conscious?
It is far from certain that non-Microsoft platforms and applications will eventually become popular and vulnerable targets for malware producers. I am fairly certain that, unless a lot of them get into the hands of home users and clueless business users, there won’t be much incentive for the bad guys to begin to explore potential vulnerabilities.
Today I’d much prefer to be in charge of securing a Linux-based office than a Microsoft office – just as I prefer strolling around in a nice, safe neighborhood where lots of people aren’t prowling the alleys out to mug me. (It’s always so annoying having to explain all the muggers’ injuries to any cops who don’t know me. GRIN.)
Keeping a good thing to yourself can be considered selfish, but in business sometimes it’s just a matter of common sense. So, while some will cheer to see Dell and Wal-Mart selling Linux boxes to the masses, I won’t be among them. I already know how to load Linux on a bare box — something that, even today, few home users are able to do for themselves.
