Analysts: Security flaws won’t undermine Linux

Although two potential security vulnerabilities affecting the Linux operating system have surfaced in the past three weeks, analysts and two users say the incidents won’t erode confidence in Linux as a secure and economical alternative to Windows and Unix.

“I don’t think we have any concern in particular about [choosing] Linux,” said Matt Fahrner, manager of network services for Burlington Coat Factory Warehouse Corp. The Burlington, N.J.-based retailer of clothing and other consumer goods moved to Linux for much of its retail IT infrastructure in 2000.

Fahrner said he found the Linux community to be far more responsive than traditional, proprietary operating system vendors when security issues have cropped up, issuing fixes and patches quickly and publicly.

“We haven’t found [the news of vulnerabilities] as something that now dissuades us from the operating system,” he said.

Last week, a security flaw affecting Linux was found in the widely used zlib file compression library, which helps speed network file transfers. The flaw in a memory allocation routine could provide a path for an attacker to send malicious code and take root control of the machine.

Three weeks ago, a vulnerability was reported in a Netfilter firewall component used in various versions of the Linux kernel that could result in open ports that would allow intrusions by hackers.

“There’s a period of shakeout that every [operating system] goes through,” said Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston. “I don’t think this will cause people to say, ‘Oops, this isn’t what we thought it would be.'”

Many other widely used operating systems, including IBM’s mainframe software, commercial Unix products and Microsoft Corp.’s Windows NT, have “gone through a period of security vulnerability issues, but they’ve been resolved,” Hemmendinger said. “IBM went through this period, and they put it behind them.”

Brian Dewey, a network engineer at retailer Raymour & Flanigan Furniture Co. Inc. in Syracuse, N.Y., said the recent zlib and Netfilter issues haven’t caused him any worries about his use of Linux for point-of-sale terminals in 50 stores and in firewall and other back-end systems. Dewey said he’s satisfied that fixes are posted in short order to help users. His company, which has used the operating system for two years, is installing the zlib patches and updating Red Hat Inc. versions from 6.2 to 7.2.

Alan Paller, research director at the SANS Institute, a Bethesda, Md.-based nonprofit security group, said it’s not a surprise that more vulnerabilities are showing up in Linux, since the operating system is being used more widely in corporate computing. The larger deployment of the operating system means more problems are likely to be seen in larger numbers, Paller said.

Dan Kusnetzky, an analyst at IDC in Framingham, Mass., said the true measure of the problem is not whether security issues crop up, but how quickly they’re resolved.

“There is no such thing as an unbreakable product,” Kusnetzky said. Instead, users are more interested in whether their Linux vendors take quick action to announce and post fixes for new vulnerabilities, he said. “The fact that something has shown up is not a major negative [for Linux].”