Matt
David said: The fact of your simple fact is it isn't true. There are less than 100
viruses for Linux (even fewer that are 'popular') but they do exist and
are growing in number.
The 'no virus' argument has always been a 'damned if you do' kind of
thing with Linux because part of what's 'protected' it is the rather
small market share. I.E. if one wants to inflict damage on a multitude
of systems then you pick a platform that's popular enough to propagate
it. And as Linux becomes more popular it'll attract more attackers and
lose that 'feature' Linux aficionados are touting as a reason to make it
more popular. The curse of success.
http://www.theregister.co.uk/security/security_report_windows_vs_linux/
http://www.theregister.co.uk/security/security_report_windows_vs_linux/#myth1
Myth: There's Safety In Small Numbers
Perhaps the most oft-repeated myth regarding Windows vs. Linux security
is the claim that Windows has more incidents of viruses, worms, Trojans
and other problems because malicious hackers tend to confine their
activities to breaking into the software with the largest installed
base. This reasoning is applied to defend Windows and Windows
applications. Windows dominates the desktop; therefore Windows and
Windows applications are the focus of the most attacks, which is why you
don't see viruses, worms and Trojans for Linux. While this may be true,
at least in part, the intentional implication is not necessarily true:
That Linux and Linux applications are no more secure than Windows and
Windows applications, but Linux is simply too trifling a target to
bother attacking.
This reasoning backfires when one considers that Apache is by far the
most popular web server software on the Internet. According to the
September 2004 Netcraft web site survey, [1] 68% of web sites run the
Apache web server. Only 21% of web sites run Microsoft IIS. If security
problems boil down to the simple fact that malicious hackers target the
largest installed base, it follows that we should see more worms,
viruses, and other malware targeting Apache and the underlying operating
systems for Apache than for Windows and IIS. Furthermore, we should see
more successful attacks against Apache than against IIS, since the
implication of the myth is that the problem is one of numbers, not
vulnerabilities.
Yet this is precisely the opposite of what we find, historically. IIS
has long been the primary target for worms and other attacks, and these
attacks have been largely successful. The Code Red worm that exploited a
buffer overrun in an IIS service to gain control of the web servers
infected some 300,000 servers, and the number of infections only stopped
because the worm was deliberately written to stop spreading. Code Red.A
had an even faster rate of infection, although it too self-terminated
after three weeks. Another worm, IISWorm, had a limited impact only
because the worm was badly written, not because IIS successfully
protected itself.
Yes, worms for Apache have been known to exist, such as the Slapper
worm. (Slapper actually exploited a known vulnerability in OpenSSL, not
Apache). But Apache worms rarely make headlines because they have such a
limited range of effect, and are easily eradicated. Target sites were
already plugging the known OpenSSL hole. It was also trivially easy to
clean and restore an infected site with a few commands, and without as much
as a reboot, thanks to the modular nature of Linux and UNIX.
Perhaps this is why, according to Netcraft, 47 of the top 50 web sites
with the longest running uptime (times between reboots) run Apache. [2]
None of the top 50 web sites runs Windows or Microsoft IIS. So if it is
true that malicious hackers attack the most numerous software platforms,
that raises the question as to why hackers are so successful at breaking
into the most popular desktop software and operating system, infecting
300,000 IIS servers, but are unable to do similar damage to the most
popular web server and its operating systems?