Microsoft beats Oracle in security showdown

Microsoft is beating Oracle hands down with the security of its database, according to a new report.

David Litchfield, a security researcher with NGS Software, published a whitepaper entitled "Which database is more secure? Oracle vs. Microsoft" (PDF download) on 21 November, comparing the number of software vulnerabilities patched by both vendors in their respective products over the past six years.

Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases.

The research also pointed out that Microsoft has not issued a single security bulletin for its databases since mid-2003, whereas Oracle has seen a spike in patches in recent years.

View: Vnunet.com


This isn't one of those "studies" where MS pays some company to come to a predetermined conclusion, such as "Linux is more expensive", is it?

If not, fair game to Microsoft; if it is, then it's just more of the same.

An absolutely key point is the amount of time spent hunting vulnerabilities on each product.

Saying X has 200 and Y has 300 known vulns is useless unless you can also state 2000 hrs were spent researching X, and 1500 researching Y. Even then it's not great, but gives you a better indication of whether it's a fair comparison.

Although I cannot contest the truth of this article, let me just make a few ultra-cynical points:
1. What if Oracle releases patches more quickly than MS, and thus does not have as many cumulative patches?
2. What if Oracle is more proactive about bug patching, and thus releases more patches, or just releases more patches because in someone else's eyes it means they are more secure/doing more to protect their customers?
3. I personally have experienced more than a few security holes in SQL Server first hand, and can say that if 2005 is solid, it must be quite a bit better than 2000.
4. Who did MS buy SQL Server from anyway? They should get the credit for the secure design.
5. How do you know MS doesn't release fewer patches to look better, opting for worse customer security in favor of better reviews like this one?

releasing a patch != fixing every affected system - though it does shift the burden.

The fact that there were security problems in it in the first place is a bad thing to start out with. Fixing them is a good thing obviously. The time it took from discovery to a fix is a good measure for responsiveness.

But you've gotta look at all of these things - known vulnerabilities, % fixed vulnerabilities and time to fix. It's bad if the first or the last item is a high number, and good if the second one is a high number. While we're at it, might as well toss in some other metrics, like "how bad" the vulnerability is. Is it remotely exploitable? What kind of damage can be caused by it? Etc. etc.

Someone blogging on MSDN has a really interesting discussion (with a lot of data) on security vulnerabilities in Windows versus a flavor or two of Linux - the actual single discussion there isn't what's noteworthy though - it's the metrics and the methods that he uses to try to come to conclusions. I'd be curious to see his techniques applied to these products (SQL Server/Oracle) as well.


You guys have to realize that MS SQL Server is a VERY solid product! It's definitely one of the best enterprise database packages out there, and I've used everything from dBase to Pervasive and Oracle to MS SQL Server... MS SQL Server is very secure, stable, and from my experience generally works better than Oracle in a lot of areas... and you can't say it's not a market leader either so it won't be as vulnerable (the Windows vs OSX debate) because SQL Server is used in LOTS of places including some of the biggest companies in the world... MS SQL and Oracle have a near equal install base and MS SQL is gaining big on Oracle because of its stability, lack of needing patches, and its efficiency... so this is no surprise at all to a DBA to see a story like this

The number of patches doesn't matter anymore because there's no 100% safe software out there; the important thing is how the developers respond to the bugs. I think Microsoft is relatively safe, they are always fixing their bugs.

Who cares how many holes were patched?

Give me the numbers of unpatched holes. That's the measure of security.

Sure, it could be Microsoft having less there, I'm not trying to defend Oracle, just saying these statistics are quite irrelevant. If an application has more holes patched over some duration with the end result being less open holes than another, I'd definitely pick that one.

As pointed out elsewhere on this thread, people may look for vulnerabilities more in Oracle, but by the same token people also say that other OSs are more secure because no one is looking for vulnerabilities there (no market leader = more secure). Not fair. If it's not affecting you or the market in any way, it's not really a hole -- there are thousands if not millions of "unpatched holes" out there but until it has meaningful market impact, that also isn't a measure of security (or lack thereof).

The amount of bugs found doesn't matter, as there will always be bugs in software, the more the larger it is.

The thing that does matter, is how long it takes for the patch to get released.

And the fact that they haven't issued any security bulletins since mid-2003 doesn't mean that there wouldn't be any bugs, it just means that they don't say that there are.

Same goes for Oracle, who knows how many bugs there really are? Probably way more than 233. The important thing is that they get fixed fast after they have been caught, especially when they are critical ones.

Seems MS is finally getting their stuff together. Good for them, as people would otherwise stop using their stuff.
Oracle obviously has been far too lax and negligent in security matters lately.

Depending on how many open holes there are, these statistics may just as well show Oracle has been more active in their bug search + patching. I don't really understand how a number of patched holes can indicate anything other than that they're doing good work patching up their software. Software of this magnitude rarely comes without problems anyway.

Bishi is correct. Oracle is the market leader in the database world and has more active people searching for bugs. Do you all seriously think that an MS product doesn't have bugs?

and yes, I am an oracle DBA

Just because MS have only patched 59 vulnerabilities doesn't mean there aren't another 1000 to patch. IMO there are more people and businesses using ORACLE in more mission-critical applications, so of course they will find more bugs.

Good on Microsoft though for producing a great product, they have definitely stepped up in the last year or so.

No matter what the software is, there will always be bugs to fix. Stating that MS has a potential for more when over the past 5 years they've only had 59, compared to Oracle having over 200 sounds a bit on the weak side -- argument wise.

IMO, number of vulnerabilities fixed does not equate to more secure. I say have both products configured by each manufacturer and unleash the hackers to try and break in.

Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases.

233? And people say Microsoft is bad with patches

BTW this is no fanboy comment. If tsutton has an issue with what I said and takes it as a fanboy comment, I honestly don't care. I can't stand fanboys.

But I will point out that:

*waits for the fanboys to comment*

Is a pure fanboy comment in all its glory. Troll somewhere else, tsutton.

How ironic, the first comment was the most worthless of all... Nevertheless, I would say it is good for Microsoft to get their software more secure. They are one of the best software makers...

Quote - NightmarE D said @ #1
233? And people say Microsoft is bad with patches
The problem I have with this security comparison is that it seems to be primarily based on number of patches. And using the 'logic' that a larger number is automatically bad.

Debian Sid has a whopping 832 Secunia advisories. Users get frequent patches. Is this bad? Let's look a little deeper: oh, there is one "unpatched" flaw in all those hundreds. The point that this illustrates? That no single metric will make an accurate security evaluation.

Microsoft has been doing a good job in the security arena, no doubt there. But this "report" isn't in-depth enough to draw the conclusions it does, from what I see.

Quote - markjensen said @ #3.2
The problem I have with this security comparison is that it seems to be primarily based on number of patches. And using the 'logic' that a larger number is automatically bad.

Exactly, a large number of patches means a company is doing a good job fixing open issues. A better comparison would be to analyze how many issues are currently open, their severity, and time to fix.

I believe if you rate these products with this criteria (IMHO & work experience), SS is getting better but Oracle wins hands down as the top and more secure enterprise database.
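The metrics argued for in this thread (known vulnerabilities, percentage fixed, time to fix, severity of what is still open) can be computed side by side so that a raw patch count is not read on its own. This is an added example, not code from the article or the whitepaper; the two products and their advisory records are constructed data, not figures for SQL Server or Oracle.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Severity scale used only to rank open issues (assumption, not Secunia's scale).
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass
class Advisory:
    product: str
    severity: str            # one of SEVERITY_RANK's keys
    disclosed: date          # date the flaw became known
    patched: Optional[date]  # None while the hole is still open


def scorecard(advisories, product):
    """Per-product metrics: how many holes are known, fixed, still open,
    how quickly fixes shipped, and the worst severity left unpatched."""
    mine = [a for a in advisories if a.product == product]
    fixed = [a for a in mine if a.patched is not None]
    open_ = [a for a in mine if a.patched is None]
    days_to_fix = [(a.patched - a.disclosed).days for a in fixed]
    worst_open = max((a.severity for a in open_),
                     key=lambda s: SEVERITY_RANK[s], default=None)
    return {
        "known": len(mine),
        "patched": len(fixed),
        "open": len(open_),
        "pct_fixed": round(100 * len(fixed) / len(mine), 1) if mine else 0.0,
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "worst_open_severity": worst_open,
    }


# Constructed sample: product A shipped more patches, product B fewer, yet B
# is the one with a critical hole still open. Patch count alone misleads.
SAMPLE = [
    Advisory("A", "high", date(2005, 1, 10), date(2005, 1, 25)),
    Advisory("A", "moderate", date(2005, 3, 1), date(2005, 3, 31)),
    Advisory("A", "critical", date(2005, 6, 15), date(2005, 6, 22)),
    Advisory("A", "low", date(2005, 9, 1), date(2005, 11, 1)),
    Advisory("A", "moderate", date(2006, 2, 1), date(2006, 2, 21)),
    Advisory("B", "moderate", date(2005, 4, 1), date(2005, 8, 1)),
    Advisory("B", "critical", date(2005, 10, 5), None),
    Advisory("B", "low", date(2006, 1, 15), None),
]

if __name__ == "__main__":
    for product in ("A", "B"):
        print(product, scorecard(SAMPLE, product))
```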

I don't care how insecure oracle is. They have built in BLAST and I'll keep using it for that reason alone.

Personally, I reckon MS is finally getting their head around things these days focusing on quality products and meeting customer satisfaction.

Quote - Elliott said @ #1.2

Erm, what? Mac OS X, with 4 unpatched vulnerabilities. Windows XP, with 29 unpatched vulnerabilities.

You are the one who posted about Windows XP. Everyone else here is talking about Enterprise products, which Windows XP is not. If you compare Mac OS X and Windows 2003, you will see that the most severe unpatched vulnerability that Mac OS X has is Highly Critical while the most severe unpatched vulnerability that Windows 2003 Server has is Less Critical:

http://secunia.com/product/1176/
http://secunia.com/product/1173/
http://secunia.com/product/1174/
http://secunia.com/product/1175/

Linux is not in much better shape, with 18 unpatched vulnerabilities, with the most severe being Moderately Critical, in Linux 2.6.x:

http://secunia.com/product/2719/

If you compare the number and severity of vulnerabilities by market share, Windows 2003 Server is the most secure, followed by Linux 2.6.x with Mac OS X being the most insecure server operating system on the market. Of course, that does not include Unix, but there is no standard Unix kernel like there is with Linux, so it is harder to place Unix's security.

Quote - Shining Arcanine said @ #1.3

You are the one who posted about Windows XP. Everyone else here is talking about Enterprise products, which Windows XP is not.


Well, for one, nobody said this thread of discussion was limited to Enterprise products. Two, Windows Server 2003 isn't running on each of the desktops at any given workplace, so you've still got Windows 2000/XP running on a majority of the systems. Since it's so dominant in the workplace, we'll just say Microsoft might as well classify it as an Enterprise product, in which case Microsoft should work harder to patch XP like they do Server 2003.

Quote - Elliott said @ #1.4
Well, for one, nobody said this thread of discussion was limited to Enterprise products. Two, Windows Server 2003 isn't running on each of the desktops at any given workplace, so you've still got Windows 2000/XP running on a majority of the systems. Since it's so dominant in the workplace, we'll just say Microsoft might as well classify it as an Enterprise product, in which case Microsoft should work harder to patch XP like they do Server 2003.

Oracle's software is exclusively enterprise software. The news post is comparing Microsoft's offerings with Oracle's offerings. The idea that we are talking about enterprise software is implied.