Bugtraq mailing list archives

Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 29 Nov 2006 08:22:09 -0000

Hi Shawn,

Oracle do not report issues they've found internally in their alerts.Every
DBn in their alerts marries up to "public" flaws.

Not that I disagree (or know for that matter) but at

blogs.oracle.com/security/ they state that they, "Disclose the existenceof

vulnerabilities once cured, even if they are discovered internally."

Maybe someone should leave a comment correcting them or better yet invite
them to discuss some of the issues brought up on this list.

Ah, the wonders of Oracle Spin Blog. When Oracle issue an alert they credita number of external security researchers. Some of these researchers don'tpost their own advisories for the flaws that they've reported but others do.When you marry up the advisories of those that do to the vulnerabilitieslisted in the Risk Matrix in the Oracle alert you're left with only a few"unexplained" entries. So either these were found internally by Oracle orthey were found by the researchers that don't publish advisories. Now, whenMary Ann Davidson, the Oracle CSO, has gone on record as saying that theyfind more than 75% of significant issues internally (bottom of section 3here -http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html)wer'e left in a situation where the numbers just don't stack up. Either theydon't publish internal finds (which leaves Mary's statement intact) or theydo publish internal finds which destroys Mary's statement. There is ofcourse the possibility that external researchers are reporting issues thathave already been found internally - which would leave both statementsintact. However, when I report a new issue to Oracle they way in which theyrespond indicates whether you've found a new issue or a duplicate. It's notvery often you get a duplicate so we're still left with the contradiction.Either way this contradiction means that someone at Oracle is lying. Theproblem with spin is that it leaves you dizzy and you might just end up onyour butt.


Cheers,
David

Current thread:

Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) stopmakingnoise (Nov 24)
- Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Steve Friedl (Nov 25)
  - Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Tim Newsham (Nov 27)
    - Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 27)
- <Possible follow-ups>
- Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Thor (Hammer of God) (Nov 25)
  - Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Nov 25)
- Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Thor (Hammer of God) (Nov 25)
- Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Steven M. Christey (Nov 28)
  - Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 28)
- Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 29)
- RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Shawn Fitzgerald (Nov 29)