Linux Vulnerabilities Spur Enterprise Warning

Recently, the U.S. Computer Emergency Readiness Team, or CERT, reported that during 2005, Linux and Unix combined had 2,328 vulnerabilities, compared with 812 vulnerabilities for Microsoft Windows.

Since their release, these statistics have had their share of detractors, especially in the open-source community (see related story, "CERT Stats Under Fire").

But a separate query of the National Vulnerability Database (NVD)--maintained by the National Institute of Standards and Technology--yielded similar results: During 2005, there were 119 vulnerabilities reported in the core Linux kernel--the one used by all the various Linux distributions, says Peter Mell, the database's main administrator. This compares with 61 published vulnerabilities for Windows XP, according to the NVD.

Moreover, the trend appears to be going upward. The 119 vulnerabilities found in Linux during 2005 compares with 47 in 2004, 16 in 2003, and 11 in 2002, Mell says.

Security experts advise against getting too hung up on the specific numbers, because there are different methodologies of counting in the open-source community versus in an individual vendor such as Microsoft, and there are various levels of security problems that are defined a bit differently from one organization to the next. A Novell spokesman, for instance, says that during 2005, his company released 71 "security advisories" for SuSE Linux Enterprise Server and issued another 30 summary reports with security issues of various levels of severity. All issues have since been patched, he says, and data from Secunia, an independent firm in Copenhagen that tracks security vulnerabilities in more than 6,500 products, backs up that claim.

Enterprise Users Cautioned

Still, security watchers say the numbers do point to a trend that business customers should at least be aware of.

Most enterprise customers pay for supported Linux versions and related applications from established vendors such as Red Hat and Novell, which ensure that their products are free of major security problems and quickly patch any that do appear. In the case of Red Hat, it's also ensuring the security of, and providing patches for, the third-party Linux application stacks it's now selling, says Michael Ferris, director of security products for Red Hat.

Still, even that doesn't mean a business is completely out of the woods regarding Linux security.

Customers might well be using a Linux-based, network-connected multifunction printer that hasn't ever been patched, for instance, or have on their network an obscure tool found on a Web site that a programmer is using unbeknownst to everyone else--and that can create an open door that leads to huge problems. "All it takes is one mistake to open the entire enterprise up," warns Alan Paller, director of research at the SANS Institute. Many corporate print and fax Linux appliances, in particular, are ignored until something happens, "and they're never patched," he says.

Jamie Haughom, an independent security consultant, says another problem is that operating systems, including many Linux distributions, are shipped with key security features turned off. This is to ensure that applications can run, as much as possible, without incompatibilities. That means it's up to enterprise customers to ensure that their administrators are expert in setting up encryption levels, creating VPNs to send and receive files, and using tools to audit for adequate Linux security.

The good news, he says, is that "Linux comes with everything you need to be secure." And there's a wealth of information available on the Internet to help; so it's up to users to educate themselves.

Up to this point, Linux has been spared from most of the serious worms, viruses, and denial-of-service attacks that have plagued other products, especially Windows. Security experts say that's because Linux has been mostly a server phenomenon, and server administrators are much more savvy than typical end users about security issues. Put another way: malware creators most often enter corporate systems by means of the desktop and, according to Gartner, 96% of desktops worldwide are running Windows.

But that may change. As Linux becomes more widespread within corporate America, it's likely only a matter of time before an evil cracker decides to target the environment. "It's like Willie Sutton," the thief who went after banks "because that's where the money is," says Michael Goulde, open-systems analyst at Forrester Research. "As Linux becomes more popular, it becomes a more attractive environment for hackers."

Linux Use Growing

Linux is becoming more widely used in nontraditional areas, including CRM and ERP, particularly in medium-sized firms, Goulde says. Renting Linux and associated applications as a service is another area he expects to see grow, and financial-services and health-care firms are already well-entrenched Linux users, he adds.

Dan Kusnetzsky, an operating system analyst at IDC, says that companies "have started incorporating Linux into their IT planning cycles," moving way beyond the early-adopter phase. "So the early Linux pilot projects are now deployed," and shops are "assigning other tasks beyond those originally planned," he says. In this way, Linux is following the growth patterns seen in both Windows and Unix before it.

Michael Silver, a Gartner desktop analyst, says Linux for end users is growing very slowly here in the United States, where it still represents less than 1% of all desktops. Its use outside the United States is more widespread, especially in areas including Eastern Europe where "there's less of an installed base of Windows, they need less expensive alternatives, and they don't have the legacy and compatibility issues we have," he says.

As the popularity of Linux increases, some question whether the open-source development model will continue to serve Linux well from a security perspective.

David Humphrey, a senior technology adviser for consulting firm Ekaru, says he still believes that Linux is among the most secure operating systems available today. He says he still stands by that belief, as espoused in an interview that ran before the CERT statistics were released. In that interview, he details some of the recent security enhancements made to the Linux kernel.

Others wonder, though.

"To a large extent, this could be a failure with open source," says Ira Winkler, an independent consultant, president of the Internet Security Advisors Group, and author of Spies Among Us. The primary issue he sees is a lack of consistency in regression testing and other quality-control issues. Because many people may be contributing code in the open-source model, there's no way of being sure exactly how that code has been bulletproofed, or even whether any best-practice testing methodologies have been used across and between contributors.

Is Open Source A Security Problem?

The essential question, Forrester's Goulde says, is whether an open-source model is fundamentally more or less secure, and he sees points to be made on both sides of the debate. In the plus column, he says, is that "everyone can examine the code for vulnerabilities and submit fixes. You can identify and fix a hole much more quickly" because there are so many eyes on it.

On the down side, though, is that because the source code for any given Linux project is so widely circulated, "it's available to every hacker in the world," he says. "You will find arguments on both sides of that, and I have no idea which is true."

Goulde also makes the point that open-source contributors, especially on the highest-profile projects, are people who have proven their chops. Contributors must be accepted into a project, and that acceptance is based on what they've done on past projects, the quality of their work, and other factors. "There's a perception out there that anyone drinking Jolt Cola and eating potato chips in their basement can place code into an open-source project, and that's simply not true," he says, particularly for the major projects run by Apache and other leading open-systems providers.

For their part, many Linux users don't seem all that concerned with security. In the most recent InformationWeek survey about Linux, only 10% of the 354 respondents mentioned security as a challenge that they encountered during deployment. (That survey consisted of 222 sites reporting on servers and 177 sites on PCs. Full survey results will be available Feb. 6.)

"The fact is, you can get lost in the statistics, and I think a lot of people will be surprised by the Linux vulnerability numbers," Winkler says. "But it's impossible to write perfectly secure software that's also functional."

As ever, the burden for securing corporate Linux systems remains with the company using the system. As the the NVD's Mell says, "I even broke into my own database. So everyone's vulnerable."