Full Disclosure mailing list archives

Re: Which is more secure? Oracle vs. Microsoft


From: "David Litchfield" <davidl () ngssoftware com>
Date: Tue, 21 Nov 2006 17:15:29 -0000

> But you are comparing apples and oranges. Oracle is a much more complex
> product and has a lot more features than SQL Server. It's a little bit
> like comparing an Airbus with a Cessna. Both are airplanes...

I disagree. The amount of attack surface has everything to do with
security robustness.

> Oracle 10g Rel. 2 for example has 17,261 PL/SQL functions and procedures
> (select count(*) from all_procedures, default installation with samples).

Exactly my point. Oracle should install with as few components as possible - 
it should be secure out of the box - and it is not.

> The following bugs are Oracle application server bugs (Oracle Portal 9.0.2)
> and not RDBMS bugs. Oracle looks a little bit better now (- 6 security
> bugs)...
>
> wwv_form.genpopuplist SQL Inj., Alert 61, CVE-2003-1193
> wwv_ui_lovf.show SQL Inj., Alert 61, CVE-2003-1193
> ORG_CHART.SHOW SQL Inj., Alert 61, CVE-2003-1193
> wwa_app_module.link SQL Inj., Alert 61, CVE-2003-1193
> wwv_dynxml_generator.show, Alert 61, CVE-2003-1193

You're wrong. Whilst they might be installed with the portal app these are 
PL/SQL packages in the database server. If you want these removed then I 
should remove the SQLXML stuff from SQL Server as it's an add on component.

> The SOAP bug (Alert 65) is not a RDBMS bug
> (see http://www.oracle.com/technology/deploy/security/pdf/2004alert65.pdf)

Again you're wrong. If you take another look at the link you provided it 
says that "Oracle9i Database Server Release 2, versions 9.2.01 and later" 
are affected. The problem lies in soap.jar and can be exploited via the 
RDBMS.

Cheers,
David

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
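The thread argues about attack surface using a single figure, the count from all_procedures. The following Oracle SQL is an added example, not part of the original exchange, that breaks that figure down the way a DBA reviewing a default installation would want it: per owning schema, and then restricted to subprograms that any account can actually reach. It assumes the standard data dictionary views ALL_PROCEDURES and DBA_TAB_PRIVS (the latter requires the DBA role or SELECT ANY DICTIONARY).

```sql
-- Added example (not from the thread): inventory the callable PL/SQL surface
-- of an Oracle database, starting from the headline number quoted above and
-- narrowing to what an unprivileged session can reach.
-- Assumes the Oracle data dictionary views ALL_PROCEDURES and DBA_TAB_PRIVS.

-- 1. The figure quoted in the thread: every function/procedure visible to
--    the connected user.
SELECT COUNT(*) AS callable_subprograms
  FROM all_procedures;

-- 2. The same count per owning schema, so add-on components (a portal
--    schema, sample schemas) can be weighed individually before deciding
--    whether to drop them from the installation.
SELECT owner, COUNT(*) AS subprograms
  FROM all_procedures
 GROUP BY owner
 ORDER BY subprograms DESC;

-- 3. Packages on which EXECUTE has been granted to PUBLIC: reachable from
--    any account, so these are the ones that matter most for hardening.
SELECT p.owner, p.table_name AS package_name
  FROM dba_tab_privs p
 WHERE p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
 ORDER BY p.owner, p.table_name;

-- 4. Definer-rights subprograms executable by PUBLIC. A SQL injection flaw
--    in one of these runs with the package owner's privileges rather than
--    the caller's, which is why such bugs in database-resident packages
--    affect the RDBMS itself and not only the application on top of it.
SELECT DISTINCT a.owner, a.object_name
  FROM all_procedures a
  JOIN dba_tab_privs p
    ON p.owner = a.owner
   AND p.table_name = a.object_name
 WHERE p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
   AND a.authid    = 'DEFINER'
 ORDER BY a.owner, a.object_name;
```

Run the four statements in order on a freshly installed instance and again after removing unused components; the drop in query 4 is the practical measure of the "secure out of the box" argument made in the reply above.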