List:       bugtraq
Subject:    Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
From:       "David Litchfield" <davidl () ngssoftware ! com>
Date:       2006-11-29 8:22:09
Message-ID: 041501c7138f$775ad100$4001a8c0 () ngssoftware ! com

Hi Shawn,
>> Oracle do not report issues they've found internally in their alerts.
>> Every DBn in their alerts marries up to "public" flaws.

> Not that I disagree (or know for that matter) but at
> blogs.oracle.com/security/ they state that they, "Disclose the existence
> of vulnerabilities once cured, even if they are discovered internally."
>
> Maybe someone should leave a comment correcting them or better yet invite
> them to discuss some of the issues brought up on this list.

Ah, the wonders of Oracle Spin Blog. When Oracle issue an alert they credit 
a number of external security researchers. Some of these researchers don't 
post their own advisories for the flaws that they've reported but others do. 
When you marry up the advisories of those that do to the vulnerabilities 
listed in the Risk Matrix in the Oracle alert you're left with only a few 
"unexplained" entries. So either these were found internally by Oracle or 
they were found by the researchers that don't publish advisories. Now, when 
Mary Ann Davidson, the Oracle CSO, has gone on record as saying that they 
find more than 75% of significant issues internally (bottom of section 3 
here - 
http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html) 
we're left in a situation where the numbers just don't stack up. Either they 
don't publish internal finds (which leaves Mary's statement intact) or they 
do publish internal finds which destroys Mary's statement. There is of 
course the possibility that external researchers are reporting issues that 
have already been found internally - which would leave both statements 
intact. However, when I report a new issue to Oracle the way in which they 
respond indicates whether you've found a new issue or a duplicate. It's not 
very often you get a duplicate so we're still left with the contradiction. 
Either way this contradiction means that someone at Oracle is lying. The 
problem with spin is that it leaves you dizzy and you might just end up on 
your butt.

Cheers,
David
