Don’t believe these four myths about Linux security

Linux security mythsWe are well into the 21st century, but it is astonishing how people can still believe that Linux-based operating systems are completely secure. Indeed, “Linux” and “security” are two words that you rarely see together.

Just as some people believe Macs are immune to viruses, some Linux users have the same misconception – and who can blame them? After all, vendors have been telling them that for years.

In 2012, after an exponential rise of OS X malware (such as MacDefender and Flashback), Apple decided to change its homepage by removing sentences like “It doesn’t get PC viruses.”


It doesn’t get PC viruses.
A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part. 

Only recently, Red Hat also decided to (finally) remove the label “virus-free” from the feature overview of Fedora Linux.


Virus- and Spyware-Free
No more antivirus and spyware hassles. Fedora is Linux-based and secure.

Linux users are not OS X users, although when it comes to security many of them have the same misconception that the latter had a few years ago.

So, let’s destroy four common urban legends about Linux security.

1 Linux is invulnerable and virus-free.
“Linux is virus-free.” What does it even mean? Even if there were no malware for Linux – and that’s not the case (see for example Linux/Rst-B or Troj/SrvInjRk-A) – does this mean it is safe? Unfortunately, no.

Nowadays, the number of threats goes way beyond getting a malware infection. Just think about receiving a phishing email or ending up on a phishing website. Does using a Linux-based operating system prevent you from giving up your personal or bank information? Not at all.

And what about Heartbleed or Shellshock, or any other vulnerability of your choice? No, no system is invulnerable.

2 – Virus writers do not target Linux because it has a low market share.
Well, if it is true that Linux distributions (distros for short) have a low market share in the desktop landscape, the same cannot be said for other markets.

In the server landscape, Linux distros have almost 40% of the market share, while they hold a near-monopoly on supercomputers.

Finally, in the mobile landscape, Linux-based Android has the majority of the market share. According to Hugo Barra (Google’s Android VP of product management), in May 2013 there were 900 million Android devices.

3 – Windows malware cannot run on Linux.
Not exactly, truth be told. Although their number is still pretty low, there are more and more cross-platform threats. This is due to the multi-platform frameworks which are available nowadays also under Linux. Frameworks such as: Adobe Flash and Reader, Java, JavaScript, Perl, PHP, Python, Ruby, etc.

Just to give an example, in July 2012, we wrote about a multi-platform backdoor named Troj/JavaDl-NJ, which runs also on Linux.

Furthermore, Linux servers are often used to harbor Windows malware. When you click on a malicious link, the likelihood is that it directs you to a Linux server.

4 – On Linux you install software from software repositories, which contain only trusted software.
Beside the fact that social engineering is not the only way to get a malware infection, are you completely safe just because you use software repositories?

Let’s just take an example and search “How to install Java on Ubuntu.” You will immediately find tens or hundreds of step-by-step guides that suggest you add a particular PPA repository in order to install the latest version of Oracle Java (and as with Java, you will see the same pattern for many other software).

$ sudo add-apt-repository ppa:…

But who is the maintainer of those repositories? This clearly depends on the link you opened and on the repository that is suggested. But, in the case of Java, it is not Oracle itself. Which means that you do not really know if it’s a legitimate or a malicious repository.

Linux threats by the numbers

The number of “in the wild” threats for Linux-based operating systems is still way lower than threats for Microsoft Windows or Apple OS X.

However, the threats are real. For example, Linux-based web servers are constantly under attack. Just to give you some numbers – at SophosLabs we were seeing an average of 16,000-24,000 compromised websites a day in 2013.

The numbers don’t look any better today: during the first week of March 2015, we added detection for almost 190,000 new malicious URLs. Of these new malicious URLs, the number of unique malicious domains was over 70,000.

This means that, on average, we were recording around 27,000 new malicious URLs per day and over 10,000 malicious domains per day.

Canonical, which is one of the most security-aware Linux companies, is also keeping a (not so up-to-date) list of Linux malware:

Improve your Linux security posture

Most Linux distros come with some advanced security tools (although most of them are often pretty hard to configure – in other words, prone to misconfiguration).

So, if you are a tech-savvy Linux user, you should at least look at the basic security guidelines of your Linux distro.


I’ll be offering some security tips to protect your Linux desktops and servers in another blog post in the coming days – so make sure to follow our blogs and keep up to date with Sophos, SophosLabs and Naked Security on social media.

Sophos Antivirus for Linux 

Do you need antivirus on your Linux machines? In a word: yes.

One common objection to installing antivirus is that it can affect the machine’s performance. Fortunately, Sophos Antivirus for Linux has a small footprint and minimal impact on system speed. Basically, you won’t know it’s there – except, of course, when it detects and blocks a threat from infecting your machine or spreading to your users’ workstations.

The best thing about it, Sophos Antivirus for Linux is available now for FREE. Go try it out.

Paolo Rovelli works in SophosLabs as a software engineer in the systems development team.

31 thoughts on “Don’t believe these four myths about Linux security

  1. ” Does using a Linux-based operating system prevent you from giving up your personal or bank information? Not at all.”
    How does any OS preventing that? Completely unrelated.

    “Virus writers do not target Linux because it has a low market share.”
    You mean desktop market share. On the servers market share (where the really important stuff is done), Linux is the king.

  2. Well, you’re encouraging your readers to familiarize themselves with “basic security” guidelines for their distros, but the ones for Ubundu command them quite explicitly: “do not install antivirus, as you *really* don’t need it in Linux;unless you share files with Windows” and assure that “at the time of writing, there are no known viruses on the big bad web designed to target Linux. A few targeting Windows can execute in a manner that could allow compromise of a Linux system via an interpreter layer like Wine”. For what it’s worth, the time of writing (“last edited”) is 2012.

  3. it could be possible for Malware to be cross-plataform. But that doesn’t mean, it would work in all the OSes, E.g. say a windows virus deletes all the file in c:/windows/system32. In Linux, there is no system32.
    It seems to me, you’re trying to trick people into buying your software (i know, it’s free. But Sophos gains clearly something out of it, because it’s not open source!)

    • i would say “good job” for trying to look smart.. but no, not really. As if someone writing a payload to be cross-platform wouldn’t add the simplest ‘if/then’ to say ‘if windows, delete \windows\system32, else delete /boot’ smh.

      • The difference is not so much file paths, rather, underlying system differences… Super easy to escalate privileges on Windows, not so easy on Linux. It’s not a simple if/then, buddy. I can tell you know little about Linux. If something deleted /boot, who cares… Live boot and copy back… Antivirus is useless on Linux as malware does not function the same way.

  4. With so many Linux distros, it is hard to disregard the possibility that some of them by default have features, intentionally built in by their creators, to perform malevolent, hardly detectable functions, without the knowledge of a user. Privacy issues that have been raised regarding Windows 10, can hardly be surprising, given the prominence of the most popular desktop system but more obscure (even more popular distros) might never raise any suspicion among less tech-savy users.

  5. Our Linux teacher was mistakenly handing out viruses to all the students in our class.

    He didn’t know he was carrying viruses, as he used no antivirus, so when he was handing us software with distros to test, pretty much everyones laptop in the class got infected.

    When I complained, he agreed it was likely his doing by mistake (he wasn’t affected by the virus himself), so was unaware, but it just goes to show that everyone needs Anti-virus software. He became the Linux repository for viruses, so to speak.

    Just like a human body with no immune system, if you run into a virus that could affect you, you will be completely naked to it.

    Its common sense…

    • I agree with you. One great way for the teacher in question is to use an older, cheap machine booted up with a live linux based rescue disc (ClamAV, Sophos, AVG, Avira, Bitdefender, Kasperski, etc.) to scan and clean any media containing software he wants to hand out.

      I feel for him as I had this happen at a second hand computer store my friend owned. I helped out installing software on refurbished machines. As my system is Ubuntu, all those viruses (not downloaded by me btw but already present on the USB drives I was using) didn’t get run. I should have known better scanned the drives before sticking them into Windows machines.

      Still, installing antivirus software on your own Linux system, that’s just unnecessary. Use a live distro built for it so you use most resources to scan for viruses without losing capacity to having to run it together with your own system.

  6. I agree we Linux users should improve our security, for different reasons. There are many techinques nowadays to sandbox our apps in case they have vulnerabilities. Installing an antivirus is obsolete. The antivirus are innefective against the polymorphic viruses of the 21st century. And if you don’t want to infect windows users, all you have to do is delete the autorun.inf files that your usb disks gets whenever you plug it in a windows box.

  7. All good points. Also, nobody gets paid to break Linux (at least not like at Microsoft and Apple). Both Microsoft and Apple have large teams of engineers that are paid to constantly try to compromise their systems. Sure, white-hat hackers bring a lot of vulnerabilities to light, but this is far from an organized effort to harden specific aspects of an OS. The best thing that I used to say about Linux security is that, because of point 2 above, using Linux used to be a lot like flying under the radar. The bad guys just weren’t interested, because there was no way to make a big splash attacking Linux. But the nature and motives of attackers has evolved; it’s now more about what they can get than what they can do. The best thing about Linux is still the cost, but for my part, I find that many of the free applications are just not as robust as the commercial alternatives. Choosing Linux is almost like a lifestyle choice. If you’ve got the time, motivation, know-how and diligence to make (and keep) it secure, it’s a fine choice. I certainly have the background to do this, but I’m too focused on the work that I’m doing ‘on’ my OS to devote large swaths of my time to security ‘for’ my OS. Too bad, really; the basic design of Linux is far superior to products like Windows. In theory, Linux should be much more harden-able.

    • That’s not true at all. There are tons of bounties for finding Linux security flaws. Google once was offering 50,000 for root escalation on Chrome os, which is Linux based. Linux powers so many businesses… Do you really think Amazon, Intel, IBM, Google, etc. don’t have their own teams constantly checking for vulnerabilities? The fact is that they do and they contribute a lot of that work back to the community.

      • In addition Suse, openSuse, Fedora and Red Hat are all big business backed, and feed into the free versions. IBM, Novell, Red Hat, google and others have very large capabilities and vested interests in securing the platforms.

  8. One has to really try to get a virus on Linux. If you use safe repositories (which can be checked with very little effort), don’t run as root, install and use your firewall, and install software from untrusted sources, I defy you to become infected! The number of Linux and Mac viruses in the wild are still unbelievably tiny compared to Windows. Sorry, this is FUD.

  9. I have a product, how do I sell/popularize it? By scarring people with false claims. Good strategy.

  10. Trust your open-source-OS security on propietary software. It sounds like a pretty good strategy!

  11. Hi Sophos Guys, this what I have been advising my customers all the time, AV companies always making a statement that Linux is not safe. Chief, FYI Troj/JavaDl-NJ, when it attacks a PC where usually with Administrator privileges, it will just run when you click the “OK”. In Ubuntu or even Redhat, we have tested it; it will ask the user to key in the root password. So mostly for Linux users, it does make NOT any sense why I need to use root privileges for a typical Javascript to run, Hense Linux security is better.

    And for everybody here, Anti-Virus is Dead for Windows. No way Av can stop malware of virus anymore ( well unless they the one who created it). Update you AV to the latest update and please ensure you have the latest Window pacthes, let me send you a file and see whether I can have remote access to your window machine. Move to Linux or Mac OSX ( please don’t run as root/admin!). Just move.

    • Most Windows users are running as admin. Same for OS X. You can’t convince non-IT people to create a separate account, with a different password, which they need to enter each time they want to “do something”. Heck, I can’t even get my colleagues in IT to do it. If the basis of your argument is that “if they were on Linux, they wouldn’t have these other bad habits that are the real root causes of today’s horrible security issues”, well…

      • That’s not true. Almost all Windows and macOS users (it’s not called OS X any more) in the modern era have the right to promote themselves to an admin, but their accounts aren’t root all the time. Indeed, Windows 10 even has separate menu options for Command Prompt and Command Prompt (Admin).

        All the mainstream Linux distros I’ve tried lately automatically add the user you create at install time into the wheel group and enable that group to use sudo for any command, e.g. sudo su -. So you’re still only as safe as your own common sense and restraint on all platforms :-)

  12. This article is really a very poor representation of the state of Linux. It may be that the writer is sloppy or poorly informed but it’s a black eye for this to be on the site and it’s a sad piece for whatever it’s goal might be.

    In a nutshell, Linux is used on more devices that attach to the Internet than Windows is. You have to break it down by:

    – Desktop (Windows and then Apple lead), server (Linux absolutely dominates)

    – Mobile (tablets and phones — Android is linux, iPhone is iOS which is related to MacOS which is based on a Unix-like OS that has much in common with Linux, Windows is a tiny slice of this market)

    – Embedded (ktichen appliances, thermostats, printers, etc. — almost all run Linux) and

    – Media devices (Linux dominates with products like Tivo, streaming devices like Roku, smart TVs although Apple has a big footprint with Apple TV which runs iOS).

    Each of the above, Desktop, Server, Mobile, Embedded, and Media Devices have their own security challenges and threat vectors.

    Apple absolutely thrashes Windows on security — both how difficult the devices are to hack, how deeply security goes across hardware and software (Touch ID from Apple with the corresponding secure enclave on the CPU is both extremely secure and a superb way to enable increased levels of security across apps and data on the device), and in protecting your data on the device (Apple’s rules for iOS apps are driven by a strong security model).

    On the sever side, Linux absolutely crushes Windows on security. Windows machines have two main weaknesses — they have many vulnerabilities and, it’s easy to escalate privs that allows code to access anything on the machine.

    On mobile, Apple’s iPhones running iOS absolutely thrash Android. Android has issues with stock firmware at the BIOS level (which allows anyone to re-image the device with whatever OS they want e.g. Cyanogen), Android has issues with not being able to be updated easily which prevents patching, and Android does not have and end-to-end solution that stacks up to secure enclave + TouchID biometrics like Apple does. There are no instances of credit card fraud with Apple Pay. There’s a reason for that.

    Everything can be hacked but some things are inherently easier to compromise.

    Stepping back, I would say Redmond does not prioritize security like Apple. And Redmond does not have security as an inherent aspect of product design like Linux / UNIX does. Redmond knows their weaknesses but has not found a way to commit to security like they may have. Windows also has the issue that Apple has avoided of needing to run on 1000’s of different hardware devices each of which has standard firmware and may have Windows or 3rd party drivers. Linux has this same issue with 1000’s of devices to support but Apple does not. I think Apple writes it’s own BIOS, boot loader, and drivers with security and performance in mind. I don’t know if Apple does it’s own firmware for e.g. disk drives but, it’s coming if it’s not here now due to what’s been revealed about NSA this week with their hard drive firmware attacks.

    To be clear, NSA is attacking operating systems, encryption, Internet switches/routers, and firmware. Two of those things (Internet switches and firmware for hard drives) have nothing to do with operating systems.

    All FYI.

  13. A bad article by an inexperienced user. I’ve been working with Linux for over 10 years, both privately and professionally, and Linux is far more secure than they describe it here. Their embedded myths are the reality, which by no means describe something that does not exist. And the majority of all attacks on Linux were due to unsafe configured systems, not to general problems that made attacks possible. In addition, there is a very fast closure of safety gaps, which considerably hinders potential exploitation. Likewise, no system can be secure if you take a standard installation, and nothing else will do, nor protect your services, or even use unsafe passwords. Above all, Ubuntu-based systems are not, under the auspices of Canonical. In many respects, Ubuntu is incompatible with the source, has poor repository maintenance, uses Sudo in a highly uncertain way, splits from the community to go exotic dubious ways, and is a bad role model for what Linux can be. But Mir is a straightforward example of this nonsense. For years announced, and while Wayland is already being actively spread, Mir is just an immature concept. Likewise, Snappy compelling AppArmor to be half-safe, compared to Flatpak. In short, Canonical is a disgusting software shack that denies ways that no one wants to go seriously in mind.

    Even if Linux is significantly resistant to a variety of threats, it is important to say that real security always means work. There are so many ways to secure Linux, which are often not used, although they are easy to use. Not unnecessarily complex constructs like SELinux, or the semi-giant AppArmor, both with a kernel exploit away from the window, but primarily GrSecurity, as well as sandboxes, virtualization using Xen / KVM, Systemd, Firejail, Namespaces, seccomp-bpf, Linux-Capabilities and more. You should also always use LVM-Volumes, and create an effective Volume-Separation, as well as assigning your own security zones for each area. Here, Linux offers so much to come close to a security of 100~%, but it is hardly used. It is also impossible to speak of myths when the unique potential is simply not exhausted. So many security problems could have been prevented, whether in terms of servers, Android and more. But as long as the wrong people determine about security in companies, nothing changes. They do not pay for something that only costs money, and does not bring any visible yield.

  14. The argumentation here is just ridiculous. Basically each point is a blank joke. Take for example 4 – On Linux you install software from software repositories, which contain only trusted software. That’s actually a pretty good point in favour of linux. I have never heard of any malware being distributed via e.g. ubuntu repositories. Saying that you can principally add ppa repositories and that this makes linux less secure is really RIDICULOUS. If you allow anyone to execute an unknown software on your system with admin (i.e. root) permissions then any system gets insecure. Then you can also argue: Linux is not secure because when someone sees you typing in your password, then you are screwed. Or: Linux is not stable because the computer breaks when it has no electricity. Surely there are some basics that any user must fulfill. And in that regard 4. is just bullshit as allowing an unknown third party to allow arbitrary code with admin rights will always be dangerous. And there I actually see a plus for linux as adding a ppa is only possible in the command line and will thus only be used by advanced users (that hopefully know the danger) while for windows there isn’t any trustworthy source for software AT ALL.

    • You need to get out more :-)

      First, trusted software components (including the kernel itself, and ubiquitious libraries like OpenSSL) have frequently ended up both trusted and broken at the same time, sometimes with exploits that the crooks found first.

      Second, there have been at least a few surprising breaches at mainstream distros, where even complete ISOs have ended up replaced with malware.

      Here’s an example:

      And whether you like to hear it or not, there are many perfectly trustworthy sources for Windows software (such as Microsoft’s own Windows Store).

      No one is trying to dismiss your beloved Linux as fundamentally dangerous or insecure. But there’s a sort of “appeal to perfection” that seems to have taken root in a vocal minority in the Linux community. We’ve got a bunch of myths – myths that should have died out last century! – that have turned a statement such as “Linux can be made very secure with little effort” into an almost religious belief that “Linux is so secure by default that it makes thinking about security unnecessary”.

      If it really were as easy as you imply to run a sealed-and-secured Linux-based system, we wouldn’t have found the results we did in this research:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s