(Chad Perrin, TechRepublic)There’s a lot of debate over what constitutes a “secure” operating system. The debates seem to become most heated when people compare the Big Three of home desktop OSes — Microsoft Windows, Apple MacOS X, and the Linux family of operating systems. Of course, it’s difficult to convincingly offer a definitive declaration that any given operating system is “more secure” than another.

OpenBSD is rightly proud of its record of only two identified remotely exploitable vulnerabilities in default configuration through its entire stable release history, but even this is not proof positive that an OS is the “most secure”, considering that security needs change from one system deployment to another.

Ultimately, any of the widely used general purpose OSes can theoretically be compromised. The recent popularity of virtual machines, allowing one to simultaneously run multiple virtual computers on a single physical hardware platform, has provided hints of one particular threat that may apply even to an OS running outside of the controlled environment of a virtual machine: compromise by altering the OS image in memory during boot. This kind of danger has become something of a common bogeyman for VM users, as they worry that some piece of malware may be able to break free of the limits of the VM, and affect the OS in ways that have not previously been a concern for operating system installs on “bare metal”.

In theory, however, there is no specific reason something similar cannot be done to a system running without the virtual machine environment, as long as malicious security crackers can find ways to access the machine’s boot process itself. This may be prohibitively difficult to achieve remotely, at this time at least, but it presents a very worrisome state of affairs for cases where a security cracker may have physical access to the computer.

In the case of Microsoft Windows and certain Linux distributions, this concern is not just theory. It is also a very concrete reality. Piotr Bania has put together a proof of concept, a boot compromise tool called Kon-Boot, which so far has been tested and confirmed to work on at least four Linux distribution releases and a slew of common MS Windows releases.