CHICAGO -- No one would confuse Microsoft with Oracle. The two software juggernauts have carved out distinctly...
different markets. So it's not surprising that the companies have differing policies on releasing information about security vulnerabilities.
Microsoft tends to release more technical details about its vulnerabilities and put out patches faster. Oracle, on the other hand, is intentionally less specific with its advisories. The company also has to wait sometimes to prepare all the patches because its products run on a host of platforms.
"Oracle provides very minimal information," said veteran vulnerability finder David Litchfield of Next Generation Security. "Microsoft is more free with the information, which is the better approach, I believe."
Sometimes the language of Oracle's advisories downplay the seriousness of the vulnerabilities, Litchfield said. "Sometimes they don't directly say something is a problem," he said. "That takes the edge off of it, which may make some system administrators less likely to patch."
To be fair, it's hard to compare Oracle, which sells mostly business applications, with Microsoft, which sells to everyone from enterprises to little old ladies. Microsoft's Windows operating systems are ubiquitous and people have certain expectations.
"We do release a lot of information [in our alerts], but our customers demand it," said Scott Charney, Microsoft's chief security strategist last week at Information Security Magazine's Security Decisions conference. "People expect a lot of transparency from Microsoft."
Microsoft constantly wrestles with the proper level of information detail it releases about its flaws. For example, the company never releases exploit code, Charney said. "At end of the day, our philosophy is not to do security by obscurity," he said.
Oracle, on the other hand, tries to include just enough information in its advisories to let customers know if they have a particular vulnerability, said Mary Ann Davidson, Oracle chief security officer, at Security Decisions. The only complaints Davidson has heard about the technical level of Oracle advisories is from vulnerability researchers, not from Oracle customers.
Compared to Microsoft, Oracle releases less technical information about vulnerabilities. It is a topic often discussed at Oracle. CEO Larry Ellison has even taken part in discussions about it. "We don't want to draw hackers a roadmap for attacking our systems," Davidson said.
The aim of Oracle's security advisories is to let companies know if the applications they are running are susceptible to the vulnerabilities. If a workaround is available, that information will be released, though it does let bad guys know a little more about the flaw, Davidson said.
Oracle is also careful about announcing whether exploit code is available. On one hand, the company wants to let customers know there is a threat out there. On the other, they don't want to let the wrong people know about the code. To get around this issue, Oracle has included such information in its customer alerts but omitted it in the public version.
"I also don't want to train our customers that they only need to worry about vulnerabilities if exploit scripts are available," Davidson said, noting certain classes of flaws, such as ones involving open passwords, don't require exploit code.
The nature of Oracle's business also affects how it deals with security vulnerabilities. The company's applications and databases run on more than a dozen operating systems, so patching a flaw can be a complex process. For example, the company had to create 78 patches for one vulnerability at a cost of $1 million because of all the combinations. "When we announce a vulnerability, we want patches for all affected versions so to treat all our customers the same," Davidson said.
In some ways, the information included in an alert is secondary because patches can be reverse-engineered. "All someone would need to do is look at the patch to see where the bug lies," Litchfield said.
Litchfield admits that not everyone cares about the specific, geekie details of a vulnerability. It's better that the information is there so people who want it have it. "If you don't want it, then you don't have to read it," he said.
He likens advisory information to taking your car in to get serviced. Getting an advisory with few technical details is like picking your car up and the mechanic saying only, "Oh, we fixed it," but without saying specifically what they did to your car. "By telling you what they did provides a level of transparency and a level of comfort," he said.