Why Linux is better than Windows or macOS for security
Decisions made years ago about which operating system to roll out can affect corporate security today. Of the big three in widespread use, one can credibly be called the most secure.
Enterprises invest a lot of time, effort and money in keeping their systems secure. The most security-conscious might have a security operations center. They of course use firewalls and antivirus tools. They probably spend a lot of time monitoring their networks, looking for telltale anomalies that could indicate a breach. What with IDS, SIEM and NGFWs, they deploy a veritable alphabet of defenses.
But how many have given much thought to one of the cornerstones of their digital operations: the operating systems deployed on the workforce’s PCs? Was security even a factor when the desktop OS was selected?
This raises a question that every IT person should be able to answer: Which operating system is the most secure for general deployment?
We asked some experts what they think of the security of these three choices: Windows, the ever-more-complex platform that’s easily the most popular desktop system; macOS X, the FreeBSD Unix-based operating system that powers Apple Macintosh systems; and Linux, by which we mean all the various Linux distributions and related Unix-based systems.
How we got here
One reason enterprises might not have evaluated the security of the OS they deployed to the workforce is that they made the choice years ago. Go back far enough and all operating systems were reasonably safe, because the business of hacking into them and stealing data or installing malware was in its infancy. And once an OS choice is made, it’s hard to consider a change. Few IT organizations would want the headache of moving a globally dispersed workforce to an entirely new OS. Heck, they get enough pushback when they move users to a new version of their OS of choice.
Still, would it be wise to reconsider? Are the three leading desktop OSes different enough in their approach to security to make a change worthwhile?
Certainly the threats confronting enterprise systems have changed in the last few years. Attacks have become far more sophisticated. The lone teen hacker that once dominated the public imagination has been supplanted by well-organized networks of criminals and shadowy, government-funded organizations with vast computing resources.
Like many of you, I have firsthand experience of the threats that are out there: I have been infected by malware and viruses on numerous Windows computers, and I even had macro viruses that infected files on my Mac. More recently, a widespread automated hack circumvented the security on my website and infected it with malware. The effects of such malware were always initially subtle, something you wouldn’t even notice, until the malware ended up so deeply embedded in the system that performance started to suffer noticeably. One striking thing about the infestations was that I was never specifically targeted by the miscreants; nowadays, it’s as easy to attack 100,000 computers with a botnet as it is to attack a dozen.
Does the OS really matter?
The OS you deploy to your users does make a difference for your security stance, but it isn’t a sure safeguard. For one thing, a breach these days is more likely to come about because an attacker probed your users, not your systems. A survey of hackers who attended a recent DEFCON conference revealed that “84 percent use social engineering as part of their attack strategy.” Deploying a secure operating system is an important starting point, but without user education, strong firewalls and constant vigilance, even the most secure networks can be invaded. And of course there’s always the risk of user-downloaded software, extensions, utilities, plug-ins and other software that appears benign but becomes a path for malware to appear on the system.
And no matter which platform you choose, one of the best ways to keep your system secure is to ensure that you apply software updates promptly. Once a patch is in the wild, after all, the hackers can reverse engineer it and find a new exploit they can use in their next wave of attacks.
And don’t forget the basics. Don’t use root, and don’t grant guest access to even older servers on the network. Teach your users how to pick really good passwords and arm them with tools such as 1Password that make it easier for them to have different passwords on every account and website they use.
Because the bottom line is that every decision you make regarding your systems will affect your security, even the operating system your users do their work on.
Windows, the popular choice
If you’re a security manager, it is extremely likely that the questions raised by this article could be rephrased like so: Would we be more secure if we moved away from Microsoft Windows? To say that Windows dominates the enterprise market is to understate the case. NetMarketShare estimates that a staggering 88% of all computers on the internet are running a version of Windows.
If your systems fall within that 88%, you’re probably aware that Microsoft has continued to beef up security in the Windows system. Among its improvements have been rewriting and re-rewriting its operating system codebase, adding its own antivirus software system, improving firewalls and implementing a sandbox architecture, where programs can’t access the memory space of the OS or other applications.
But the popularity of Windows is a problem in itself. The security of an operating system can depend to a large degree on the size of its installed base. For malware authors, Windows provides a massive playing field. Concentrating on it gives them the most bang for their efforts.
As Troy Wilkinson, CEO of Axiom Cyber Solutions, explains, “Windows always comes in last in the security world for a number of reasons, mainly because of the adoption rate of consumers. With a large number of Windows-based personal computers on the market, hackers historically have targeted these systems the most.”
It’s certainly true that, from Melissa to WannaCry and beyond, much of the malware the world has seen has been aimed at Windows systems.
macOS X and security through obscurity
If the most popular OS is always going to be the biggest target, then can using a less popular option ensure security? That idea is a new take on the old — and entirely discredited — concept of “security through obscurity,” which held that keeping the inner workings of software proprietary and therefore secret was the best way to defend against attacks.
Wilkinson flatly states that macOS X “is more secure than Windows,” but he hastens to add that “macOS used to be considered a fully secure operating system with little chance of security flaws, but in recent years we have seen hackers crafting additional exploits against macOS.”
In other words, the attackers are branching out and not ignoring the Mac universe.
Security researcher Lee Muson of Comparitech says that “macOS is likely to be the pick of the bunch” when it comes to choosing a more secure OS, but he cautions that it is not impenetrable, as once thought. Its advantage is that “it still benefits from a touch of security through obscurity versus the still much larger target presented by Microsoft’s offering.”
Joe Moore of Wolf Solutions gives Apple a bit more credit, saying that “off the shelf, macOS X has a great track record when it comes to security, in part because it isn’t as widely targeted as Windows and in part because Apple does a pretty good job of staying on top of security issues.”
And the winner is …
You probably knew this from the beginning: The clear consensus among experts is that Linux is the most secure operating system. But while it’s the OS of choice for servers, enterprises deploying it on the desktop are few and far between.
And if you did decide that Linux was the way to go, you would still have to decide which distribution of the Linux system to choose, and things get a bit more complicated there. Users are going to want a UI that seems familiar, and you are going to want the most secure OS.
As Moore explains, “Linux has the potential to be the most secure, but requires the user be something of a power user.” So, not for everyone.
Linux distros that target security as a primary feature include Parrot Linux, a Debian-based distro that Moore says provides numerous security-related tools right out of the box.
Of course, an important differentiator is that Linux is open source. The fact that coders can read and comment upon each other’s work might seem like a security nightmare, but it actually turns out to be an important reason why Linux is so secure, says Igor Bidenko, CISO of Simplex Solutions. “Linux is the most secure OS, as its source is open. Anyone can review it and make sure there are no bugs or back doors.”
Wilkinson elaborates that “Linux and Unix-based operating systems have less exploitable security flaws known to the information security world. Linux code is reviewed by the tech community, which lends itself to security: By having that much oversight, there are fewer vulnerabilities, bugs and threats.”
That’s a subtle and perhaps counterintuitive explanation, but by having dozens — or sometimes hundreds — of people read through every line of code in the operating system, the code is actually more robust and the chance of flaws slipping into the wild is diminished. That had a lot to do with why PC World came right out and said Linux is more secure. As Katherine Noyes explains, “Microsoft may tout its large team of paid developers, but it’s unlikely that team can compare with a global base of Linux user-developers around the globe. Security can only benefit through all those extra eyeballs.”
Another factor cited by PC World is Linux’s better user privileges model: Windows users “are generally given administrator access by default, which means they pretty much have access to everything on the system,” according to Noyes’ article. Linux, in contrast, greatly restricts “root.”
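As an added example (not part of the original article and not any distribution's own tooling), the following POSIX shell script audits the most common ways the root restriction described above, and the basics mentioned earlier (no routine root use, no guest access), get undermined on a Linux host: extra UID-0 accounts, accounts without a password, and passwordless sudo rules. The passwd, shadow and sudoers files it builds are constructed samples; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: a small audit for the
# "restrict root" principle discussed above. Each function takes the file
# to inspect as an argument, so it runs against the constructed samples
# below or, for an administrator, against /etc/passwd, /etc/shadow and
# /etc/sudoers on a real host.

# Every account whose numeric UID is 0: root in all but name.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID-0 accounts other than the canonical "root" entry; a second one
# sidesteps the privilege model instead of using sudo for a single task.
extra_root_accounts() {
    uid0_accounts "$1" | grep -v '^root$' || true
}

# Accounts in a shadow-format file whose password field is empty, i.e.
# accounts anyone can enter without a password ("guest access").
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# sudoers rules that grant commands without a password prompt (comment
# lines skipped); "NOPASSWD: ALL" is effectively another root account.
nopasswd_rules() {
    grep -E '^[^#]*NOPASSWD' "$1" || true
}

# Run all three checks; each finding is one line starting with "FINDING:".
# Usage: audit_privileges PASSWD_FILE SHADOW_FILE SUDOERS_FILE
audit_privileges() {
    extra_root_accounts "$1" | sed 's/^/FINDING: extra UID-0 account: /'
    empty_password_accounts "$2" | sed 's/^/FINDING: empty password: /'
    nopasswd_rules "$3" | sed 's/^/FINDING: passwordless sudo rule: /'
}

# Constructed sample files (not from any real system) written into the
# directory given as $1: "toor" is a second UID-0 account, "guest" has an
# empty password, and one live NOPASSWD rule sits next to a commented copy
# that must not be reported.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
alice:$6$placeholderhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
    cat > "$1/sudoers" <<'EOF'
root    ALL=(ALL:ALL) ALL
# alice ALL=(ALL) NOPASSWD: ALL
alice   ALL=(ALL) NOPASSWD: ALL
EOF
}
```

Running `dir=$(mktemp -d); make_samples "$dir"; audit_privileges "$dir/passwd" "$dir/shadow" "$dir/sudoers"` reports three findings for the samples; against a real host, an empty result is the goal.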
Noyes also noted that the diversity possible within Linux environments is a better hedge against attacks than the typical Windows monoculture: There are simply a lot of different distributions of Linux available. And some of them are differentiated in ways that specifically address security concerns. Security Researcher Lee Muson of Comparitech offers this suggestion for a Linux distro: “The Qubes OS is as good a starting point with Linux as you can find right now, with an endorsement from Edward Snowden massively overshadowing its own extremely humble claims.” Other security experts point to specialized secure Linux distributions such as Tails Linux, designed to run securely and anonymously directly from a USB flash drive or similar external device.
Building security momentum
Inertia is a powerful force. Although there is clear consensus that Linux is the safest choice for the desktop, there has been no stampede to dump Windows and Mac machines in favor of it. Nonetheless, a small but significant increase in Linux adoption would probably result in safer computing for everyone, because a loss in market share is one sure way to get Microsoft’s and Apple’s attention. In other words, if enough users switch to Linux on the desktop, Windows and Mac PCs are very likely to become more secure platforms.
Linux vs Windows Security
Linux Security vs Windows
Like Apple users, Linux supporters now have to increase the security of their computers, as various attacks from the past year show. The security company Panda Security urgently warns Linux users not to lull themselves into a false sense of security.
Until now, open operating systems, such as open Linux distributions, were actually considered a good choice for companies. In contrast to Windows, the installation of Linux systems is usually free of charge. Another advantage has been their security. While thousands of new viruses and Trojans attack Windows systems every day, Linux was of little interest to cybercriminals in the past. On the one hand, there are simply too few Linux installations to make big money with malware. On the other hand, Linux has the advantage that there is not just one Linux system: an exploit that works against Linux Mint does not automatically work under Ubuntu or Debian. However, despite its strengths, Linux is not immune, the security company warns.
One of the malware threats is Turla, a malicious software that is also known as Epic Snake or Uroburos. It has infected Windows computers around the world for years. Recently, a version of this Trojan was discovered that is attacking Linux. Turla uses a backdoor to grant cybercriminals access to the computer without relying on root privileges. As a result, the restrictions imposed by the operating system on normal users (without root privileges) are circumvented. Because the malware is used mainly for the purposes of economic espionage or surveillance, it attacks companies.
Another security issue in Linux systems is Shellshock. When a Linux device connects to an unsecured WiFi network, this vulnerability allows a trojan to enter the device easily. However, this hole has since been closed by patches that have already been published.
It is not only security gaps and malware that are causing Linux users worries, reports Panda Security. It is sometimes difficult to obtain the security patches provided by the developers. While access to updates for browsers and other important programs is guaranteed, this does not necessarily apply to other components. An example of this is ownCloud, an application for storing files online in an open format (an alternative to file-hosting services such as Dropbox). When ownCloud was installed under the popular Linux distribution Ubuntu, it did not receive any security updates: the developer had stopped maintaining the package. The security company therefore advises Linux users to supplement the basic protection measures with good anti-virus solutions from IT security specialists.
Linux and Windows security compared
The challenge in evaluating Windows and Linux on any criteria is that there is not a single version of each operating system. Windows 98, Windows NT, Windows 2000, Windows 2003 Server, and Windows CE are just a subset of Microsoft’s offerings. Linux distributions vary by the Linux kernel release each is based on (e.g., 2.2, 2.4, and 2.6) and the versions of all the packages each contains. This study evaluates operating system security according to the current technology available in the market rather than legacy solutions.
Users need to keep in mind that there are philosophical differences in the design of Linux and Windows. The Windows operating system is designed to support applications by moving more functionality into the operating system, and by more deeply integrating applications into the Windows kernel. Linux differs from Windows in providing a clear separation between kernel space and user space. This matters because the ability to make either operating system more secure varies depending on architectural design.
Fundamental changes in Linux and Windows security
For users, the evolution of Linux and Windows has all the trappings of a muscle car drag race. Users may have their favorite but at the same time continue to assess the competition. Microsoft has shown a great willingness — no doubt spurred on by industry cynicism and the growing adoption of Linux — to dedicate massive resources to Windows security. Microsoft will make advances in Windows security within the next few months when it releases Service Pack 2 for Windows XP. This service pack enhances Windows security by turning off some services by default and will also provide new patch management tools. For example, the Alerter and Messenger services have been turned off to reduce the amount of spam received. In many cases, turning off features is good since it makes a system more secure. However, the challenge is to enable security without a tradeoff in key functionality or flexibility.
What is most outstanding is Microsoft’s focus on enhancing security through improved usability. For example, a number of Microsoft security exploits in 2003 were the result of an email attachment launching as an executable (e.g., MyDoom). Service Pack 2 features an attachment execution service that will have a central place for attachments to be accessed by Outlook/Exchange, Windows Messenger, and Internet Explorer. This will reduce the risk of an end user enabling a virus or worm by launching an executable. Also, disabling execution of data pages will limit the potential for buffer-overflow exploits. Still, rather than actually fixing Windows’ broken infrastructure and secure communications, Microsoft leaves the burden on the user.
Microsoft’s focus is clearly on shoring up application security. There are a number of Service Pack 2 enhancements that specifically target Outlook/Exchange and Internet Explorer. For instance, there will be an intelligent MIME-type review in Internet Explorer that will check the content type of an object and let the user know if it is a potentially harmful executable. This raises the question of whether the software will be able to distinguish a virus from a colleague’s spreadsheet extension.
Another new feature in Service Pack 2 is the ability to uninstall additions to a browser, which potentially places more responsibility on the end user, who may have to look at many plug-ins and uninstall the right ones. Outlook/Exchange will have the ability to preview email messages, so a user can delete a message without actually opening it. A further application security enhancement is a firewall that starts prior to the network stack. For software developers, the changes to remote procedure call permissions will make it harder to write code that is not secure.
Service Pack 2 will offer many flashy new features for Windows users, but the question remains: Will these features burden system administrators, and possibly end users, with more complexity, rather than addressing the security of the Windows operating system code?
Open source, shared source
A purely philosophical difference between Linux and Windows is the approach to code transparency. Linux is licensed under the GNU General Public License, which means it is possible for users to copy, modify, and redistribute the source code. Windows is a closed source operating system, which is why its security methodology is often characterized as “security through obscurity.” In 2001, Microsoft responded to the demands of its customers and critics with the Shared Source Initiative, which provides access to Windows source code. Today, the Shared Source Initiative has one million participants, and source code is available for Windows 2000, Windows XP, Windows Server 2003, Windows CE 3.0, Windows CE .Net, and the C#/CLI implementations, as well as components of ASP .Net and Visual Studio .Net. Shared Source Initiative licensees include corporate customers, governments, partners, academics, and individuals.
To a large degree Microsoft’s Shared Source Initiative is a policy of “look but don’t touch.” The rare exception is the Windows CE Shared Source Premium Licensing Program available to companies, which brings Windows CE-based devices and solutions to market. This is the only Windows program under the Shared Source Initiative that provides original equipment manufacturers (OEMs), silicon vendors, and systems integrators full access to Windows CE source code. All licensees have complete access to the source code and the right to modify the code; however, only OEMs can commercially distribute those modifications in Windows CE-based devices. All other shared source licensees have to make a trip to Microsoft in Redmond, Wash., to access source code that is not available through the program.
Although some users may find the Shared Source Initiative useful for debugging applications, the requirement to be physically at Microsoft headquarters to do a build is a significant limitation. Despite Microsoft’s efforts to add more transparency, this inability to do a build makes it difficult, if not impossible, to know whether the code will work when implemented in an actual IT environment.
The restrictions against modifying and recompiling Windows source code reduce the incentive for people with access to the Windows Shared Source to look for security vulnerabilities.
Linux security benefits in the data center and on the desktop
During the next 12 months, Linux will strengthen its hold in the data center and make significant inroads on Microsoft’s desktop monopoly. To a large degree this will be the result of new features and functionality in the 2.6 version of the Linux kernel. With Linux v2.6, the security architecture is now modularized. Under this model, all aspects of the Linux kernel are designed for fine-grained user access instead of the prior scheme of providing total control to the superuser. The implication is that while Linux systems will still support root, which gives a user total access to a system, it will be possible to create Linux systems that do not follow this model.
Patch management