Oracle has 3400% more vulnerabilities than SQL Server

November 22, 2006

There has been a lot of talk over the years about how Microsoft products are vulnerable to hacks. When I went through university many moons ago, Microsoft were certainly painted as the evil empire (not necessarily by individuals or as the university as a whole, more just an overall feeling), whilst we were the rebel alliance. We all had Linux boxes at home, running fvwm on X-Windows. And of course, one of the main arguments against Microsoft was that their products could be hacked. They were not secure, not reliable, not worth using in the real world.

Of course, I graduated from uni and got into the real world, and found that people actually did use Microsoft products (as well as others). I quickly got into both Oracle and SQL Server, and still there was a general feeling that Microsoft products (including SQL Server) were less secure than others. And it was easy to just accept this as probable fact.

I remember Jesper Johansson having a bumper sticker that said “My other computer is your Linux box”, which I thought was funny. It seems that Microsoft products are really only the most vulnerable simply because they have the word Microsoft on them. Seriously. This makes them a target, and because they are the most attacked, the net effect is that they are the most likely to suffer. Or something like that anyway.

So this morning, I came across an article which I found quite interesting.

http://www.ddj.com/blog/securityblog/archives/2006/11/the_least_vulne.html

Seems that Oracle has 3400% more vulnerabilities than SQL Server (70, compared to 2). Of course, this assumes “proper execution” (a correctly configured installation), and I imagine that lots of systems don’t do things that way. I think this gives even better arguments for grabbing some of the pre-built VHDs for applications like SQL Server, like this one. There are ones available through TechNet and MSDN subscriptions too.

This Post Has 3 Comments

  1. spantimonious ...

    Give a man 7 watches and he’ll give you seven versions of the time. Check out Secunia, factor in bug severity and the fact the article is talking “reported bugs”. There’s a lot more to it than a single ‘report’ … time to exploit, time to patch, occurrence frequency, severity, vendor openness and responsiveness … anyone can look good or bad depending on the moment in time the report snapshot chooses to use …

  2. robfarley

    Yeah, I appreciate that… but there’s some research that suggests that SQL Server isn’t too bad – which is good for the SQL world.

  3. ozczecho

    Oracle *might* have 3400% more vulnerabilities than MS SQL, but it has 5000% more features than MS SQL. Seriously, after working on both databases I know which one I prefer… Transact-SQL is by far the most painful language to use (errmmm, maybe JavaScript comes close)….

LobsterPot Blogs

Blog posts by Rob Farley and other LobsterPot Solutions team members.