Not that long ago hackers were not sophisticated or organized in criminal networks and all operating systems were reasonably secure.
Fast-forward a few years, and stealing data has turned into a business, and security is on everyone’s mind. So it is a good time to investigate whether the niche operating system Linux is more secure than the most widely used one, Windows.
How secure is Windows?
77% of computers today run on Windows, compared to less than 2% for Linux, which would suggest that Windows is relatively secure.
Indeed, recently, Microsoft introduced a massive improvement to its operating system’s codebase. They added their own antivirus software system, improved firewalls and implemented a sandbox architecture, limiting programs from accessing the memory space of the OS or other applications.
Still, Windows is in a tight spot.
As you might expect, the volume of malware developed for an operating system is proportionate to its popularity. Windows has a large market share and because of that, it is a bigger target for scammers. Compared to that, there’s barely any malware in existence for Linux. That’s one reason some consider Linux more secure than Windows.
In addition, many believe that Windows architecture makes it a little easier for users to download malware compared to Linux. On Windows, all you need to do for viruses and spyware to run is to double-click on an “.exe” file.
When we asked Vivaldi devs to verify this statement, they told us that there are some safeguards against that.
By default, current versions of Windows will warn you if you download an “.exe” from the Internet using a technique called “Mark of the Web” (that’s as long as your browser correctly marks it as a download).
There are also various executable signing options to make sure that “.exe” files come from a trusted source.
However, by default, that protection is not set to a high enough level, since unsigned applications can still run. In contrast, freshly downloaded executables are treated as dangerous, and Windows 10 makes you perform actions on warning dialogs before they will run.
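Mark of the Web is stored with the downloaded file itself, in an NTFS alternate data stream named Zone.Identifier, so it can be inspected when checking where an executable came from. The following is an added example, not code from Vivaldi or Microsoft; the function and class names and the sample stream contents are constructed for illustration.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Windows URL security zones; zones 3 and 4 mark content from an untrusted origin.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    host_url: Optional[str]      # URL the file was fetched from, if recorded
    referrer_url: Optional[str]  # page that linked to it, if recorded

    @property
    def untrusted(self) -> bool:
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style body of a Zone.Identifier stream; None if unusable."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))
        sec = cp["ZoneTransfer"]
        zone_id = int(sec["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return MarkOfTheWeb(zone_id, ZONES.get(zone_id, "Unknown"),
                        sec.get("HostUrl"), sec.get("ReferrerUrl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the mark from a file on NTFS (Windows only); None means no mark."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


# Constructed sample of what a browser writes for a downloaded installer.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://downloads.example.test/\r\n"
          "HostUrl=https://downloads.example.test/setup.exe?v=1%2E0\r\n")
```

A file for which `read_motw` returns `None` carries no mark, which is the case the article describes when the browser or download tool does not tag the file.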
This “weakness” of Windows architecture might be why some consider Linux more secure than Windows. And also why Windows users are constantly prompted to download updates to their antivirus application and firewall software. This was indeed the case with the very recent software update to fix an issue flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications.
Still, not all malware developed for Windows will run on all Windows devices. For example, a virus built for XP may not run on Windows 10. This makes it harder for malware developers who have to keep up with the ever-changing platforms.
Is Linux more secure by design?
Many believe that, by design, Linux is more secure than Windows because of the way it handles user permissions.
The main protection on Linux is that running an “.exe” is much harder. Linux will not execute a file without explicit permission: you’ll have to chmod +x a file before you can run it.
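Because the execute permission bit, not the file name, decides whether Linux will run a file, a download folder can be audited for files that already carry it. This is an added example rather than code from the article; it goes slightly beyond the text by also identifying the program type from the file's first bytes, and all function names are illustrative.

```python
import os
import stat
import sys

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(path: str) -> str:
    """Identify the program type from the first bytes, not the extension."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return "unreadable"
    if head == b"\x7fELF":
        return "ELF binary"
    if head[:2] == b"#!":
        return "script"
    return "other"


def runnable_files(root: str):
    """Return (path, kind, mode) for regular files with any execute bit set."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & EXEC_BITS:
                found.append((path, classify(path), stat.filemode(st.st_mode)))
    return found


if __name__ == "__main__":
    # The directory to scan is passed on the command line (an assumption).
    for path, kind, mode in runnable_files(sys.argv[1]):
        print(f"{mode}  {kind:<10}  {path}")
```

A file named `invoice.pdf` that is reported as a script or ELF binary with `x` bits set is worth a closer look, since its name says nothing about what running it would do.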
However, that’s changing. More and more Linux systems simplify things by understanding file extensions (double-click an .html file, and it will open a browser), so users are now relying on the security of every application. That means that an exploit in an image viewer can become a system exploit if you can get the user to double-click on a .jpg file.
An advantage of Linux is that viruses can be more easily removed. On Linux, system-related files are owned by the “root” superuser. If infected, viruses can be easily removed as they can only affect the user account where they were installed, and they do not affect the root account (if the computer has one – Ubuntu does not normally use a root account, most other Linux distributions do).
On the downside, Linux has been very slow to fix these “privilege escalation bugs” and there have been some from time to time. Because they can only be used by a local user account, they are not considered as serious as a remote exploit.
However, Vivaldi devs reckon that once the malware is running locally, it can use them to become root and remove all of that permissions protection. Being able to compromise a user account can be just as bad as being able to compromise a root account.
Linux has more things going for it though.
It has a large community of developers reviewing its code and making sure there are no back doors. Some have called Linux the most secure OS simply on the grounds of its large “team” of Linux user-developers around the globe.
The diversity of Linux distributions (as opposed to the relative monoculture on Windows) is another shield for Linux users.
Some of these distributions have been built specifically around security. Edward Snowden, for example, has endorsed Qubes OS saying that if you’re serious about security, Qubes OS is the best operating system available today and that it’s what he uses.
Some Linux distributions have been accused of bad security practices but assuming your chosen distro (Ubuntu, Red Hat, Qubes OS, others) has a good reputation for security, you can use it safe in the knowledge that it has all the necessary security patches applied.
All this is not to say that Linux machines cannot be infected (remember the Heartbleed bug in 2014), it’s just harder to do. That (and the cost probably) is the reason most of the web runs on Linux servers.
Security beyond the operating system
So is Linux more secure than Windows? Asking Vivaldi devs didn’t get us a conclusive answer.
Indeed, as no operating system is bulletproof, the only reasonable answer is to get educated about the security threats you face.
Deploying a secure operating system is an important step but lack of knowledge can expose you to far greater risks.
Here are a few things to think about:
- Networking. Having a firewall is extremely important on both Windows and Linux. Make sure you know how that side of things works on your machine.
- Phishing. This threat is the hardest to prevent as anyone can be tricked into disclosing a username, password, or other sensitive stuff. Beware that “social engineering” is the preferred method for a huge chunk of scammers. By sending emails posing as PayPal or Netflix, they will try to steal your passwords and, consequently, credit card information.
- Choice of browser. Your choice of OS won’t protect you from phishing attacks but your browser might. Many browsers check for known malicious websites or websites that offer malware for download. For example, Vivaldi will ask you explicitly if you want to run an executable file.
- Malware. When shopping around for software, you can be tricked into downloading and running suspicious software, extensions, or plug-ins that open the door to malware. Before installing anything on your machine, look up reviews, check if the software is used by a respectable number of people, and install it in a sandbox.