I understand the ideas behind open source software, but I am more interested in the security aspects. How is open source software not exposed to viruses or any kind of Internet attack? How does it stay secure over time? I have heard that open source software is prone to attacks, but the chances are less than Windows-based software. I am unclear about this.
And why do some Linux users not use an antivirus?
It's not that they couldn't exist. It's that by and large they don't.
The security model being a little more complicated on most open source systems and the peer review of code by other developers both lead to this.
Here's an example:
For closed source applications -
You're developing an application, and you use some Windows library. It crashes when you pass it an incorrect parameter. You tweak your application to pass the parameter properly so it works, and move on.
Same scenario for open source applications -
You're developing an application, and you use some Linux library. It crashes when you pass it an incorrect parameter. If you think the way you passed it is sane, you see why it crashed and submit a bug report to the library package with a patch to make it work as anticipated. If you think the way you passed it was wrong, you see why it crashed and submit a bug report to the library package with a patch to sanitize that input.
See the difference in the outcome on the two scenarios?
And why not an antivirus?
The best answers I can come up with on why not antivirus are this, this, and this. Anti-virus has a place, but it's not a solution.
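The two scenarios in the answer above, as an added example that is not part of the original answer or any real library. The wire format (a 2-byte big-endian length prefix followed by the payload), the sample records and the function names are all constructed for the demonstration. The "library as found" trusts the length field and crashes on a truncated record; the closed-source caller can only pad its input until the crash goes away, which silently turns garbage into payload; the open-source fix validates the input at the library boundary and rejects it with a clear error.

```python
import struct

# Constructed sample records (not from any real protocol):
# a 2-byte big-endian length prefix followed by that many payload bytes.
GOOD_RECORD = b"\x00\x05hello"
SHORT_RECORD = b"\x00\x20hi"  # prefix claims 32 bytes, only 2 are present


class MalformedRecord(ValueError):
    """Raised by the patched library for input that violates the format."""


def parse_record_unpatched(buf: bytes) -> bytes:
    """The library as found: trusts the length prefix blindly.

    On a truncated record struct.unpack_from raises a bare struct.error from
    deep inside the library, which the calling application sees as a crash.
    """
    (n,) = struct.unpack_from(">H", buf, 0)
    return struct.unpack_from(f"{n}s", buf, 2)[0]


def caller_workaround(buf: bytes) -> bytes:
    """Closed-source scenario: the caller cannot change the library, so it
    pads the input to the claimed length until the library stops crashing.
    The truncated record is now accepted and the zero padding becomes payload.
    """
    (n,) = struct.unpack_from(">H", buf, 0)
    padded = buf + b"\x00" * max(0, n + 2 - len(buf))
    return parse_record_unpatched(padded)


def parse_record_patched(buf: bytes) -> bytes:
    """Open-source scenario: the fix lands in the library itself.

    Every field is checked against the actual buffer before it is trusted,
    and bad input is rejected with a specific exception instead of a crash.
    """
    if len(buf) < 2:
        raise MalformedRecord("record shorter than its length prefix")
    (n,) = struct.unpack_from(">H", buf, 0)
    if len(buf) != 2 + n:
        raise MalformedRecord(
            f"length prefix says {n} bytes, but {len(buf) - 2} follow it"
        )
    return buf[2:2 + n]


def outcome(parser, buf: bytes) -> str:
    """Classify what a parser does with a record: ok, rejected, or crash."""
    try:
        parser(buf)
        return "ok"
    except MalformedRecord:
        return "rejected"
    except struct.error:
        return "crash"


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("short", SHORT_RECORD)):
        print(name, "unpatched:", outcome(parse_record_unpatched, rec),
              "patched:", outcome(parse_record_patched, rec))
    print("workaround accepts", len(caller_workaround(SHORT_RECORD)),
          "bytes of mostly padding")
```

The point of the contrast is who ends up holding the bug: with the workaround, every caller of the closed library has to rediscover and paper over the same defect, while the patched version fixes it once for everyone, including callers who never noticed the crash.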
Firstly, I'd like to clarify that not all FOSS software is virus proof.
The number of viruses and bugs in a program depends on the developer and the community.
But FOSS software has better resistance to viruses in the following way.
Let me give you an example:
Closed source:
X closed source software has Y company maintaining it
X software gets a virus/bug
Y company now has to have its employees look into the issue, because the community does not have the source code, which usually takes some time
Bugfix by Y company
Open Source
X open source software has Z community maintaining it, along with Y developer/company
X software gets a virus/bug
Y company/developer tries to work it out along with Z community
Bugs get fixed faster
So, the security of FOSS software depends on the strength and willingness of the community to help in developing and maintaining it.
In addition to what everyone else has said, what it comes down to is this:
In plain English:
Via Wikipedia
As such, since all security issues are bugs, this applies.
In addition, antivirus is a last-minute defense: If the virus/security flaw got to your system, something else is dangerously wrong. With open source, you have more flexibility with finding out who, what, where, when, why and how it got to that point.
Open source is not inherently safer. It might be a little bit, due to the following reasons:
This will only marginally make it safer, though, since bugs will still exist and people will be using their powers for Bad rather than Good.
When it comes to Ubuntu and all other Linux distributions, though, the fact is that they have been designed from the ground up from a multi-user perspective, with one user being able to make modifications to the system and the rest only being allowed to change what's relevant to them; in Windows this was rather tacked on later (though it probably works pretty well by now (Windows 7)).
Still, one could easily write a virus that removes all of a user's personal files. The biggest reason for there being no viruses for Ubuntu is simply that it has a really, really small market share. Thus, there is little to gain and little incentive for a hacker to go through the extra trouble of supporting Ubuntu when they could just target Windows and gain a lot. That, and users of Linux are often better versed technically, so would be less likely to install something when they do not know what it does (though then again, the absence of viruses may lead them to trust everything they download).
(Then again, Ubuntu's update model, among others, is much better than Windows's, meaning that fixes for vulnerabilities can be distributed far quicker.)
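The multi-user model the answer above describes, as an added example that is not part of the original answer. It implements the classic Unix discretionary access check (owner, group, other permission bits, with root bypassing them) over a constructed miniature filesystem; the users, files, ownership and modes are made up for the demonstration, though the modes mirror what a default install shows. It deliberately ignores capabilities, POSIX ACLs and MAC systems such as AppArmor, so it is the basic model, not everything a modern kernel checks. It also makes the answer's caveat concrete: an unprivileged user's malware cannot touch `/etc/passwd` or another user's home, but it can still write to, and therefore destroy, everything that user owns.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    groups: frozenset  # gids the user belongs to


@dataclass(frozen=True)
class Inode:
    uid: int   # owner
    gid: int   # owning group
    mode: int  # permission bits as found in st_mode (setuid/sticky included)


# Constructed users: root, and two ordinary accounts in their own groups.
ROOT = User("root", 0, frozenset({0}))
ALICE = User("alice", 1000, frozenset({1000}))
BOB = User("bob", 1001, frozenset({1001}))

# Constructed sample filesystem, with modes like those `ls -l` shows by default.
FS = {
    "/etc/passwd": Inode(0, 0, 0o644),
    "/usr/bin/sudo": Inode(0, 0, 0o4755),
    "/home/alice/notes.txt": Inode(1000, 1000, 0o644),
    "/home/alice/.ssh/id_ed25519": Inode(1000, 1000, 0o600),
    "/tmp": Inode(0, 0, 0o1777),
}

_BIT = {"r": 4, "w": 2, "x": 1}


def may(user: User, inode: Inode, want: str) -> bool:
    """Unix DAC check: may `user` perform every access in `want` (subset of "rwx")?

    Simplified model: no capabilities, ACLs or MAC. Root bypasses the bits,
    except that executing still needs at least one x bit set somewhere.
    """
    if user.uid == 0:
        return "x" not in want or (inode.mode & 0o111) != 0
    # Exactly one class of bits applies: owner, else group, else other.
    if user.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in user.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    need = sum(_BIT[c] for c in want)
    return bits & need == need


def writable_by(user: User) -> list:
    """Paths in the sample filesystem that `user` may write to, sorted."""
    return sorted(p for p, ino in FS.items() if may(user, ino, "w"))


if __name__ == "__main__":
    for u in (ROOT, ALICE, BOB):
        print(f"{u.name:6} can write: {writable_by(u)}")
```

Read `writable_by(ALICE)` as the blast radius of something alice runs by mistake: her own files and the world-writable `/tmp`, nothing system-wide. That is the separation the answer credits Linux with; it is also why a user-level "delete everything in $HOME" program needs no exploit at all.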
If you are asking about the code being hijacked or malicious executables being added, the only method to remain truly safe (in a paranoid sense) is to manually check the source code and compile it yourself, in case the downloadable version has other malicious code.