---

Freshmeat: Blame the UI: Why Linux is Not Immune to ILOVEYOU-style Worms


“These days, it seems as if everyone likes a good “Microsoft is
Evil” story. I’m not going to agree or disagree with that statement
in general, but this recent (and continuing) wave of email worms
has given the media and the users plenty of room to criticize.
Largely, these complaints have revolved around a general lack of
security in Microsoft’s products — a historical truth. Adding to
this anti-Microsoft inferno does not improve Linux as a whole and I
believe that our time is better spent working towards ensuring that
these kinds of attacks can never happen on Linux.”

“The Linux kernel has an excellent reputation for
security-conscious computing. Security bugs, when found, are
squashed exceedingly quickly. Linux’s low-level security is based
on the classic UNIX model of users and groups. In brief, this
ensures that one user can never harm another user’s files or any
system files without explicit permission. Additionally, Linux
ensures that no user is capable of denying service to any other
user through crashing the machine, resource depletion, or a number
of other more subtle approaches. There is currently work being
performed to add a “capabilities” system to the kernel to make it
even more fine-tunable. This model is good and very powerful,
but it does not and cannot protect the user’s own files from
himself or application stupidity.”

“The security bugs currently being seen in Microsoft Outlook
are of the latter variety: application stupidity. One does not
necessarily need to be running under a Windows environment to write
or use stupid applications.
… Of particular concern are
either programs that are regularly granted administrative rights
(such as an X Server) or programs that deal with untrusted data
(such as your Web browser or email client). As Linux does not have
any internal conception of “trusted” vs. “untrusted” data,
application programmers must be fairly smart about it. Microsoft’s
Web browser manages to deal with this dilemma at a high level, but
obviously wasn’t ingrained enough to uniformly combat the problem.
On the Linux side, it will be up to the GNOME and KDE development
teams to make sure they deal with this issue, as they will be
Linux’s flag-bearers into the future.”

Complete
Story

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis