Showing posts with label CVE. Show all posts
Showing posts with label CVE. Show all posts

Monday, October 19, 2020

Why Linux is safer than Windows and MacOS

 Linux is often mentioned as more secure than Windows and Macs. Let's learn why.
Photo by Philipp Katzenberger on Unsplash

On previous posts, we discussed why use Linux, why developers love Linux and understood how can Linux be free. Since one of the fantastic benefits to run Linux lies in its security model, let's understand  how that works and learn why Linux is indeed safer than Windows and MacOS.

Open-source code

Among the many reasons, being open-source by nature is definitely one of the most important reasons Linux is safer. Due to the openness imposed by open-source software, the code is frequently inspected by security researches who report vulnerabilities back to developers who fix them as fast as possible so that the fix gets to users before the threats. This constant cycle makes Linux more battle-tested resulting in less exploitable security flaws.

Enterprise-Grade security

Since how critical Linux is for the functioning of the internet today, there are lots of eyes on its security model. Government agencies like the NSA and others collaborate to build enterprise security tools like SELinux and AppArmor. But Linux's enterprise-grade security goes beyond that. In fact, there are multiple reasons that make if more more secure then other systems, including some features we'll see next such as a security-aware architecture, frequent updates, native disk-encryption, encrypted virtual machines, integrity sub-systems that can be used to detect if a file has been altered and encrypted data at rest.

A hardened permission model

Differently from Mac and Windows, Linux users run on a low permission level called Discretionary access control (DAC) which restricts access to objects based on the identity of subjects and/or groups to which they belong. This feature makes  the system less exposed to viruses or ransomware which will most likely have little impact on your system. On top of that, kernel level monitoring tools like SELinux and AppArmor monitor application and block suspicious activities if necessary.

Kernel-level Security

There are multiple other security features at the kernel level including DAC (previously mentioned), POSIX ACLs, Namespaces (that limit the resources available to a program), Linux Security Modules (LSM) which implement hooks at all security-critical points within the kernel, Linux IMA (Integrity Measurement Architecture), a subsystem that integrates with the Linux kernel to validate hashes of files before their contents are accessed, and a cryptographic API is provided for use by kernel subsystems.

Network-level Security

Linux's networking stack is really powerful and traffic passing between the interfaces has to adhere to networking policies. Kernel-level modules may hook into frameworks to examine packets and make security decisions about them. On this space, Netfilter and iptables are very common.

Enterprise-grade Cryptography

Linux counts with a cryptographic API that can be used by the kernel. It provides support for the most popular and widely used cryptographic algorithms and support for IPsec, disk encryption via ecryptfs and dm-crypt, and kernel module signature verification.  Linux was also one of the first systems to gain support for hardware-based encryption.

Static code analysis

Linux distributions are have also the source code automatically scanned via static code analysis tools. These tools identify errors in programming, memory reference and input stream validation to ensure compliance with coding best practices.

Secure default compiler flags

Special compiler flags are used when compiling Linux code. These flags use Position Independent Execution (PIE) and Relocate Read-Only Object (RELRO) functionality to run applications and assign memory segments in a nonpredictive manner. This helps to prevent stack smashing, mitigate memory corruption, and provide control flow integrity hardware support.

Quick response to CVEs

Most Linux distributions have a dedicated team of security experts reacting fast to threats. With that, Linux users are usually the first to get fixes for CVEs (critical vulnerabilities). But it goes beyond that. The open-collaboration model previously mentioned fosters collaboration between a network of security researchers and organizations so that as soon as the fix is ready, it can be distributed in parallel by multiple vendors to their clients.

Open collaboration

Open-source code also fosters open collaborations. Developers and security researches from different organizations throughout the world openly collaborate, frequently pushing fixes and security patches to your system as often as necessary. This collaboration model results in less exploitable security flaws and more secure systems.

Frequent and Automatic updates

Linux distributions are frequently updated meaning that you will be getting the latest security, software and kernel fixes. These are usually the holes crackers explore to target you and your company. Getting updates quickly is also important to mitigate zero-days.

Less viruses, less ransomware, less threats

Despite still being subject to viruses and ransomware, the previously mentioned features combined with a significant smaller percentage threats of make Linux much safer than Windows and Macs (but not immune). And Linux also has anti-viruses if the system administrators need need too.

Curated repositories

The easiest way to install software on your Linux is by using its own repositories. These repositories are curated and are less prone to have viruses since they usually only contain open-source software that has been reviewed by a wider audience.

Native disk-encryption

Most distributions offer native disk encryption during the installation. Native disk-encryption is essential today as users frequently transport their devices out of the company's secured space. If lost or stolen, the only way to access the data would be by entering the encryption password.

Robust Integrated Firewall

Linux also comes with enterprise grade firewall set to block suspicious activities automatically. These policies are also updated regularly with the rest of the system so your system gets protected as soon as the organizations release  

Millions of hours of review

Overall, each of the items discussed previously account in in-depth review for specialized professionals. Cumulatively they mean literally millions of hours spent by experienced professionals reviewing not only the software you run but also battle-testing it.

Thousands of hours of test

And finally, before reaching your workstation, a big community of specialized technicians (and volunteers) test the tools you'll use. They're the last to ensure that not only you'll run safer software but, differently from other systems, updates and upgrades won't break your system.

Long-Term Support (LTS)

Differently than proprietary software, enterprise Linux distributions offer long-term support (LTS), a product life-cycle management policy in which a stable release of computer software is maintained for a longer period of time than the standard edition. Usually 10 years for RHEL, SUSE, CentOS and Ubuntu LTS. This initiative definitely reduces risks for organizations that prefer (or have) to run software for longer as their systems will keep receiving security updates.


On this post we reviewed how a multitude of security features from the kernel (the core of the operating system) to the user space make Linux is more secure than Windows and MacOS. Excited to try out Linux? There's lots more to learn more about Linux on this site and around the web. Feel free to explore!

See Also

Featured Article

Free Software, Open-Source, Libre, FOSS and FLOSS: what are the differences?

Are these just different names for the same thing? Or there are differences? Photo by Romain Vignes on Unsplash We have been discussing...

Popular this Week