David Litchfield is a well-known critic of Oracle Corp.'s patching process. So it should come as no surprise that he ranks the database giant's security proficiency well behind that
Litchfield, managing director at UK-based Next Generation Security (NGS) Software, examined differences between the security of Microsoft's SQL Server and Oracle's relational database management system (RDBMS); based on flaws reported by external security researchers and ultimately fixed by the vendor in question in the last six years. In that period, he said, Microsoft patched 59 flaws in its SQL Server 7, 2000 and 2005 databases while Oracle patched 233 security holes in its Oracle 8, 9 and 10g databases.
"It is immediately apparent … that Microsoft SQL Server has a stronger security posture than the Oracle RDBMS," he wrote. In addition to the flaws outlined in the report, he said NGS is now waiting for Oracle to fix 49 security flaws it has reported.
The flaw count for SQL Server has been very low since 2002, Litchfield said, because Microsoft uses a security development lifecycle (SDL) where, as he put it, "knowledge learnt after finding and fixing screw ups is not lost. Instead, it is ploughed back into the cycle." From what he can tell, Oracle doesn't have a SDL of its own, since it is "making the same basic mistakes" and some of its fixes "indicate that they don't understand the problems they're trying to fix."
He said the conclusion is clear: "If security robustness and a high degree of assurance are concerns when looking to purchase database server software, given these results one should not be looking at Oracle as a serious contender."
For Oracle, criticism over its patching process is nothing new. The company's Critical Patch Updates (CPU) are usually followed by third-party warnings about flaws that either weren't addressed or weren't fixed properly. Litchfield has often led the charge.
In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that its patching process can be difficult to follow. They acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and slow fixes.
In October, Oracle unveiled a new, easier-to-digest bulletin, providing summaries to vulnerabilities addressed in the CPU, adopting a vulnerability scoring system and identifying critical flaws that may be remotely exploitable without requiring authentication to a targeted system. The response from DBAs has been mixed.
Microsoft has also taken its share of criticism in recent years. But the software giant has moved aggressively to bake security into its products, most notably in Windows Vista.
As Litchfield took swipes at Oracle security during the Black Hat USA 2006 conference in Las Vegas last August, Microsoft representatives were down the hall touting Vista security and inviting the hacking community to pick it apart for potential security holes.