A comparison of the vulnerabilities between Microsoft’s
SQL Server database and Oracle’s relational database management
products has suggested there are more vulnerability issues with
Oracle’s products than Microsoft’s.
The survey, by David Litchfield’s Next Generation Security
Software (NGSS), shows that between December 2000 and November
2006, external researchers discovered 233 vulnerabilities in
Oracle’s products compared with 59 in SQL Server.
The study, which looked at vulnerabilities reported and fixed in
SQL Server 7, 2000 and 2005 and Oracle’s database versions 8, 9 and
10g, tends to show that the reputation MS SQL Server had back
in 2002 for relatively poor security is no longer deserved,
according to Litchfield.
And he suggested that security researchers should now be
focusing their attention on vendors other than Microsoft.
“We should be about closing holes and improving a vendor’s
outlook on security and - largely - that battle has been won with
Microsoft,” he said, adding that the results show that Microsoft’s
software development lifecycle processes appear to be working.
“There are other battles needing to be fought and won - Oracle
being one of them,” he said.
In response, Oracle commented that the number of reported
vulnerabilities in a product alone is not a measure of the overall
security of that software.
The NGSS report comes at a time when security researchers, irked
by what they consider to be Oracle’s slow pace of bug-fixing, are
focusing more attention on its products. The company recently
announced fixes for over 100 flaws as part of its scheduled
quarterly security updates.
Litchfield is probably right here. Microsoft is more security-aware
– though still vulnerable because of the ubiquity of its
products. Now, there are other fish to fry.