It’s been an apocalyptic year for Linux security, with a sophisticated Trojan and security holes over 20 years old. The Shellshock bug left Linux desktops and servers wide open for anyone to own. Security updates fixed these problems—but you may not even be getting those patches.
Security revelations in 2014 shattered the myth of Linux impenetrability. No, the sky isn't falling, and yes, Linux is still inherently more secure than Windows—but this year proved that Linux lovers still need to pay at least some attention to their system’s protection.
Turla’s been infecting Linux systems for years
Security researchers have known about a piece of malware called “Turla,” “Snake,” or “Ouroboros” for years. Turla is an extremely sophisticated piece of government-sponsored malware—one that appears Russian in origin. As usual, it was Windows malware.
But, this week, Kaspersky unveiled it had found a Linux version of Turla. This Trojan has been silently infecting Linux systems for years. It’s based on an open-source backdoor program called cd00r. Turla listens to network traffic and allows an attacker to run commands on the infected Linux system. Crucially, the Trojan doesn’t require root access—it just runs as your standard user account, so all the sudo and privilege restrictions used on the Linux desktop won’t hinder it. While it’s a network service, it’s clever enough to hide itself from the netstat tool so you won’t see it listening if you start looking at your network connections. Read Kaspersky’s blog post for the gory details.
This is terrifying for a few reasons. It demonstrates that, yes, Trojans can infect Linux systems. And, no, not having access to root won’t necessarily stop a piece of malware. All the interesting stuff like online banking happens under your user account, anyway.
Realistically, Turla probably isn’t infecting your PC. You’re probably not a target. As a government-sponsored piece of malware, Turla is designed to infect targets for purposes of surveillance or corporate espionage, not to steal your credit card number. But there’s been a Linux Trojan infecting computers around the world for years now. Yes, Linux Trojans are possible and do exist.
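The netstat point above is worth a closer look from the defender's side. netstat lists sockets bound to ports; a program that only sniffs traffic through a raw packet socket never binds a port, so netstat has nothing to show. Linux keeps its own list of packet sockets in /proc/net/packet, and /proc/<pid>/fd links each socket back to its owning process. The script below is an added example, not code from the article or from Kaspersky's report; it assumes a Linux /proc, and the table it is tested against is constructed.

```sh
#!/bin/sh
# Enumerate raw packet sockets (PF_PACKET) on a Linux host and map them to
# processes, independently of netstat. Added example; assumes /proc is mounted.

# Print the inode of every packet socket listed in a /proc/net/packet-format
# file (first argument; defaults to the live file). The header line is
# skipped and the inode is the last of the nine columns.
packet_socket_inodes() {
  awk 'NR > 1 && NF >= 9 { print $NF }' "${1:-/proc/net/packet}"
}

# For each packet-socket inode, find the PID(s) holding it open and print
# "pid comm inode". Reading other users' /proc/<pid>/fd needs root.
packet_socket_owners() {
  for inode in $(packet_socket_inodes "$1"); do
    for fd in /proc/[0-9]*/fd/*; do
      [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
      pid=${fd#/proc/}
      pid=${pid%%/*}
      printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$inode"
    done
  done
}

# Run as root for a complete picture: packet_socket_owners
```

Expect legitimate holders too (DHCP clients commonly use a packet socket, as does a running tcpdump); the value of the listing is that every entry can be accounted for.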
X.org has security issues going back 20+ years
Late last year, we learned there is a huge list of security vulnerabilities in the X.org graphical server and its libraries. Some of these security holes have been around for more than 20 years. The researcher who discovered these holes said X.org security was a disaster, and “it’s worse than it looks.”
This week, many of these security vulnerabilities were made public knowledge. Your Linux distribution should be rolling out security updates for your X.org server and proprietary NVIDIA driver shortly, if it hasn’t already. But, even after these patches, X.org security still doesn’t inspire much confidence.
X.org is such a big problem because it’s based on the X11 architecture, which originated 30 years ago. Thankfully, new graphical server technologies like Wayland and Ubuntu’s Mir are about to take X.org’s place.
Shellshock was terrifying for Linux desktop (and server) users
Remember Shellshock, a bug in the Bash shell used on Linux and other Unix-like systems? The advice from security experts at the time was that it didn’t affect desktop users. Windows PCs didn’t have Bash. Macs did, but it was only used by advanced users who went looking for it.
The situation was different on Linux desktops and servers, where Bash is used constantly. Terrifyingly, every DHCP request your computer makes was run through Bash. So, if you visited a compromised public Wi-Fi hotspot on your Linux laptop and connected to it, the DHCP server could give a response that would force your Linux system to run an arbitrary command—possibly downloading some sort of Trojan. Here’s an easy proof-of-concept attack.
Security updates quickly neutered the threat for desktop Linux users, but the Shellshock vulnerability was present in Bash for 20 years. Sure, we don’t have any indications of widespread attacks against Linux desktop users, but that’s not the point. The point is that Linux desktop systems were wide open. When Linux users gloat about how much more secure our systems are than those Windows desktops, we might want to remember how Shellshock affected us.
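Whether those updates actually reached your machine is something you can verify directly. The check below is an added example, not the proof-of-concept the article links to; it constructs a harmless environment variable shaped like an exported Bash function definition with a command appended, which is exactly the shape a DHCP client would hand to its Bash hook script after exporting server-supplied options as environment variables. It assumes bash is on the PATH.

```sh
#!/bin/sh
# Report whether the local bash still executes a command appended to a
# function definition imported from the environment (the Shellshock defect).
# Added example; the probe variable name is arbitrary and the value is
# constructed. Prints one of: vulnerable, patched, no-bash.
check_shellshock() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
  # On a vulnerable bash the trailing "echo vulnerable" runs while the child
  # shell imports its environment, before the -c command executes. A patched
  # bash keeps the value as an ordinary string and prints nothing extra.
  out=$(env probe='() { :;}; echo vulnerable' bash -c 'echo probe-ran' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# Usage: check_shellshock
```

This exercises only the original parsing defect the article describes; the follow-on Bash fixes released the same month are not covered, so your distribution's package update remains the authoritative answer.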
Are you even getting security patches?
Thanks to the way Linux packaging and software repositories work, you may not even be getting the security patches developers release. Sure, you’ll generally get them for your web browser and other important pieces of software that are considered “officially supported,” but what about the other packages the community is responsible for?
There are lessons to be learned from the ownCloud packaging mess in Ubuntu. This piece of server software wasn’t getting updates in Ubuntu. The community member who originally packaged it just decided to move on, leaving the ownCloud package orphaned and vulnerable.
And that’s just with Ubuntu. Be careful if you’re using one of the smaller, niche Linux distributions. The Arch Linux-based “Manjaro” distribution hasn’t been receiving timely security updates like it should. This is understandable if you’re using a small distribution and the developers are working on it as a hobby, but it’s something to watch out for… and a risk to actual users.
Linux system security is broken, but so is everything else
So your Linux system isn’t as secure as you thought it was. Well, that’s not really an attack against Linux in particular. All computer security is pretty bad. As Quinn Norton titled her excellent rant on the subject, “Everything is Broken.” Yes, even Linux, and—more importantly—all the software programs you have to put on top of Linux to get a functioning system.
Linux will continue to have nasty security holes, but again: the sky isn’t falling. Your Linux system is still far more secure than the average Windows desktop. Attackers are more interested in targeting the larger Windows install base. And Linux does have a great security architecture Windows lacks, too—simply getting most of your programs from a centralized software repository instead of a gaggle of websites helps a lot.
No, you don’t need to start running antivirus software on your Linux system, but be aware: You’re not perfectly safe on Linux, or any other system.
Like all those Windows and Mac systems out there, your Linux system is full of security holes. We just haven’t found them all yet. Be humble when talking about Linux’s security or you may find yourself with egg on your face when the next Shellshock bug blows up.