With the discovery of a zero-day vulnerability in the Linux kernel that could affect all devices running it, including two-thirds of all Android phones, and yet more trouble in the form of Linux.Ekoms.1 malware that captures screenshots every 30 seconds, maybe it's time to ask just how secure Linux really is.
The zero-day CVE-2016-0728 was particularly nasty, involving as it does the keyring facility which Linux uses to retain encryption information in the kernel. Discovered by researchers at Israeli security outfit Perception Point, it could enable an attacker to gain root and execute arbitrary code on almost any affected device.
And there are plenty that could be affected when you consider that the Linux kernel powers millions of servers and millions of Android smartphones. Worse yet, the flaw has been around since 2012, when it appeared in version 3.8 of the Linux kernel.
No attacks have been seen in the wild, and the flaw has been patched, although that may be of little help to the millions of users of older Android devices with precious little chance of any update ever reaching them.
Throw in the discovery of that screenshot-capturing malware, hardly a new technique, but the fact is that it's out there grabbing pictures of login data, and you have a timely reminder that Linux users are not immune to attack.
Indeed, it would be apposite at this point to ask why the myth that Linux is somehow untouched by security problems has managed to survive for so long in the minds of so many.
Josh Bressers, a security strategist at Linux vendor Red Hat, isn't so sure that this was ever actually a myth so much as a gap between the perception and reality of security. "The people who have been involved with security have always known and treated Linux with an appropriate level of security," Bressers told SCMagazineUK.com, insisting that "the key to dealing with security flaws is to have the ability to move quickly, not to make claims about a mythical level of security".
From the end user perspective, however, things have historically been rather different, according to Chris Boyd, a malware intelligence analyst at Malwarebytes. "For many people, finding their feet with Linux is an uphill struggle," he told us. "Feeding the myth that anything is bulletproof tends to result in a lack of care on the part of the device owner, and often leaves them more susceptible to other scams such as social engineering, if not malware itself."
Of course, insecurity is relative and when compared to closed source software there are those who would argue that Linux is inherently more secure courtesy of more eyes on the code base. Michael Kemp, co-founder of Xiphos Research, is one of them. "This can also be a bad thing," Kemp admits, "as maliciously motivated attackers can analyse source code for vulnerabilities, and in doing so create attack vectors that are then targeted."
Kemp continues: "The common misconception is that because Linux has got less market penetration than MS on the desktop front then all is well. The other troubling misconception is that installation of software packages happens via trusted repositories when in many cases this may not be the case."
That said, Kemp is insistent that, by design, Linux is far more granular and open than closed OSs, which means that users can review code before installation and can also establish what that code is doing without needing to reverse-engineer it. "Given the percentile rates of infection in relation to Linux," Kemp concludes, "the misconception of security still presently stands, and isolated incidences do not indicate a major trend pattern."
However, Chris Boyd reminds us, "Linux malware may not be as common as it is on the Windows platform, but it only takes one successful attack or lapse in judgement to compromise a PC." One wonders whether a fresh Linux user assumes everything is now secure and doesn't bother to keep up with security basics such as patching, removing unwanted programs, and even good password management.
Looking at malware alone, Linux ransomware is starting to make an appearance. "This, as with Windows, can cause havoc if a proper backup system hasn't been put in place," Boyd told SC, adding: "We would always advise a layered security setup regardless of operating system. The options aren't quite as varied as they are on Windows, but the selection is growing."
So what are the major security threats facing Linux users? Red Hat's Bressers focuses on untrusted content. "The explosion of new technologies such as cloud and containers has made us rethink the way we operate our infrastructure," he said, adding: "At the same time it has left a lot of good security practices behind."
"Operating containers and cloud images doesn't give us any security magic – good security is timeless. We have to continue to understand what our content is, where it comes from, what the security state of the content is and, most importantly, how can I ensure I have proper support for the content such as security updates?"
Robert Hansen, VP of WhiteHat Labs, when pushed to choose a single threat involved with Linux, said, "It relies on lots of external do-gooders and lacks any centralised auditable control."
If you thought that was hard-hitting, Hansen goes further: "Not that those virtues save companies like RSA/EMC, Fortinet and Juniper – who have all been found recently to be intentionally or unintentionally weakening their security."
He did admit that it's "helpful for companies to have a single throat to choke" when it comes to ensuring and enforcing auditing and regular updates through contracts, though.
Jonathan Sander, a strategist at Lieberman Software, is a little less controversial and points out that the greatest threat to Linux security is the same as the greatest threat to every platform's security: users. "It's going to be a human that clicks the wrong thing and lets a piece of malware get a foothold on the Linux system and run these fancy new exploits," Sander says, concluding: "Aside from the most high value targets, the greatest threats to Linux in general are the bad clicks of users."
Does that mean that Linux users should be using an AV solution on their machines? "There's no question that AV, malware protection, firewalls and other preventative measures have value on every platform," Sander insists. "However, each new zero-day means they are obsolete until updated, on Linux and everywhere else."
The only real solution, for Linux as for every other platform, is getting humans to behave better. Until that happens, of course, Linux will remain as insecure as ever…