Professional Documents
Culture Documents
A general comparison is made covering Oracle 8, 9 and 10 against SQL Server 7, 2000
and 2005. The vendors’ flagship database servers are then compared.
The Comparison
Oracle Microsoft
[See below for larger graphs]
The two graphs above show the number of security flaws in the Oracle and Microsoft
database servers that have been discovered and fixed since December 2000 until
November 2006. Each block represents a single issue with the sole exception of the
single block in Q2 2005 of the Microsoft graph. This represents Service Pack 4 and
whilst there are no related security bulletins or bugs listed on bugtraq the author felt it
worthy of inclusion.
Oracle 10g Release 2 Microsoft SQL Server 2005
These two graphs indicate flaws that have been discovered by external security
researchers in both vendors’ flagship database products – namely Oracle 10g Release 2
and SQL Server 2005. No security flaws have been announced for SQL Server 2005.
It is immediately apparent from these four graphs that Microsoft SQL Server has a
stronger security posture than the Oracle RDBMS.
Do the SQL Server 2005 results have no flaws because no-one is looking at it?
No – I know of a number of good researchers are looking at it – SQL Server code is just
more secure than Oracle code.
Do you have any predictions on the Oracle January 2007 Critical Patch Update?
Maybe – NGSSoftware are currently waiting for Oracle to fix 49 security flaws – these
will be fixed sometime in 2007 and 2008.
Why have there been so little bugs found in SQL Server since 2002?
Three words: Security Development Lifecycle – SDL. SDL is far and above the most
important factor. A key benefit of employing SDL means that knowledge learnt after
finding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. This
means rather than remaking the same mistakes elsewhere you can guarantee that new
code, whilst not necessarily completely secure, is at least more secure than the old code.
Does Oracle have an equivalent of SDL?
Looking at the results, I don’t think so. Added to this that Oracle keep making the same
basic mistakes and that some of their security “fixes” indicate that they don’t understand
the problems they’re trying to fix. See http://seclists.org/bugtraq/2005/Oct/0056.html for
more information.
Oracle
Security issues and fixes in Oracle 8, 9 and 10 since December 2000 to November 2006.
Only security issues found in the TNS Listener and the RDBMS itself have been included
in the following graph. This means issues found in components such as the Intelligent
Agent or the Oracle Application Server have not been included.
Conclusions
Despite what the numbers clearly show these results will be contested by many; it is
hoped that, since the author is responsible for finding many of these issues and thus
speaks with some authority on such matters, there won’t be too many though.
The conclusion is clear – if security robustness and a high degree of assurance are
concerns when looking to purchase database server software – given these results one
should not be looking at Oracle as a serious contender.
MS02-040
MS02-065
MS03-033
MS04-003
MS06-014
One of the issues discussed in MS02-056 is a buffer overflow in the FoxPro ODBC
driver and so is not included – see http://www.scan-associates.net/papers/foxpro.txt