Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair compa

from [Shawn Fitzgerald] Network Security [Permanent Link]
Subject: RE: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Date: Tue, 28 Nov 2006 19:41:59 -0800
Not that I disagree (or know for that matter) but at blogs.oracle.com/ security/ they state that they, "Disclose the existence of vulnerabilities once cured, even if they are discovered internally."

Maybe someone should leave a comment correcting them or better yet invite them to discuss some of the issues brought up on this list.

Cheers, Shawn


-----Original Message-----

From: David Litchfield [

mailto:davidl@ngssoftware.com]
Sent: Tuesday, November 28, 2006 9:01 AM
To: Steven M. Christey; bugtraq@securityfocus.com
Subject: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Hi Steven,
> For example, there appears to be distinct difference in editorial
> policy between Oracle and Microsoft in terms of publishing
> vulnerabilities that the vendors discovered themselves, instead of
> third parties. This might produce larger numbers for Oracle, which
> appears to include internally discovered vulnerabilities in their
> advisories, whereas this is not necessarily the case for Microsoft
> [2], [3].
Oracle do not report issues they've found internally in their alerts. Every DBn in their alerts marries up to "public" flaws.
> In both cases, the lack of details can mean that multiple issues wind
> up with one public identifier; for example, Oracle Vuln#
> DB01 from CPU Jul 2006 (CVE-2006-3698) might involve 10 different
> issues, and this is not an isolated case. This can further muddy the
> waters.
...which is why I broke every actual flaw down in the document. For example the following flaws are all covered by CVE-2002-0154
xp_proxiedmetadata overflow CAN-2002-0154 MS02-020 xp_mergelineages overflow CAN-2002-0154 MS02-020 xp_controlqueueservice overflow CAN-2002-0154 MS02-020 xp_createprivatequeue overflow CAN-2002-0154 MS02-020 xp_createqueue overflow CAN-2002-0154 MS02-020 xp_decodequeuecmd overflow CAN-2002-0154 MS02-020 xp_deleteprivatequeue overflow CAN-2002-0154 MS02-020 xp_deletequeue overflow CAN-2002-0154 MS02-020 xp_displayqueuemesgs overflow CAN-2002-0154 MS02-020 xp_oledbinfo overflow CAN-2002-0154 MS02-020 xp_readpkfromqueue overflow CAN-2002-0154 MS02-020 xp_readpkfromvarbin overflow CAN-2002-0154 MS02-020 xp_repl_encrypt overflow CAN-2002-0154 MS02-020 xp_resetqueue overflow CAN-2002-0154 MS02-020 xp_unpackcab overflow CAN-2002-0154 MS02-020
If someone is willing to sit down and do the research the details are "out there" and in a paper such as the comparison it was imperative to have these details.
Cheers,
David Litchfield


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  OWASP JBroFuzz 0.3 Fuzzer Released!, subere
Next by Date:  New Windows tool - PWDumpX v1.0, Reed Arvin
Previous by Thread:  Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), David Litchfield
Next by Thread:  [Full-disclosure] AttackAPI 2.0 alpha, pdp (architect)
Indexes:  [Date] [Thread] [Top] [All Lists]