Security Vulnerability Comparison: Linux vs. Windows (ppt, economicslab.tistory.com/attachment/cfile2…)
Technology Business Division, Microsoft Korea
MITRE Security Vulnerabilities in 2002
According to the study, more than 380 CAN/CVE entries were added to the vendor list in 2002.
More than 2/3 of all CAN entries affect OSS (Open Source Software).
CAN: Candidate for CVE status. CVE: Common Vulnerabilities and Exposures.
Total found: 386 (http://www.cve.mitre.org/cve)
[Pie chart: OSS 65%, MS 35%]
SQL Server 2000 vs. Oracle 9iAS
[Timeline chart, 8/31/2000 - 12/31/2002: SQL Server 2000 service packs SP0, SP1, SP2 and Microsoft security bulletins MS00-092 (12/1/2000) through MS02-061 (10/16/2002)]
SQL Server 2000: 15 security patches, 2 minor version upgrades
[Timeline chart, 6/15/2001 - 12/31/2002: Oracle 9iAS CAN/CVE entries, CAN-2001-0516 (6/15/2001) through CAN-2002-1264 (11/4/2002)]
Oracle 9iAS - Enterprise Edition - 32 Security Issues
http://otn.oracle.com/deploy/security/alerts.htm
IIS 5 vs. Apache
Many version upgrades rather than patches means a greater burden on administrators' system maintenance.
Apache: 15 version upgrades due to security issues. IIS: 26 patches and 4 version upgrades due to security issues.
Exchange 2000 vs. Sendmail
[Timeline chart, 8/31/2000 - 12/31/2002: Exchange 2000 service packs SP0 through SP3 and CVE/CAN entries, CVE-2000-1139 (11/16/2000) through CAN-2002-0368 (5/29/2002)]
Exchange 2000: 8 security issues, 3 minor version upgrades
[Timeline chart, 8/31/2000 - 12/31/2002: Sendmail releases 8.11.0 through 8.12.6 and security issues CAN-2001-1349 (5/28/2001), CAN-2001-0713/0714/0715 (9/25/2001), CAN-2002-0906 buffer overflow (8/16/2002), CAN-2002-1165 smrsh (9/27/2002), plus CERT CA-2002-28 trojaned distribution (10/8/2002)]
Sendmail 8.11.x-8.12.x: 6 security issues, 14 minor version upgrades, 1 trojan horse found
http://www.sendmail.org/ftp/RELEASE_NOTES
http://www.cert.org/advisories/index.html
ISA Server 2000 vs. Squid
12/18/2000 - 12/31/2002, ISA Server 2000: 5 security issues, 1 minor version upgrade
[Timeline chart: ISA Server 2000 SP0, SP1 and CVE/CAN entries]
12/18/2000 - 12/31/2002, Squid: 12 security issues, 12 minor version upgrades
[Timeline chart: Squid releases 2.3.S4, 2.4.S1 through 2.4.S7, 2.5.S1 and CVE/CAN entries]
http://www.squid-cache.org/Versions/v2/
Linux Distributions Lag Behind OSS
1/1/2002 - 12/31/2002, Sendmail 8.11.x-8.12.x (releases 8.12.1 through 8.12.6): five security-related issues cited.
1/1/2002 - 12/31/2002, Red Hat packages (8.11.6-3.i386.rpm / RH 7.2, 8.11.6.15.i386.rpm / RH 7.3, 8.12.5-7.i386.rpm / RH8): no security bulletins issued.
Issues on the Sendmail timeline:
- 12/3/2002: check relay
- Dropping group privileges with bogus data (from 10/1/01)
- 6/3/2002: Unix file locking DoS
- 6/25/2002: DNS map buffer overflow, CAN-2002-0906
- 10/1/2002: smrsh, CAN-2002-1165
67 days between announcement and updated package
Vulnerabilities by Year: All CVEs, 1/1999-6/2001
[Bar chart, all vulnerabilities in Windows and Unix, by year 1999-2001: Unix Products vs. Windows Products, y-axis 0-140]
[Bar chart, Microsoft and Linux, by year 1999-2001: Linux Only vs. Microsoft Only, y-axis 0-50]
Benefits of Microsoft's Responsible Disclosure method
In 2002, responses to security-related issues were made within an average of 2 weeks, which is at least 2 weeks faster than the response for the Linux product family.
Average time to provide a security patch
[Bar chart, days (y-axis 0-80): Microsoft, Debian, SuSe, FreeBSD, Mandrake, Red Hat; plotted values 14, 23, 23, 30, 61, 69]