Ignoring the Obvious: The Limits of Market Share Analysis for Security

No computer system is safe from security threats. There, I said it. With that out of the way, I'd like to share my concern over a potentially disturbing fact: Linux is gaining popularity on the desktop (and everywhere else for that matter), which is resulting in a loss of market share for the dominant desktop, Microsoft Windows. This fact means that Linux systems might become a target for virus writers who see these trends as well. Or does it? And if it does indeed mean that Linux and open source software will become targets, is that a cause for concern?

Those who would say that Linux systems haven't been targeted by virus writers because they aren't popular are ignoring the obvious. Linux, by way of Apache, Sendmail, BIND, and other related software, has been dominating Internet infrastructure for quite a long time. These systems routinely sit directly on the Internet with only a software firewall protecting them, and sometimes without even that. If virus and worm writers wanted a juicy target, what better target than the computers that run the Internet infrastructure with fat bandwidth and little, if any, extra protection?

Could a possible reason that these systems aren't targeted be that they're better configured? Since the systems are servers on the Internet, it might be safe to assume that they are actively monitored by professional administrators. As any Web administrator will tell you, some of the most frequent (and annoying to an Apache administrator) entries in a Web server logfile are requests for IIS-related exploits. But the most recent survey published by Netcraft shows that the Apache Web server remains dominant at nearly 68% market share and trending upward, while Microsoft IIS is at 21% market share and trending flat, if not slightly downward.

With only 21% market share, why would anyone write a worm that attacks IIS? Why haven't there been more attacks against the open source Apache Web server? Since both IIS and Apache are servers, you might conclude that they should both be configured properly and actively monitored.

It appears there must be another reason why, with the dominant market share, Linux and open source software haven't been targeted more actively by virus writers. What might that reason be?

Might the reason for Windows desktops as well as servers such as IIS being targeted be that they have more security holes? That could be the root cause, but I'm not entirely convinced. Many closed-source proponents are quick to cite sources such as CERT advisories and count raw numbers. Naturally, this ignores the severity of the flaw and the time until a fix is available but, more important, it ignores the fact that there's simply more open source software available. Comparing flaws resulting only from one vendor's software against every open source package available everywhere is an apples-to-oranges comparison on a grand scale.

Does closed source software have more security holes than open source? Since the source code is closed, it's impossible to obtain a definitive answer. Judging by the vehemence with which Microsoft pursued those who leaked or merely posted Windows 2000 source code, you can only assume that it's not just intellectual property that they're trying to protect.

Absent the entire source code being released publicly (without a required nondisclosure), the only method for quantifying the vulnerability of a closed source system is to examine the number of successful attacks against it. Such an analysis reveals that closed source systems such as Microsoft Windows and IIS have more security problems than their open source counterparts. This is true regardless of market share, since IIS has only a fraction of the market share that Apache has, yet it is the more frequently attacked of the two.

Could the reason for the greater number of successful attacks against Windows be that the security philosophies are just different? The process by which security flaws are disclosed and fixed is almost exactly the opposite between open and closed source software. Open source values transparency, making sure that the end users can protect themselves as soon as possible to mitigate any possible attacks. Closed source vendors don't appear to have the end users' best interests in mind when they delay disclosure and fixes. Delaying public disclosure of a security vulnerability means that the only people who have the information are the same ones who would use it for their own profit, be it the vendor or the attacker.

Market share alone does not explain why there are fewer exploits against Linux and open source software. If market share were the key factor, the majority of Web server attacks would be made against Apache servers. The next time you hear someone ranting that there are fewer viruses for Linux because the market share isn't the same as Windows, give them the facts. Apache has been and continues to be the dominant Web server on the Internet, yet IIS has been and continues to be the most frequently attacked Web server on the Internet.

More Stories By Steve Suehring

Steve Suehring is a technology architect and engineer with a solid background in many areas of computing, encompassing both open and closed source systems. He has worked with a variety of companies from small to large, including new and old economy, to help them integrate systems and provide the best use of available technologies. He has also taken a hands-on approach with many projects and frequently leads teams of engineers and developers, and has written magazine articles as well as a book on the MySQL database server. He has also performed technical editing on a number of other titles.
