보안 취약점 비교 linux vs windowseconomicslab.tistory.com/attachment/cfile2… · ppt...

보안 취약점 비교Linux vs. Windows

기술 사업부( 주 ) 한국마이크로소프트

MITRE Security Vulnerabilities in 2002

연구 결과에 따르면 380 개 이상의 CAN/CVE 항목이 2002 년 벤더 목록에 추가되었음 .

전체 CAN 항목중 2/3 이상이 OSS(Open Source Software) 에 영향을 줌

CAN: Candidate for CVE statusCVE: Common Vulnerabilities and Exposures

총발견 갯수 : 386 개http://www.cve.mitre.org/cve

OSS65%

MS35%

SQL Server 2000 vs. Oracle 9iAS

8/31/2000 12/31/2002

SP0 SP1 SP2

10/1

6/20

02M

S02

-061

10/2

/200

2M

S02

-056

8/14

/200

2M

S02

-043

7/31

/200

2M

S02

-040

7/24

/200

2M

S02

-039

MS

02-0

38

7/10

/200

2M

S02

-035

MS

02-0

34

6/12

/200

2M

S02

-030

4/17

/200

2M

S02

-020

2/20

/200

2M

S02

-007

12/2

0/20

01M

S01

-060

7/26

/200

1M

S01

-041

6/12

/200

1M

S01

-032

12/1

/200

0M

S00

-092

SQL Server 2000 : 15 security patches, 2 minor versionupgrades

6/15/2001 12/31/2002

11/4

/200

2C

AN

-200

2-12

64

10/9

/200

2C

AN

-200

2-11

18

7/17

/200

2C

AN

-200

2-10

89

6/12

/200

2C

AN

-200

2-09

65C

AN

-200

2-09

47

8/12

/200

2C

AN

-200

2-08

58

4/16

/200

2C

AN

-200

2-05

71

2/6/

2002

CA

N-2

002-

0569

CA

N-2

002-

0568

CA

N-2

002-

0567

CA

N-2

002-

0566

CA

N-2

002-

0565

CA

N-2

002-

0564

CA

N-2

002-

0563

CA

N-2

002-

0562

CA

N-2

002-

0561

CA

N-2

002-

0560

CA

N-2

002-

0559

3/28

/200

2C

AN

-200

2-05

09

10/2

8/20

02C

AN

-200

2-03

86

1/7/

2002

CA

N-2

002-

0103

12/2

8/20

01C

AN

-200

2-01

02

9/17

/200

1C

AN

-200

1-13

72

2/6/

2002

CA

N-2

001-

1371

Oracle 9iAS - Enterprise Edition- 32 Security Issues

7/16

/200

1C

AN

-200

1-13

21

12/2

1/20

01C

AN

-200

1-12

16

7/16

/200

1C

AN

-200

1-09

757/

16/2

001

CA

N-2

001-

0974

11/3

0/20

01C

AN

-200

1-09

41

10/2

3/20

01C

AN

-200

1-08

32C

AN

-200

1-08

31

8/2/

2001

CV

E-2

001-

0833

http://otn.oracle.com/deploy/security/alerts.htm

6/15

/200

1C

AN

-200

1-05

16

2002

8/13

/200

2C

AN

-200

2-08

568/

14/2

002

CA

N-2

002-

0857

8/2/

2001

CA

N-2

001-

1041

IIS 5 vs. Apache

패치가 아닌 버전 업그레이드가 많다는 의미는 관리자들의 시스템 유지 보수에 부담을 주는 영역이다

Apache : 보안 문제로 인한 15 회 버전 업그레이드IIS : 보안 문제로 26 회 패치 , 4 회 버전 업그레이드

IIS 5 vs. Apache

Exchange 2000 vs. Sendmail

8/31/2000 12/31/2002

SP2SP1 SP3SP0

11/1

6/20

00C

VE

-200

0-11

39

3/1/

2001

CA

N-2

001-

0146

CA

N-2

001-

0337

6/6/

2001

CV

E-2

001-

0340

7/26

/200

1C

AN

-200

1-05

09

9/26

/200

1C

VE

-200

1-06

66

2/7/

2002

CA

N-2

002-

0049

5/29

/200

2C

AN

-200

2-03

68

Exchange 2000: 8 security issues, 3 minorversion upgrades

8/31/2000 12/31/2002

8.12.68.12.58.12.3

http://www.sendmail.org/ftp/RELEASE_NOTES

8.12.28.12.18.12.08.11.0 8.11.1 8.11.2 8.11.3 8.11.4 5 6

9/27

/200

2C

AN

-200

2-11

65-s

mrs

h

8/16

/200

2C

AN

-200

2-09

06-

buff

over

flow

9/25

/200

1C

AN

-200

1-07

13C

AN

-200

1-07

14C

AN

-200

1-07

15

10/8

/200

2C

ER

T C

A-2

002-

28 T

roja

n D

ist

Sendmail 8.11.x-8.12.x: 6 security issues, 14 minorversion upgrades, 1 trojan horse found

http://www.cert.org/advisories/index.html

2002

5/28

/200

1C

AN

-200

1-13

49

ISA Server 2000 vs. Squid

12/18/2000 12/31/2002ISA Server 2000 : 5 Security issues,1 minor version upgrade

12/18/2000 12/31/2002Squid : 12 security issues,12 minor version upgrades

SP1

6/11

/200

2C

AN

-200

2-03

71

2.3.S4 2.4.S1 2.5.S1

http://www.squid-cache.org/Versions/v2/

2002

2.4.S2 2.4.S3 2.4.S4 2.4.S6 2.4.S7

9/21

/200

1C

VE

-200

1-08

43

7/18

/200

1C

VE

-200

1-10

30

1/12

/200

1C

VE

-200

1-01

42

SP0

4/16

/200

1C

VE

-200

1-02

39

8/16

/200

1C

VE

-200

1-05

46C

VE

-200

1-05

47C

VE

-200

1-06

58

6/4/

2002

CA

N-2

002-

0916

5/6/

2002

CA

N-2

002-

0735

7/15

/200

2C

AN

-200

2-07

13C

AN

-200

2-07

14C

AN

-200

2-07

15

3/26

/200

2C

AN

-200

2-01

63

2/21

/200

2C

AN

-200

2-00

67C

AN

-200

2-00

68C

AN

-200

2-00

69

Linux Distributions Lag Behind OSS

1/1/2002 12/31/2002

8.12.68.12.58.12.48.12.3

Sendmail 8.11.x-8.12.x. Five security-related issues cited.

1/1/2002 12/31/2002

8.12.1 8.12.2

8.11.6-3.i386.rpm / RH 7.2 8.11.6.15.i386.rpm / RH 7.3 8.12.5-7.i386.rpm / RH8

Red Hat Packages. No security bulletins issued.

12/3/2002Check relay

dropping group privs - bogus data(from 10/1/01)

6/3/2002unix file locking DoS

6/25/2002DNS map BO

CAN-2002-0906

10/1/2002SMRSH

CAN-2002-1165

67 days between annoucement and updated package

연도별 취약점 발생 현황All CVE’s : 1/1999-6/2001

Windows 와 Unix 의 모든 취약점 마이크로소프트와 Linux

126

85

2836

51

80

20

40

60

80

100

120

140

1999 2000 2001

Unix ProductsWindows Products

30

45

1516 14

6

05

101520253035404550

1999 2000 2001

Linux OnlyMicrosoft Only

Benefits of Microsoft’s Responsible Disclosure method

2002 년에 보안 관련 문제로 인한 대처가 평균 2 주 이내에 이루어 졌으며 , 이는 Linux 제품군에 비해 최소 2 주 이상 빠른 대응이다 .

보안 패치 제공 평균 소요 시간

14

23 2330

6169

0

10

20

30

40

50

60

70

80

Microsoft Debian SuSe FreeBSD Mandrake Red Hat

보안 취약점 비교 linux vs windowseconomicslab.tistory.com/attachment/cfile2… · ppt...

Documents