Linux security
Stephen R Laniel
steve at laniels.org
Fri Apr 28 23:39:14 UTC 2006

On Fri, Apr 28, 2006 at 11:36:05PM +0100, Daniel Carrera wrote:
> Let's not get lost on the definition of virus. I'll happily use the word
> "malware" if you prefer. I'm looking at how Linux addresses security
> threats.

There's a reasonable question about whether Linux can be as
usable as Windows while still being secure. E.g., maybe
auto-executing attachments is what people want. It would be
a bad idea to incorporate this, but there's no reason in
principle why Linux wouldn't. Which is to say: there's a
large class of vulnerabilities that have nothing to do with
the OS, which can pop up because application developers make
stupid decisions.

There's a large class of vulnerabilities involving improper
sanitizing. For instance, I believe Firefox was vulnerable
to malicious Javascript code inserted into the CSS
'background-image' attribute. (Something like that.) The
browser should have removed Javascript from there, but it
didn't.

Now, Firefox isn't as tightly integrated with Linux as IE is
with Windows. When this sort of thing happens in Windows, it
affects large swaths of the environment; for instance, I'm
pretty sure IE controls are used to display the file-info
pane in Explorer. So when someone discovers a bug in IE, it
has a much wider effect under Windows than it does under
Linux.

Which isn't a defense of Linux. It probably would be a good
idea for more applications to use embedded Gecko controls;
if they do, and someone discovers a bug in Firefox, that bug
will damage much more stuff.

Point being: the main thing that's probably keeping Linux
more secure is a tradition of 'small components, loosely
joined.' It's a tradition that we're secure, not a technical
guarantee.

You seem to be looking for a guarantee. You're not going to
get one.

--
Stephen R. Laniel
steve at laniels.org
Cell: +(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key