Bugtraq mailing list archives

Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

From: "David Litchfield" <davidl () ngssoftware com>
Date: Tue, 28 Nov 2006 17:00:34 -0000

Hi Steven,

For example, there appears to be distinct difference in editorial
policy between Oracle and Microsoft in terms of publishing
vulnerabilities that the vendors discovered themselves, instead of
third parties.  This might produce larger numbers for Oracle, which
appears to include internally discovered vulnerabilities in their
advisories, whereas this is not necessarily the case for Microsoft
[2], [3].

Oracle do not report issues they've found internally in their alerts. EveryDBn in their alerts marries up to "public" flaws.

 In both cases, the lack of details can mean that multiple
issues wind up with one public identifier; for example, Oracle Vuln#
DB01 from CPU Jul 2006 (CVE-2006-3698) might involve 10 different
issues, and this is not an isolated case.  This can further muddy the
waters.

...which is why I broke every actual flaw down in the document. For examplethe following flaws are all covered by CVE-2002-0154


xp_proxiedmetadata overflow CAN-2002-0154 MS02-020
xp_mergelineages overflow CAN-2002-0154 MS02-020
xp_controlqueueservice overflow CAN-2002-0154 MS02-020
xp_createprivatequeue overflow CAN-2002-0154 MS02-020
xp_createqueue overflow CAN-2002-0154 MS02-020
xp_decodequeuecmd overflow CAN-2002-0154 MS02-020
xp_deleteprivatequeue overflow CAN-2002-0154 MS02-020
xp_deletequeue overflow CAN-2002-0154 MS02-020
xp_displayqueuemesgs overflow CAN-2002-0154 MS02-020
xp_oledbinfo overflow CAN-2002-0154 MS02-020
xp_readpkfromqueue overflow CAN-2002-0154 MS02-020
xp_readpkfromvarbin overflow CAN-2002-0154 MS02-020
xp_repl_encrypt overflow CAN-2002-0154 MS02-020
xp_resetqueue overflow CAN-2002-0154 MS02-020
xp_unpackcab overflow CAN-2002-0154 MS02-020

If someone is willing to sit down and do the research the details are "outthere" and in a paper such as the comparison it was imperative to have thesedetails.

Cheers,
David Litchfield

Current thread:

Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) stopmakingnoise (Nov 24)
- Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Steve Friedl (Nov 25)
  - Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Tim Newsham (Nov 27)
    - Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 27)
- <Possible follow-ups>
- Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Thor (Hammer of God) (Nov 25)
  - Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Nov 25)
- Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Thor (Hammer of God) (Nov 25)
- Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Steven M. Christey (Nov 28)
  - Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 28)
- Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 29)
- RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Shawn Fitzgerald (Nov 29)