I’ve just been sent some quotes from Mickey Boodaei, CEO of Trusteer, which caught my eye. It’s a response to the story that Google is directing employees not to use Windows because of security concerns.
Boodaei says that while switching from Windows may reduce the prevalence of common malware, it will not protect against “targeted attacks” – in other words, attempts to penetrate a specific network to steal data:
Enterprises that are considering shifting to an operating system like Mac or Linux should realize that although there are less malware programs available against these platforms, the shift will not solve the targeted attacks problem and may even make it worse. Mac and Linux are not more secure than Windows. They’re less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections.
In a targeted attack where criminals decide to target a specific enterprise because they’re interested in its data assets, they can very easily learn the type of platform used (for example Mac or Linux) and then build malware that attacks this platform and release it against the targeted enterprise.
The security community is years behind when it comes to security products for Mac and Linux. Therefore there is much less chance that any security product will be able to effectively detect and block this attack. By taking that action the enterprise increases its exposure to targeted attacks, not reducing it.
This sounds plausible, though there are a couple of counter-arguments. Windows has some flaws that are not present on Mac or Linux. It is still common for users to run with full local admin rights, even though User Account Control in Vista and Windows 7 mitigates this by requiring the user to approve certain actions. On Windows, it’s also more likely that you will have to give elevated rights to some application that wants to write to a system location; there’s a specific “Run as administrator” option in the compatibility options.
Further, I’m always sceptical of statements from the Windows security industry. Are they simply trying to protect their business?
Still, I’m inclined to agree that switching OS is not a silver bullet that will fix security. Take a look at this recent report of malware-infected web sites offering tips for a current hit game, Red Dead Redemption.
The attack is essentially psychological. It plays on the common knowledge that Windows is vulnerable to malware, informing the user that malware has been detected and they must clean it up by running a utility. The utility, of course, is in fact the malware. The chances are good that the user will consent to giving it elevated permissions, once they have been taken in. In principle this kind of attack could work on other operating systems, except that the user might be more sceptical about the presence of malware because it is less common – a rather frail defence.
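The post's points about local admin rights and UAC approval prompts can be checked on a given Windows machine. The PowerShell below is an added example, not part of the original post; the registry value names are the standard UAC policy values, while the choice of what to report as a finding is an assumption of the example.

```powershell
# Added example (not from the original post): read-only audit of the
# local-admin and UAC consent settings the post discusses. Run it in a
# normal, non-elevated PowerShell session on Vista/Windows 7 or later.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when this process already holds an elevated admin token.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Under UAC an unelevated admin carries BUILTIN\Administrators (S-1-5-32-544)
# as a deny-only group, so membership is checked separately from elevation.
$inAdminGroup = [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544')

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key
$mode = $uac.ConsentPromptBehaviorAdmin

# Documented meanings of ConsentPromptBehaviorAdmin.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$modeText = if ($null -ne $mode) { $adminPrompt[[int]$mode] } else { 'value not set' }

# What counts as a finding is this example's assumption, not a vendor baseline.
$findings = @()
if ($uac.EnableLUA -ne 1)             { $findings += 'UAC is switched off (EnableLUA is not 1)' }
if ($inAdminGroup)                    { $findings += 'Account is a local administrator, not a standard user' }
if ($elevated)                        { $findings += 'This session is already running elevated' }
if ($mode -ne 2)                      { $findings += 'Admin consent prompt is below "Always notify"' }
if ($uac.PromptOnSecureDesktop -ne 1) { $findings += 'Elevation prompts are not shown on the secure desktop' }

# Emit one object so the result can be collected across machines.
New-Object PSObject -Property @{
    User         = $identity.Name
    Elevated     = $elevated
    InAdminGroup = $inAdminGroup
    AdminPrompt  = $modeText
    Findings     = $findings
}
```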
How about Ars Technica as a source, instead of Trusteer, then: Mac OS X and Linux are no magic security bullet for Google?
Just take a look at the PWN2OWN contest results, and you see that Google switching away from Windows is pretty much a forlorn hope. The next Aurora style attack on Google will exploit Safari, or the Linux kernel.
And you are misunderstanding UAC. Straight from the horse’s mouth:
Source: Understanding and Configuring User Account Control in Windows Vista
“Run as Administrator” in the compatibility settings is not a way to grant applications write access to system locations, but to get applications to function if all else fails. It is, more or less, a more convenient way to use Win 2000’s or XP’s “Run As…” command for quick elevation (and to remove the necessity to right click an executable and say Run As Administrator explicitly every time the executable is launched).
Thanks for the comment Phillip
Don’t think so, though I agree it’s a complex subject. File and registry virtualization is part of UAC, but not the whole of it. I’m talking about the consent dialogs. And Run as Administrator does grant applications write access to system locations – that’s one of the reasons it works – even though it is intended (as you say) for last-resort compatibility.
Tim
Any org that was seriously concerned about security, and ran Windows clients, would have them on Vista as a minimum (to get UAC), have UAC dialed up to the max setting, and run users as standard users. Running as standard would force over the shoulder elevation rather than the admin approval dialog.
It’s just not fair to compare well run Mac/Linux sites with poorly run Windows sites. You say, “It is still common for users to run with full local admin rights”. Well, surely it would be easier to run as standard user than to migrate to a different OS!
tim, my mistake.
I thought I made it clear that Run As Admin wasn’t a way to grant read/write access to protected directories, but that this access is a fringe effect (I won’t call it ‘benefit’ since it isn’t necessarily a benefit) of running something with full Administrator privileges (since not even the Administrator group is allowed access to certain system directories under Vista/Win7 by default, IIRC, like the directory where System Restore points are stored).
I agree – but it does cause additional friction.
Tim
Of course it creates additional friction: Security and usability are always trade offs that have to be made.
For example, that HR can access payroll, but not the in-house developers for the payroll application creates friction, but this partitioning is necessary to maintain privacy and security of data.
In my own experience, using Windows with a normal user account creates friction whenever I want to check on system settings that are in any way global, and I have to resort to “Run As Administrator”, or pass an elevation prompt. But the pay off is worth it, since the attack surface of my machine is reduced (my user account can be compromised, but not the whole machine).
In the end, any OS will be vulnerable, but it can be secured, too.
I am not entirely sure what you are getting at Tim. I agree with both the statement of Mickey and the other commenters. To change OS as a strategy to avoid targeted attacks or get more secure is a hope at best. Google is a clever enough IT company (at least I think so) to know this, I can’t believe they are changing OSes for this reason, it is more a marketing statement playing on people’s notion (although poor notion) of security, if it wasn’t, I guess Google isn’t as apt an IT company as one would think.
Also I don’t see why Google remains on XP, I guess they can’t see through the negative hype of Vista either to find the benefits in security and OS setup/lockdown, I find that not so plausible either, most likely another marketing statement.
Actually both Mac/webkit and iphone are fairly known to be quite open for targeted attacks, so changing to MacOs does, if so, not seem like such a clever idea at all, either way I won’t get into an argument into which OS is more secure, it has more to do with the user and the setup than the OS.
Also I don’t understand your comment about friction, or you implying there is less friction going from XP to Mac/Linux for a user than upgrading to Windows 7 or just run XP as a normal user?
Also Sudo exists in both environments, most popular desktop shells have ways to “run as administrators” by right clicking, sudo prompts open up asking for passwords, it is all very similar.
I have barely any need for an admin account on my machine once everything is setup, there is no friction at all for normal day use, especially when the desktop you are running is IT managed, this goes for Linux, mac and windows.
If you are not locked down all OSes have the exact same potential for disaster and it is all up to the user. You more or less need admin/sudo approval in the same scenarios on all platforms.
Adding to that, the Windows ACL/DACL system allows you to lock down your system in ways you cannot achieve on Linux/Mac, where even an elevated user account part of the administrators group can’t touch certain areas.
sudo:ing as root gives you complete access on the other hand.
And in the end, Linux and Mac have flaws not present on Windows, and as they have been subjected to less attacks it would actually be more logical to conclude that the Windows immune system is stronger.
Why would a user suddenly grow a sense of security for changing OSes and be more skeptical? If they are asked to type their sudo password they will type their sudo password in any OS if it is in the way of them getting things done.
Either way, I agree more with Mickey than you.
@Niclas
I agree with Mickey too, that’s what the post was meant to convey. But I guess you are objecting to my counter-arguments. Of course I can’t speak for Google and its decisions; the question I am interested in is the relative security of Windows vs other operating systems. Hard to pin down because there are so many factors including how well the system is managed overall. However I do think that legacy apps and sloppy Windows culture are still a problem; an avoidable problem, but one I see frequently. That said, your points are good ones too.
Tim