The truth about viruses

Once every couple months or so, I find myself explaining to someone that the flood of viruses everyone has come to expect is not an unavoidable side effect of an increasingly networked world. Usually this comes up in response to the all-too-common security through obscurity argument that Linux systems would suffer the same frequency of virus problems as Microsoft Windows if they were as popular as Windows is now. Such a comment ignores several factors that make up the vulnerability profile of Windows with regard to viruses.

The most obvious, for those who recognized the term "security through obscurity" that I used above, is that Linux-based systems and other open source OSes (such as FreeBSD and OpenSolaris) actually benefit greatly from the security through visibility approach taken by popular open source software projects. There's another factor that's much more important to virus vulnerability in particular, however, that even most open source software advocates don't consider. It's really quite simple.

Microsoft doesn't fix virus vulnerabilities.

A virus is malicious code carried from one computer to another by some kind of medium -- often an "infected" file. Once on a computer, it's executed when that file is "opened" in some meaningful way by software on that system. When it executes, it does something unwanted. This often involves, among other things, causing software on the host system to send more copies of infected files to other computers over the network, infecting more files, and so on. In other words, a virus typically maximizes its likelihood of being passed on, making itself contagious.

All of this relies on security vulnerabilities that exist in software running on the host system. For example, some of the most common viruses of the last decade or so have taken advantage of security vulnerabilities in Microsoft Office macro capabilities. Infected files that were opened in a text editor such as Notepad would not then execute their virus payload, but when opened in Office with its macro execution capabilities would tend to infect other files and perhaps even send copies of themselves to other computers via Outlook. Something as simple as opening a macro virus infected file in Wordpad instead of Microsoft Word or translating .doc format files into .rtf files so that macros are disabled was a common protective measure in many offices for a while.

Macro viruses are just the tip of the iceberg, however, and are no longer among the most common virus types. Many viruses take advantage of Trident, the rendering engine behind Internet Explorer and Windows Explorer that's also used by almost every piece of Microsoft software available to one degree or another, for instance. Windows viruses often take advantage of image-rendering libraries, SQL Server's underlying database engine, and other components of a complete Windows operating system environment as well.

Viruses in the Windows world are typically addressed by antivirus software vendors. These vendors produce virus definitions used by their antivirus software to recognize viruses on the system. Once a specific virus is identified, the software attempts to quarantine or remove the virus -- or at least inform the user of the infection so that some kind of response may be made to protect the system from the virus.

This method of protection relies on knowledge of the existence of a virus, however, which means that most of the time a virus against which you are protected has, by definition, already infected someone else's computer and done its damage. The question you should be asking yourself at this point is how long it will be until you are the lucky soul who gets to be the discoverer of a new virus by way of getting infected by it.

It's worse than that, though. Each virus exploits a vulnerability -- but they don't all have to exploit different vulnerabilities. In fact, it's common for hundreds or even thousands of viruses to be circulating "in the wild" that, between them, only exploit a handful of vulnerabilities. This is because the vulnerabilities exist in the software and are not addressed by virus definitions produced by antivirus software vendors.

These antivirus software vendors' definitions match the signature of a given virus -- and if they're really well-designed might even match similar, but slightly altered, variations on the virus design. Sufficiently modified viruses that exploit the same vulnerability are safe from recognition through the use of virus definitions, however. You can have a photo of a known bank robber on the cork bulletin board at the bank so your tellers will be able to recognize him if he comes in -- but that won't change the fact that if his modus operandi is effective, others can use the same tactics to steal a lot of money.

By the same principle, another virus can exploit the same vulnerability without being recognized by a virus definition, as long as the vulnerability itself isn't addressed by the vendor of the vulnerable software. This is a key difference between open source operating system projects and Microsoft Windows: Microsoft leaves dealing with viruses to the antivirus software vendors, but open source operating system projects generally fix such vulnerabilities immediately when they're discovered.

Thus, the main reason you don't tend to need antivirus software on an open source system, unless running a mail server or other software that relays potentially virus-laden files between other systems, isn't that nobody's targeting your open source OS; it's that any time someone targets it, chances are good that the vulnerability the virus attempts to exploit has been closed up -- even if it's a brand-new virus that nobody has ever seen before. Any half-baked script-kiddie has the potential to produce a new virus that will slip past antivirus software vendor virus definitions, but in the open source software world one tends to need to discover a whole new vulnerability to exploit before the "good guys" discover and patch it.

Viruses need not simply be a "fact of life" for anyone using a computer. Antivirus software is basically just a dirty hack used to fill a gap in your system's defenses left by the negligence of software vendors who are unwilling to invest the resources to correct certain classes of security vulnerabilities.

The truth about viruses is simple, but it's not pleasant. The truth is that you're being taken to the cleaners -- and until enough software users realize this, and do something about it, the software vendors will continue to leave you in this vulnerable state where additional money must be paid regularly to achieve what protection you can get from a dirty hack that simply isn't as effective as solving the problem at the source would be.