Hey Linux, Mac and Windows users: It’s ALL vulnerable

Whenever we write about an exploitable flaw in Windows, the Apple and Linux crowds love to kick Microsoft in the shins. Microsoft users are now getting into the game as Macs become a bigger target. We should knock it off, because in the final analysis it’s ALL vulnerable.

I’m thinking about this stuff because of comments I recently got in a post about smartphone flaws. In it, Marc Maiffret, co-founder of eEye and now —  through acquisition — CTO of BeyondTrust, ran attendees of ISSA-LA’s Security Summit IV through the modern-day risks of mobile phone use. He noted how Linux is running beneath the shiny apps and interfaces of just about every smart phone and how, therefore, every vulnerability found in Linux has direct implications for the “computers in our pockets.”

“Whenever you hear about a Linux flaw, you have to think about how your phone is affected,” he said, adding that this is especially important as our phones increasingly become our method of payment and proof of identity.

One reader defended Linux: “Would you happen to be saying that a Linux-based OS is finally reaching the point where WIndows has been at for decades? A monoculture that is easily infected by a single virus? Well, I doubt that will happen; OEMs customize and update each phone slightly different and with having Linux filesystem permissions, it’s more secure by default. If there are going to be problems, they will happen first with the user.”

Another reader wrote: “And if you hear of a Windows flaw, what do you do? Put a bullet in your own head? What am I saying? No one runs Windows Phones. For an Apple flaw, you dish out even more money and are told that this is a feature and you should like it. Then pay some more. When Symark acquired the Windows-based business of BeyondTrust a few years ago, I noticed they did no Linux work. Its nice that they either got in the game or they didn’t get in the game but still get quoted on it.”

I’m used to seeing comments like this when the story deals with a bunch of Windows or Mac flaws. With the latter, Apple fans tend to get very defensive, noting how their machines have never been attacked the way Windows machines have. I’ve given Mac users a good-natured ribbing along the way.

The Linux issues are more surprising to me. It’s not that we haven’t seen Linux-based security risks along the way. We’ve seen plenty. But this was the first I can recall hearing about Linux flaws as a threat to all smartphones.

Linux fans have been pretty protective over the years. I remember a former colleague writing an article about the Linux crowd called “Hell hath no fury like Linux scorned.” I loved that title, partly because I’ve heard so much “dump Windows, switch to Linux” talk from the security community.

Now we have a very respected security researcher fingering Linux as one of the biggest problems with smartphone security.

I’ll be perfectly honest with you: Heated debates over which OS-email suite-browser is more damaged is fun for us journalists. It’s like watching a sporting event. But it sometimes takes us a little too far from the truth, which is that there is no “more secure” anymore. Everything is threatened by vulnerabilities and exploits now.

It’s no longer about finding an OS or browser that will shield you from all harm. It’s about determining how much risk is acceptable to your business, which security tools will help you exist in that equilibrium and how you will respond publicly and behind closed doors when you are eventually attacked.

And you will eventually be attacked — whether your enterprise runs on Windows, Mac OS X, Linux or some new alien technology.