eWEEK.com Linux & Open-Source Center Editor Steven Vaughan-Nichols has gotten awful tired of the shopworn argument that if Linux were as popular as Windows it would be in just as much security hot water as Windows. Wrong!
In MyDooms aftermath, once more Im confronted with the old lie that if Linux were only as popular as Windows, it too would have Windows-sized security problems. What nonsense!
Yes, Linux has security problems too. Yes, by sheer count of security problems patched, Linux (not Windows) has more holes. But thats not important.
Whats really important is how serious those problems are. With Linux, the problems tend to be small and fixed quickly. With Windows, the problems tend to be larger and not fixed quickly enough. Take, for example, the Internet Explorer phishing bug
, which everyone knew about by early December but wasnt fixed
until Feb. 2.
Or, more to the point, take MyDoom itself. According to mi2g Intelligence Unit Ltd.
, a digital risk firm, MyDoom has done at least $22.6 billion of economic damage in terms of loss of business, bandwidth clogging, productivity erosion, management-time reallocation and cost of recovery.
I believe mi2gs numbers. Companies hate to talk about security problems, but off the record I know of at least five Fortune 500 companies that had to shut down their e-mail systems and desktops for hours to clean out the worm, which had clogged their e-mail systems worse than any spam blitz.
I wouldnt be surprised if most of the Fortune 500 were significantly damaged. Despite the lessons of SoBig and Blaster, security continues to be an afterthought in most companies and far too many companies rely on Windows for their desktop operating system and Outlook for their e-mail reader.
Desktop Windows built-in problems come from its history as a stand-alone PC operating system. Unfortunately, today its a networked world. Windows applications have interprocess communications (DLLs, OCXs, ActiveX) that can be activated by user-level scripts (Word macros, for example) or programs (Outlooks view window), which can then run programs or make fundamental changes to the operating system. Microsoft included this because it makes IPC very easy for Windows programs, and it does do exactly that. This is fine in a stand-alone PC where you may want to have your Word documents financial chart to change depending upon the information set in an Excel spreadsheet, but its a fatal security flaw in a networked computer.
Now, the security of Outlookwhich is by far the most vulnerable of Windows applicationshas improved significantly since the day in 2000 when ILOVEYOU was the worm of the hour and I said Outlook was a "security hole that happens to be an e-mail client." Todays versions of Outlook come with proper security settings so that a user cant start a worm simply by reading or using the view pane to look at a file. But that still leaves other problems.
Next page: Getting to the "root" of the problem.