A comparison of the vulnerabilities found in Microsoft’s SQL Server database and Oracle’s relational database management products suggests that more vulnerabilities have been reported in Oracle’s products than in Microsoft’s.
The survey, by David Litchfield’s Next Generation Security Software (NGSS), shows that between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle’s products compared with 59 in SQL Server.
The study, which looked at vulnerabilities reported and fixed in SQL Server 7, 2000 and 2005 and in Oracle’s database versions 8, 9 and 10g, tends to show that the reputation MS SQL Server had back in 2002 for relatively poor security is no longer deserved, according to Litchfield.
And he suggested that security researchers should now be focusing their attention on vendors other than Microsoft.
“We should be about closing holes and improving a vendor’s outlook on security and - largely - that battle has been won with Microsoft,” he said, adding that the results show that Microsoft’s software development lifecycle processes appear to be working. “There are other battles needing to be fought and won - Oracle being one of them,” he said.
In response, Oracle commented that the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.
The NGSS report comes at a time when security researchers, irked by what they consider to be Oracle’s slow pace of bug-fixing, are focusing more attention on its products. The company recently announced fixes for over 100 flaws as part of its scheduled quarterly security updates.
Litchfield is probably right here. Microsoft is more security-aware, though its products remain attractive targets because of their ubiquity. Now there are other fish to fry.