Security Vulnerability Comparison: Linux vs. Windows


1 Security Vulnerability Comparison: Linux vs. Windows
Technology Business Division, Microsoft Korea

2 MITRE Security Vulnerabilities in 2002
According to the study, more than 380 CAN/CVE entries were added to the vendor list in 2002. More than two-thirds of all CAN entries affected OSS (Open Source Software). CAN: Candidate for CVE status. CVE: Common Vulnerabilities and Exposures. Total number found: 386.

3 SQL Server 2000 vs. Oracle 9iAS
Don’t have all the minor release dates for Oracle 9iAS. They don’t seem to be posted.

4 IIS 5 vs. Apache
A large number of version upgrades, rather than patches, means a heavier system maintenance burden on administrators.

5 IIS 5 vs. Apache

6 Exchange 2000 vs. Sendmail
Key Point: Customers running Microsoft Exchange 2000 over its lifecycle experienced less TCO than those who ran sendmail, due to less severe security issues and fewer upgrades to keep the product current.
Message: In this first slide, I've documented the security issues with Microsoft Exchange 2000 from its release date alongside the Sendmail equivalent. There were six CAN entries during this period, and in late 2002 there was one instance where the security of the sendmail download site and its mirror sites was compromised and the originals replaced with trojaned copies of sendmail. For nine days, the FTP site and its mirrors distributed the trojaned copies to its customers. Ironically, sendmail was not immune to this type of attack. Two other instances of trojaned sources also occurred during 2002. What's especially important on this slide is to see that sendmail also had 14 minor version upgrades during this time period compared to 3 for Microsoft Exchange. Upgrades are very frequent, with versions only lasting for a few weeks or months. Skipping releases could put a customer at risk for security issues. Sendmail usually includes its security fixes in the next version rather than patching the software, so keeping up to date with this application is critical to maintaining security. I'll address sendmail security in a little more detail later. Let's move on to the next comparison.
Background: Due to vendor inconsistency in publishing security bulletins, the CAN/CVE entries here will not match up with the CAN/CVE spreadsheet I created. Many vendors decided to simply update their sendmail packages rather than send a bulletin. You'll see evidence of that in a later slide.
References: CERT® Advisory CA Trojan Horse Sendmail Distribution; CERT® Advisory CA Trojan Horse tcpdump and libpcap Distributions; CERT® Advisory CA Trojan Horse OpenSSH Distribution

7 ISA Server 2000 vs. Squid
Key points: ISA Server 2000 over its entire life cycle has been more secure than Squid, its nearest open source comparable.
Message: In this chart, it's very easy to see that since its release, Internet Security and Acceleration Server 2000 (ISA Server 2000) has historically been more secure than Squid, and has had fewer software updates. This is even more dramatic when you consider that ISA Server 2000 is often exposed directly to the internet, whereas Squid is often hidden behind another firewall.

8 Linux Distributions Lag Behind OSS
{Warning!! 1 Build in this slide!!}
Key Points: Linux distributions, such as RedHat, do not update their packages in the same time frame as OSS vendors do. This lag time leaves RedHat customers at risk.
Message: In this slide we break down the release history of Sendmail during the calendar year Sendmail customers who relied on RedHat to keep their sendmail package up to date were vulnerable to a number of issues during There were a total of six issues reported by sendmail in Two received CAN assignments from MITRE. The trojaned distribution mentioned earlier, indicated here on the timeline by the red band, earned a warning to the general public from CERT, the Computer Emergency Response Team at Carnegie Mellon. Note the

9 All CVEs: 1/1999-6/2001. Vulnerabilities reported by year: all vulnerabilities in Windows and Unix
Microsoft and Linux

10 Benefits of Microsoft’s Responsible Disclosure method
In 2002, responses to security issues were delivered within an average of two weeks, which is at least two weeks faster than the response for the Linux product family. Average time to deliver a security patch.
