RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
From: Shawn Fitzgerald <sargon97@xxxxxxxxx>
Date: Tue, 28 Nov 2006 19:41:59 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:mime-version:content-transfer-encoding:message-id:content-type:to:from:subject:date:x-mailer; b=T64RlFvKWxqfgxFeaYyAFHpakKv4XhrISAt7zshm2Q6v4yWOHkGyPgygvMeuiAN2gkCnxwOkmbUs8k6dF2dk7N6bYFfq9wOwcEAYEIOYkyLocZ/PahYTeicL0bDJQ4cIUVLc4DoRjEt9RccJ7KygZBrZNJQAsj8JS/CKi4J72RI=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Not that I disagree (or know for that matter) but at blogs.oracle.com/security/ they state that they, "Disclose the existence ofvulnerabilities once cured, even if they are discovered internally."

Maybe someone should leave a comment correcting them or better yetinvite them to discuss some of the issues brought up on this list.


Cheers, Shawn


-----Original Message-----

From: David Litchfield [

mailto:davidl@xxxxxxxxxxxxxxx]
Sent: Tuesday, November 28, 2006 9:01 AM
To: Steven M. Christey; bugtraq@xxxxxxxxxxxxxxxxx

Subject: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is ita fair comparison?)

Hi Steven,
> For example, there appears to be distinct difference in editorial
> policy between Oracle and Microsoft in terms of publishing
> vulnerabilities that the vendors discovered themselves, instead of
> third parties. This might produce larger numbers for Oracle, which
> appears to include internally discovered vulnerabilities in their
> advisories, whereas this is not necessarily the case for Microsoft
> [2], [3].

Oracle do not report issues they've found internally in their alerts.Every DBn in their alerts marries up to "public" flaws.

> In both cases, the lack of details can mean that multiple issues wind
> up with one public identifier; for example, Oracle Vuln#
> DB01 from CPU Jul 2006 (CVE-2006-3698) might involve 10 different
> issues, and this is not an isolated case. This can further muddy the
> waters.

...which is why I broke every actual flaw down in the document. Forexample the following flaws are all covered by CVE-2002-0154xp_proxiedmetadata overflow CAN-2002-0154 MS02-020 xp_mergelineagesoverflow CAN-2002-0154 MS02-020 xp_controlqueueservice overflowCAN-2002-0154 MS02-020 xp_createprivatequeue overflow CAN-2002-0154MS02-020 xp_createqueue overflow CAN-2002-0154 MS02-020xp_decodequeuecmd overflow CAN-2002-0154 MS02-020xp_deleteprivatequeue overflow CAN-2002-0154 MS02-020 xp_deletequeueoverflow CAN-2002-0154 MS02-020 xp_displayqueuemesgs overflowCAN-2002-0154 MS02-020 xp_oledbinfo overflow CAN-2002-0154 MS02-020xp_readpkfromqueue overflow CAN-2002-0154 MS02-020xp_readpkfromvarbin overflow CAN-2002-0154 MS02-020 xp_repl_encryptoverflow CAN-2002-0154 MS02-020 xp_resetqueue overflow CAN-2002-0154MS02-020 xp_unpackcab overflow CAN-2002-0154 MS02-020If someone is willing to sit down and do the research the details are"out there" and in a paper such as the comparison it was imperativeto have these details.

Cheers,
David Litchfield

Prev by Date: OWASP JBroFuzz 0.3 Fuzzer Released!
Next by Date: New Windows tool - PWDumpX v1.0
Previous by thread: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Next by thread: Siap Cms Sql Injection (login.asp)
Index(es):
- Date
- Thread