RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair compa

To:	bugtraq@securityfocus.com
Subject:	RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
From:	Shawn Fitzgerald <sargon97@gmail.com>
Date:	Tue, 28 Nov 2006 19:41:59 -0800
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:mime-version:content-transfer-encoding:message-id:content-type:to:from:subject:date:x-mailer; b=T64RlFvKWxqfgxFeaYyAFHpakKv4XhrISAt7zshm2Q6v4yWOHkGyPgygvMeuiAN2gkCnxwOkmbUs8k6dF2dk7N6bYFfq9wOwcEAYEIOYkyLocZ/PahYTeicL0bDJQ4cIUVLc4DoRjEt9RccJ7KygZBrZNJQAsj8JS/CKi4J72RI=
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm

Not that I disagree (or know for that matter) but at blogs.oracle.com/security/ they state that they, "Disclose the existence ofvulnerabilities once cured, even if they are discovered internally."

Maybe someone should leave a comment correcting them or better yetinvite them to discuss some of the issues brought up on this list.


Cheers, Shawn


-----Original Message-----

From: David Litchfield [

mailto:davidl@ngssoftware.com]
Sent: Tuesday, November 28, 2006 9:01 AM
To: Steven M. Christey; bugtraq@securityfocus.com

Subject: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is ita fair comparison?)

Hi Steven,
> For example, there appears to be distinct difference in editorial
> policy between Oracle and Microsoft in terms of publishing
> vulnerabilities that the vendors discovered themselves, instead of
> third parties. This might produce larger numbers for Oracle, which
> appears to include internally discovered vulnerabilities in their
> advisories, whereas this is not necessarily the case for Microsoft
> [2], [3].

Oracle do not report issues they've found internally in their alerts.Every DBn in their alerts marries up to "public" flaws.

> In both cases, the lack of details can mean that multiple issues wind
> up with one public identifier; for example, Oracle Vuln#
> DB01 from CPU Jul 2006 (CVE-2006-3698) might involve 10 different
> issues, and this is not an isolated case. This can further muddy the
> waters.

...which is why I broke every actual flaw down in the document. Forexample the following flaws are all covered by CVE-2002-0154xp_proxiedmetadata overflow CAN-2002-0154 MS02-020 xp_mergelineagesoverflow CAN-2002-0154 MS02-020 xp_controlqueueservice overflowCAN-2002-0154 MS02-020 xp_createprivatequeue overflow CAN-2002-0154MS02-020 xp_createqueue overflow CAN-2002-0154 MS02-020xp_decodequeuecmd overflow CAN-2002-0154 MS02-020xp_deleteprivatequeue overflow CAN-2002-0154 MS02-020 xp_deletequeueoverflow CAN-2002-0154 MS02-020 xp_displayqueuemesgs overflowCAN-2002-0154 MS02-020 xp_oledbinfo overflow CAN-2002-0154 MS02-020xp_readpkfromqueue overflow CAN-2002-0154 MS02-020xp_readpkfromvarbin overflow CAN-2002-0154 MS02-020 xp_repl_encryptoverflow CAN-2002-0154 MS02-020 xp_resetqueue overflow CAN-2002-0154MS02-020 xp_unpackcab overflow CAN-2002-0154 MS02-020If someone is willing to sit down and do the research the details are"out there" and in a paper such as the comparison it was imperativeto have these details.

Cheers,
David Litchfield

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), stopmakingnoise Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Steve Friedl Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Tim Newsham Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), David Litchfield Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Thor (Hammer of God) Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Thor (Hammer of God) Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Steven M. Christey Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), David Litchfield Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), David Litchfield RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Shawn Fitzgerald <=

Previous by Date:	OWASP JBroFuzz 0.3 Fuzzer Released!, subere
Next by Date:	New Windows tool - PWDumpX v1.0, Reed Arvin
Previous by Thread:	Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), David Litchfield
Next by Thread:	Siap Cms Sql Injection (login.asp), nagazakig74
Indexes:	[Date] [Thread] [Top] [All Lists]