20030218 Windows vs. Linux Security Vulnerability Comparison

Security Vulnerability Comparison
Linux vs. Windows
Technical Business Unit
Microsoft Korea
MITRE Security Vulnerabilities in 2002
[Pie chart: MS 35%, OSS 65%]

According to the study, more than 380 CAN/CVE entries were added to the vendor list in 2002.

More than two-thirds of all CAN entries affect OSS (Open Source Software).
CAN: Candidate for CVE status
CVE: Common Vulnerabilities and Exposures
Total entries found: 386
http://www.cve.mitre.org/cve
SQL Server 2000 vs. Oracle 9iAS
[Timeline chart, 2000-2002: SQL Server 2000 service-pack milestones (SP0 released 8/31/2000, SP1, SP2, chart ending 12/31/2002) with the dated Microsoft security bulletins MS00-092 through MS02-061 plotted along the SQL Server track, and the dated CAN/CVE entries for Oracle 9iAS (2001-2002) plotted along the Oracle track; individual bulletin numbers and CAN identifiers omitted.]
Oracle 9iAS - Enterprise Edition - 32 Security Issues
SQL Server 2000: 15 security patches, 2 minor version upgrades
http://otn.oracle.com/deploy/security/alerts.htm
IIS 5 vs. Apache
Apache: 15 version upgrades due to security problems
IIS: 26 patches and 4 version upgrades due to security problems
A large number of version upgrades, rather than patches, is an area that adds to the burden of system maintenance for administrators.
Exchange 2000 vs. Sendmail
[Timeline chart, 2000-2002: Exchange 2000 SP0 (8/31/2000) through SP3 on one track against Sendmail releases 8.11.0 through 8.12.6 on the other, each marked with its dated CAN/CVE entries. Labelled Sendmail items: CERT CA-2002-28 "Trojan Dist" (10/8/2002), CAN-2002-1165 (smrsh, 9/27/2002), CAN-2002-0906 (buffer overflow, 8/16/2002); remaining identifiers omitted.]
Exchange 2000: 8 security issues, 3 minor version upgrades
Sendmail 8.11.x-8.12.x: 6 security issues, 14 minor version upgrades, 1 trojan horse found
http://www.cert.org/advisories/index.html
http://www.sendmail.org/ftp/RELEASE_NOTES
ISA Server 2000 vs. Squid
[Timeline chart, 12/18/2000-12/31/2002: ISA Server 2000 SP0 and SP1 on one track against Squid releases 2.3.S4 and 2.4.S1 through 2.5.S1 on the other, each marked with its dated CAN/CVE entries; identifiers omitted.]
ISA Server 2000: 5 security issues, 1 minor version upgrade
Squid: 12 security issues, 12 minor version upgrades
http://www.squid-cache.org/Versions/v2/
Linux Distributions Lag Behind OSS
67 days between announcement and updated package
[Timeline chart, 1/1/2002-12/31/2002: Sendmail releases 8.12.1 through 8.12.6 with labelled issues "dropping group privs - bogus data" (from 10/1/01), "unix file locking DoS" (6/3/2002), "DNS map BO" CAN-2002-0906 (6/25/2002), "SMRSH" CAN-2002-1165 (10/1/2002) and "Check relay" (12/3/2002); Red Hat packages on the lower track: 8.11.6-3.i386.rpm / RH 7.2 (1/1/2002), 8.11.6.15.i386.rpm / RH 7.3, 8.12.5-7.i386.rpm / RH8.]
Sendmail 8.11.x-8.12.x. Five security-related issues cited.
Red Hat Packages. No security bulletins issued.
Vulnerabilities by Year
All CVE's: 1/1999-6/2001
[Bar chart, two panels, years 1999-2001. Left panel "All vulnerabilities in Windows and Unix": series Unix Products and Windows Products, y-axis 0-140. Right panel "Microsoft and Linux": series Linux Only and Microsoft Only, y-axis 0-50.]
Benefits of Microsoft's Responsible Disclosure Method

In 2002, responses to security-related issues were completed within an average of two weeks, which is at least two weeks faster than the response time for the Linux product families.
[Bar chart "Average time to provide a security patch": vendors Microsoft, Red Hat, Mandrake, SuSe, Debian, FreeBSD; y-axis 0-80; bar values 69, 61, 30, 23, 23 and 14 (vendor-to-bar assignment not recoverable from the transcript).]