Is open source software vulnerable to viruses?


Solution 1

Open source is not inherently safer. It might be a little bit, due to the following reasons:

  • Potentially more people look at the code, so bugs allowing for security vulnerabilities are more easily spotted. (Also, it's not true that open source means attackers can just slip in hacks, as some people might be led to think - code is still checked before being included in any project. Unless of course the project itself is malicious.)
  • An openly governed project creates an ethos of contributing back, e.g. when a security flaw is found, this is reported (and subsequently fixed), rather than exploited.
  • The creators of an open source project often have no incentive to deny that vulnerabilities exist until a fix is found -- the more people know about it, the more likely it is someone will know how to fix this.

This will only marginally make it safer, though, since bugs will still exist and people will be using their powers for Bad rather than Good.

When it comes to Ubuntu and all other Linux distributions, though, fact is that it has been designed from the ground up from a multi-user perspective, with one user being able to make modifications to the system and the rest only being allowed to change what's relevant to them - in Windows this was rather tacked on later on (though probably works pretty well by now (Windows 7)).

Still, one could easily write a virus that removes all of a user's personal files. The biggest reason for there being no virus for Ubuntu, is simply that it has a really, really small market share. Thus, there is little to gain and little incentive for a hacker to go through the extra trouble of supporting Ubuntu when they could just target Windows and gain a lot. That, and users of Linux are often more well-versed technically, so would be less likely to install something of which they do not know what it does (though then again, the absence of viruses may lead them to trust everything they download).

(Then again, Ubuntu's update model, among others, is much better than Windows's, meaning that fixes for vulnerabilities can be distributed far quicker.)

Solution 2

It's not that they couldn't exist. It's that by and large they don't.

The security model being a little more complicated on most open source systems and the peer review of code by other developers both lead to this.

Here's an example:
For closed source applications -
You're developing an application, and you use some Windows library. It crashes when you pass it an incorrect parameter. You tweak your application to pass the parameter properly so it works and move on.

Same scenario for open source applications -
You're developing an application, and you use some Linux library. It crashes when you pass an incorrect parameter. If you think the way you passed it is sane, you see why it crashed and submit a bug-report to the library package with a patch to make it work as anticipated. If you think the way you passed it was wrong, you see why it crashed and submit a bug-report to the library package with a patch to make it sanitize that input.

See the difference in the outcome on the two scenarios?

And why not an antivirus?
The best answers I can come up with on why not antivirus are this, this, and this. Anti-virus has a place, but it's not a solution.

Solution 3

In addition to what everyone else has said, what it comes down to is this:

Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.

In plain English:

given enough eyeballs, all bugs are shallow

Via wikipedia

As such, since all security issues are bugs, this applies.

In addition, antivirus is a last-minute defense: If the virus/security flaw got to your system, something else is dangerously wrong. With open source, you have more flexibility with finding out who, what, where, when, why and how it got to that point.

Solution 4

Firstly, I'd like to clarify that not all FOSS software is virus proof.

The amount of viruses and bugs in a program depends on the developer and the community.

But FOSS software has a better resistance to viruses in the following way.

Let me give you an example

Closed source:

  • X closed source software has Y company maintaining it

  • X software gets a virus/bug

  • Y company now has to have its employees to look into the issue because the community does not have the source code, which usually takes some time

  • Bugfix by Y company

Open Source

  • X open source software has Z community maintaining it, along with Y Developer/Company

  • X software gets a virus/bug

  • Y company/developer tries to work it out along with Z community

  • Bugs get fixed faster

So, the security of FOSS software depends on the strength and willingness of the community to help in development and maintaining

Solution 5

If you are asking about the code being hijacked or malicious executables being added, the only method to remain truly safe (in paranoia) is to manually check the source code and compile it yourself in case the downloadable version has other malicious code.


Author: Ranjit Shinde

Updated on September 18, 2022

Comments

  • Ranjit Shinde over 1 year

    I understand the ideas behind open source software, but I am more interested in the security aspects. How is open source software not exposed to viruses or any kind of Internet attack? How does it stay secure over time? I have heard that open source software is prone to attacks, but the chances are less than Windows-based software. I am unclear about this.

    And why do some Linux users not use an antivirus?

    • Amith KK about 12 years
      This probably belongs on IT Security SE :D.
    • Ranjit Shinde about 12 years
      Ya even I thought so after posting here but it's totally abt Ubuntu which I am using that's y and a very basic question I thought...well let's c :)
    • FabienAndre about 12 years
      duplicate askubuntu.com/questions/33707 (which have been closed as off-topic...)
    • Ranjit Shinde about 12 years
      @Everyone ...Thanks a lot... that really cleared a lot of things
  • Ranjit Shinde about 12 years
    @asking1012 Oh k...I get it but is it just bug reporting that is keeping the virus away? I am not clear still...I didn't get a proper answer from experts that's the reason I posted it here in a forum... it may sound a bit silly but I need an answer still :) thanks for the example anyways.
  • RobotHumans about 12 years
    Difference being that on the Linux side, the bug gets fixed. On the non-OSS side the bug gets worked around
  • Ranjit Shinde about 12 years
    Oh k thanks so you also vote it as bug fixing ...hmmm :)
  • Ranjit Shinde about 12 years
    Oh k :) But we don't have any anti virus rt? That's for sure?
  • nanofarad about 12 years
    @bebojoor ClamWin is a good, open-source Ubuntu antivirus. While there are few anti-viruses for Linux, Linux is written (with sudo and AppArmor) to be more resistant to viruses, lessening the demand. However, you may wish to scan for viruses if you will be using files both on Windows and Linux, or if you are giving files to your Windows acquaintances, just to be sure.
  • Ranjit Shinde about 12 years
    ...That made it more clear. :)
  • Ranjit Shinde about 12 years
    That was exactly the direction I wanted this discussion to continue. Thanks a lot for the answer. That is what I also thought, since Ubuntu distributions are open source, how is it that hackers do not take advantage of it. hmmm really what I wanted. +2 vote up :)