Oracle Has More Flaws Than SQL Server
jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"
Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'
Oracle's response in English: Clearly you have no idea what you're doing, because your results showed us in a poor light. Perhaps you'd like to try again. We have a bag of money for you.
The theory of relativity doesn't work right in Arkansas.
Unbreakable?
?
Oracle has a million more configuration options than SQL Server. It only makes sense that there will therefore be many more bugs.
MSSQL is a SQL Server. MySQL is a SQL Server. Oracle is a SQL Server. Please be more specific and explain which SQL Server you are talking about.
Granted, the summary does explain that the article does indeed refer to MSSQL Server, but please stop calling it just SQL Server. MSSQL Server != SQL Server
(OK, I feel better. What is the moderation for RANT?)
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
And why did you expect it to be the other way? Because of the two-letter prefix? Biased.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Anyone that has tried to read (or even tried to lift up) one of the Oracle manuals knows that this is seriously feature-rich and complicated stuff. It would be more interesting to see how many bugs per line of code the two contenders have.
what about IBM DB2?
One man, one word.
While the # of vulnerabilities is unacceptable, Oracle is right ... just comparing the # of bugs is not really valid. Now if Oracle has had more severe security violations than Microsoft, it would be a different (and far more interesting) story. Oracle is still a more robust database, so one would expect there to be more bugs than another app with fewer modules and lines of code.
Huh? Don't mind me, I'm just the new guy.
Did they also mention that Oracle has 300 times as many useful analytical features as SQL Server? I use SQL Server 2005 at work and it's pathetic. Postgres is more useful!
The number of flaws doesn't matter. A slice of cheese has one flaw as a database. It isn't a database. This doesn't make it a better product.
Not least the criteria for selecting and enumerating flaws, and any differences between those criteria for the two products. Not saying that there is a problem, just that any prospective customer needs to take this into consideration and check his facts.
This whole study reminds me of a couple of years ago, when someone decided to make a comparative list of security flaws between Windows and Linux. For the former, they only included official Microsoft security fixes. For the latter, they included just about every bug in every open source project known to man. Big surprise, Windows was found to have fewer flaws.
When it comes to security, trust no one. Especially not research firms, security "specialists" and people mouthing off about security on Slashdot.
Hey, waitaminute....
And remember kids: Never trust a computer you can actually lift.
Reported and fixed means that the company which doesn't fix bugs looks more secure. Not that I'm implying that MS is worse than Oracle on this, mind you. I just wanted to point out that this metric has loads of potential flaws.
See what I've been reading.
Let's see that again.
The study looked at vulnerabilities that were reported and fixed...
So, if it wasn't fixed, was it counted?
Huh? Security is not about "software development life-cycle".
That's why you have almost daily updates of anti-virus software for Microsoft products.
Big time. One remote root vulnerability is worth 10,000 local app crash vulnerabilities.
Yep. Because Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.
Remember, you can never count on a user applying a patch. Your system has to be as secure as possible in the default, unpatched, configuration.
Not only is it not "the best approach", it is a fucking idiotic approach only used by morons who have no understanding of what "security" is.
It's not the number of bugs. It's what access can be gained by that bug and how easily it is to invoke that bug in the various "standard" configurations.
(emphasis mine)
Now, I'll admit I haven't yet RTFA, but I think we've pretty much been through this before.
Just because there were more bugs reported and fixed in one product than another does not mean that product is more secure. There could have been hundreds of reported but as-yet-unfixed bugs in one of the products that isn't included. One company could have a greater emphasis on patching, squashing more bugs than its competitor. There could be thousands of unreported, unfixed and unknown bugs in both products. Perhaps not all of these bugs are security flaws. One product may have fewer bugs, but all of them are security related and none of the competitor's are. Need I go on?
The point is that these comparisons are sensationalism. The same happens in the whole 'Number of Linux patches VS Number of Windows patches' and 'Firefox flaws VS IE flaws' arguments -- and we all know the real story with those.
...and it was Slammer, you'd have to admit it was kind of a biggie.
Once I was a four stone apology. Now I am two separate gorillas.
Or perhaps weight the severity of the bugs?
I'm bitter today, but this mock-study is a joke, as are most security studies.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
All code has bugs. How many of the bugs are important to the users?
Who cares?
Facts are history now plebs have politics for religion on social media.
I think we'll stick with PostgreSQL for our little database.
The Army reading list
You tell me who does most of the meaningful transactions on-line, and I will tell you whose code is scrutinized harder. I don't know of many banks that use MS-SQL Server as their back-end for transactions, and for that matter, how many large e-commerce sites use MS-SQL for their back-end? Very few, I surmise.
NGS have of course done work on SQL Server for Microsoft; I refer you to the brief and rather one-sided flamewar on Bugtraq/FD that erupted when this was pointed out... actually see for yourself... (and here's the Bugtraq thread). I predict this will deal with 75% of the "but this is nonsense, because..." posts ;)
He's got a lot of credibility. This is the point I'm trying to make :)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Have you ever USED MS-SQL? At least the cheese doesn't take 45 minutes to report what flavor it is under normal load conditions...
NFS has More Flaws Than File Server?
yes, what exactly is the title talking about?
should be from the "No Sh*t Sherlock" department
So far, from what I've seen in SQL Server 2005, it doesn't seem that bad. At work, we're experimenting with the new mirroring feature on some test servers.
x bugs reported and ignored, y bugs not reported at all and not fixed.
I worked extensively with Oracle and SQL Server for 10 years at 2 companies. I ran into bugs with both systems. There was a vast difference between how each company responded to our bug reports.
We never contacted Microsoft with anything but the most severe bugs, and only those not documented on their web site. Even having the highest contract possible with Microsoft, they charged us for each phone call. Never once did the first 3 people we talked to have a clue. After going through 3 or 4 people we got to speak to a developer. For every bug except one, we were told to wait for the next official patch or Service Pack to fix our issue. One time we were fortunate enough to have a DLL updated by a developer and sent to us directly. Response by developers was very quick, but the other staff responded slow.
At the same time, Oracle was paying out $10,000 for each bug found. I thought I found the golden ticket. Turns out someone else had reported this extremely obscure bug I found earlier, but it wasn't yet published online anywhere. Every time we contacted Oracle we got to speak to a developer very quickly. On at least one occasion they sent a developer to our office to help investigate a bug. Every bug we reported got a patch very quickly.
The support from Oracle was far far superior to Microsoft. The bugs I ran into with Oracle were also far more obscure than those I found in Microsoft's SQL Server. I couldn't believe some of the things Microsoft left broken for months. Even if Oracle has a larger number of reported bugs I'd pick them over Microsoft any day.
Developers: We can use your help.
... they are rather quick to quash and fix a discovered security bug. Yes, there's a reason why I used both words. Check out the aftermath of this example at The Daily WTF.
"Times have not become more violent. They have just become more televised."
-Marilyn Manson
First of all, the product was originally Sybase SQL Server. Sybase named it SQL Server, not Microsoft. Microsoft and Sybase were working together on it, then Microsoft gave Sybase the boot as they usually do.
Sybase's current product is very solid, very reliable, and easy to use. It is a dream to work on compared to Oracle and I've worked on all three products.
Microsoft has added some features to SQL Server, but all in all, it is probably still very much a Sybase product at its core.
SQL server has always been a second-rater in the big DB wars. DB2 and Oracle being the best. They should have stuck DB2 in there too...
Blar.
Seems like I remember MS having been sued a few years ago by a small company regarding some technology in MS SQL Server... Any such suits against Oracle?
"Reported AND FIXED"
Doesn't that mean that SQL Server could have had 1000 bugs reported during that period, but only 50 or so got fixed?
It might be just poorly worded, but if this really was the metric... it doesn't really mean anything about security; in fact one could argue that the higher number is better (since more were fixed!)
remind me again - how many times has Oracle software been used to DOS the ENTIRE freaking internet?
As a security practitioner, there are a few things that are wrong with this report:
The number of published vulnerabilities does not indicate how 'secure' a product of software is. In fact, CERT no longer allows its research numbers to be used in this way, as it is considered misleading.
Oracle has a different approach to security vulnerability reporting than MS does. Oracle follows the CVSS (Common Vulnerability Scoring System) to allow customers to determine the level of risk in _their_ environment, with _their_ configuration. MS does not follow CVSS.
Just for historical purposes, I looked at the NVD stats page (http://nvd.nist.gov/statistics.cfm) listed in the article. If you search for Oracle DB server 10gR2 in 2006, you only see 3 vulnerabilities listed. I can't see how the numbers can be accurate...
Also, let's not forget that MS has recently confirmed that they do 'silent fixing' by attempting to patch/fix multiple issues in patches, and they perform undocumented changes. Last I checked, all changes were available in the Critical Patch Updates from Oracle.
I do not pretend to stand for Oracle or MS either way, but I do stand for a level evaluation - particularly when it comes to security.
both databases were reported to have more bugs than the Windows notepad.
:)
Further studies also showed that the Windows Notepad was more difficult to use than pen & paper and that oranges have more juice than apples.
Well gee, even if it were true, I'd still be forced to run SQL Server on frickin' Windows!
-"I ate what?"
MS SQL is a great product. It's their only product that has had years of uptime that I have only seen on Unix boxes, and it's easy to use and powerful. This also was back in the NT4 days, which was quite impressive.
I think this study might not be as much FUD as some are making it out to be. Oracle is the kitchen sink and has many components such as development tools and APIs that come with their product. Microsoft has them as well but bundles them with MSDN and VS.net. So if you compare the development tools that come with the database against just SQL Server and not their ADO.net and other .net tools then yes, it's an unfair comparison. I guess I need more details on the test to know what they tested.
http://saveie6.com/
...then it stands to reason that you will have a ton of additional bugs.
This argument in no way excuses Oracle for their timely patch cycle (or lack thereof), but may explain the higher number of patches.
I haven't looked at the Sybase/SQL Server family for awhile, but I assume that it still doesn't offer anything like Flashback, LogMiner, richer indexing, direct LGWR connection to DataGuard, resumable transactions, or even basic multiversioning.
XP quite good now? Apparently "Patch Tuesday" isn't in your monthly things-to-do list.... or checking Windows Update every day.... and as to the Google comment... if Microsoft wasn't worried about Google (shocking realization, I know) then why is Microsoft finally changing their browsers and MSN search since Google and Firefox came around..? google: Latest Windows XP bugs http://www.google.com/search?hl=en&q=Latest+Windows+XP+bugs&btnG=Google+Search ...OMGZ 51,500,000 results. Hey everyone, just ordered my Kubuntu CDs, I'm heading for the virtual hills... in truth though I prefer Slackware.
Back on topic though, I use MySQL; catching me using Oracle OR MSSQL is a joke. With open source I don't have to scream and cry and throw chairs (reference http://www.theregister.co.uk/2005/09/05/chair_chucking/).
I can code my own fix 99% of the time before an official one is released.
-Noc
Oh, and I assume you're talking about the TimeLine law suit? Actually that came about because TimeLine cancelled Microsoft's licensing agreement, which gave MS license to the patents. Unless you mean another law suit then please, stop trying to paint SQL Server as containing some sort of patent theft and Oracle as squeaky clean.
What I'd be most interested in, when I'm up shit creek with a cluster that just went "whoopy" on me, is the response/fix time by the product's support.
Don't say it won't ever happen...
Supporting MS products doesn't mean you have to like them.
It's here: http://malfy.org/
"but wouldn't it be more important from a security standpoint to determine which had more bugs that were reported and not fixed? "
Actually yes, and if you RTFA you will see that this is what Oracle gets slammed the biggest for: not only do they have lots of holes, they have lots of known unpatched holes, and hence the upcoming week of zero-day exploits being released.
you don't have to admit that the biggest DOS attack in the history of the internet was big? that makes a lot of sense...
if one agrees that "the behavior of MSSQL Server users made Slammer's effect on the Internet possible" (I do) then can one not make inferences from the fact that windoze/MSSQL is the platform of choice for the clueless?
I have no doubt that freelance security researchers (the source for TFA) do indeed find more vulnerabilities in Oracle. But this is at least as much a statement about security researchers as it is about Oracle. Oracle is what everybody spends their time on because of the way it's perceived: it's the market leader, with a high-power image, and a CEO prone to wild bouts of very un-FOSS like narcissism. That makes a much higher-prestige target.
Besides, almost all of the Oracle vulnerabilities I've seen come down to configuration issues. Most of them seem to start with "ok, get a login with DBA privs", for crissakes. Perhaps if you think of "a database" as that MySQL instance running on your desktop this seems like something that is likely to happen, but you know, this is what DBAs get paid to do all day...
Unmaintainable views, doing reindexing or running a heavy takes over the server (heard of priority??) and half-assed implementations of everything.
It starts sucking when you've used it a year or two, don't worry.
For me, it took 2 weeks to realize that the difference from 2000 is that it's *more*, not *better*. Not even *fixed*, really.
Why can't they put some serious work into the database itself, and not be so totally into charming the less knowledgeable?
BTW. Did I say I just loove postgres? *Cuddle*.
Or at least I haven't started hating it yet.
Disregarding that what we have is *known or announced* flaws, Oracle may or may not be 'better' than SQL Server as:
1) Locking down SQL Server is much harder. It is easier to run Oracle as a restricted user than SQL Server, reducing vulnerability. SQL Server, if you want to use SQL Agent, replication or other high end functions requires you to elevate the privileges under which you must run it.
2) SQL Server is *much* more reliant on the underlying OS. Which means you may want to count at least some of the OS bugs as SQL Server security bugs as well. This is especially important due to item 1 above.
3) Up to SQL Server 2005, you could run 'xp_cmdshell' and fire off commands to the server or network (xp_cmdshell now ships disabled and it should be left as such). Combined with 1 and 2, a user with sysadmin could be compromised, then via SQL Server net commands could be issued as if from a command line. If the SQL Server had access to network resources, or if someone was silly enough to put SQL Server on a domain controller, you could end up having a very bad week.
So counts alone are no measure of quality. You really have to look at the overall picture. I don't think Oracle is a great DB when it comes to security btw, definitely not as good as Oracle would have you believe, but I also think SQL Server is deeply flawed in some ways.
putting the 'B' in LGBTQ+
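As an added example (not the commenter's own code), here is the defensive check for item 3 above on a SQL Server 2005 or later instance: it reads the current xp_cmdshell state from sys.configurations, forces it back to the shipped default of disabled, and raises an error if it is still on. It assumes a login in the sysadmin role, which sp_configure requires.

```sql
-- Added example (not from the comment above): audit and enforce the
-- "xp_cmdshell disabled" default on SQL Server 2005+. Run as sysadmin.

-- 1. Current state. value_in_use = 1 means OS commands can be run from T-SQL.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Hardened form. xp_cmdshell is an "advanced option", so it has to be made
--    visible before it can be changed, then hidden again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;      -- 0 = disabled, the shipped default
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Re-check. Suitable as a scheduled audit query: it fails loudly (severity 16)
--    if anyone with sysadmin has re-enabled the option since the last run.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
    RAISERROR('xp_cmdshell is enabled on this instance', 16, 1);
```

Because only sysadmin can flip this option, the check is a tripwire for the "compromised sysadmin" scenario the comment describes, not a substitute for restricting who holds that role or for running the service under a low-privilege account (items 1 and 2).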
I have more flaws than Oracle and SQL Server combined.
You never really know how close to the edge you can go until you fall off.
all the bullshit i see is anti microsoft oriented because you simply hate microsoft.
if you were actual programmers or administrators like you claim to be then you would just accept the fact that SQL Server is A BETTER option. And if we look at SQL Server 2005... we can see that Oracle simply screwed up and should really step up.
SOON.
Hate Microsoft as much as you want but for fuck's sake be fair.
Their SQL server is a stable reliable and top class software out there.
Post...and mysql are children...oracle is the competition but this year they lost.
An obvious area is geospatial features.
Oracle has Oracle Spatial. PostgreSQL has PostGIS.
With SQL Server, you need to buy an expensive third party package (like ESRI ArcSDE or MapInfo Spatial) that does not work as well as PostGIS because ESRI doesn't have the hooks they need deep enough into the database to add spatial index types.
The PostgreSQL/PostGIS GIST index types are very well suited to geospatial data. The R-trees that I believe Oracle uses are good as well. Does SQL Server have R-tree indexes?
You can say the same about extension languages - SQL Server's fine if you want to extend it in their dialect of SQL (I hear their C# stored procedures exist but are recommended against) - while with Oracle you have their (very powerful) dialect of SQL and Java - but with PostgreSQL you have Java, Perl, C#, R (a SPSS clone), Ruby, etc.
Other pretty basic SQL Server features end up being hidden in their $40000/CPU versions of their product; so you won't see them in even moderately high volume products like Cisco's switches like PostgreSQL is - or really large databases like GlobeXplorer's (http://postgis.refractions.net/documentation/casestudies/globexplorer/) - yes, I know about Terraserver but note that Microsoft doesn't have to pay for their own licenses.
So basically, yes, it's not hard to defend the claim that even the most expensive SQL Servers with the most expensive third-party add-ons are pretty limited compared to PostgreSQL.
My left arm has more dead skin cells than my right index finger.
Why would one even want to compare SQL Server and Oracle? Are the 2 really in the same league? I have installed both at many sites and there have always been very clear criteria which dictate which gets installed at what site: amount of users and knowledge of the sysadmin. If I know I'm working with a guy with 10 users who thinks that AIX is a type of sportbike, then he gets SQL Server and my direct phone #. If I'm at a site with 1500 users with top notch sysadmins then they typically get a high end Unix/Linux machine with either an Oracle or Informix DB. I have flat out refused to install SQL Server at some sites based on the above criteria. I just don't understand the comparison. As soon as SQL Server can run on something other than an Intel box (and hopefully something other than Windows) and can handle the kind of workload that I expect without grinding to a halt then I might think about installing it at some of the bigger sites I work with.
That is the one product that Microsoft 'got it right' with. Though I don't agree with the new pricing structure of 05, when they hit the 2000 version it was actually a good product.
Not that I'm an MS fan, but I do give them credit when it's due.
---- Booth was a patriot ----
There was some work at Microsoft's research labs that came out in 2001 that's directly applicable to this thread: Don Slutz's work on massive stochastic testing of SQL systems. Basically, he generated random SQL queries and threw them at several database systems, looking for discrepancies and crashes. This kind of testing is disturbingly effective at finding weird bugs.
I would not be at all surprised if Microsoft has banks of servers do nothing but continuous randomized testing of their database product.
Funny, people complain about MS products being bloatware, and here you are complaining that SQL Server doesn't have a built-in GIS solution. It's an RDBMS, not a geospatial package. How much does that Oracle Spatial cost anyway?
:-(
$40000/CPU? Which type of dollars? Or do you mean lire? More like 12000 Euro/CPU for the fully-featured Enterprise Edition. This really is the most expensive license; there are many cheaper alternatives. Note that this is per chip, regardless of the number of cores per chip. SQL Server is cheap.
The reason people advise against using the CLR in SQL Server is because the languages it supports (the Java, C#, Perl you speak of with Postgres) are not declarative set based languages. You shouldn't be running junk like that on the database server. They are database servers, use the languages that they were built for. Only developers would want to run procedural languages on an RDBMS
What about our friends from IBM with DB2 and our friends at MySQL and PostgreSQL?
I realize they're only comparing the two, but why?
That's a bit like only comparing BMW and Lincoln when comparing car brands for safety. Sure, it's useful to see one relative to the other, but removed from the overall marketplace, it's not a particularly useful comparison.
Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
oracle beats down sql server.
period
oh, and try running sql server on a real server. (sybase doesn't count)
The article states "...233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology". It compares Oracle products to SQL Server. I get the Oracle bug lists and more often than not they are not database vulnerabilities but rather vulnerabilities in their tools like SQL*Plus, iAS application server etc. I wonder if anyone has a true count of database-only vulnerabilities? One might also be tempted to turn M$ lovers' own logic back on them: "Oracle has more vulnerabilities because more people use it than SQL Server"
Yes, because it's hard to compare against Microsoft SQL Server 2005's ZERO PUBLISHED SECURITY BUGS. That's right folks, Secunia have listed no security vulnerabilities in Microsoft SQL Server 2005 at all.
(For comparison, Oracle 10g's entry, with six hits from 2006, one of which they list as unpatched and another as partially patched. 13 advisories overall.)
In other irrelevant comparisons, drag race VW's go through more transmissions in a hundred miles than a stock bugs will in a hundred thousand highway miles. Does that mean drag race trannies are inferior, or does it mean stock trannies are better? Or did we omit something important from our comparison?
-fb Everything not expressly forbidden is now mandatory.
The fact that there are actually people who are comparing Oracle RDBMS with MSSQL is hilarious.
I did not read TFA... and I think it's a waste of time to do so.
I mean you can compare Oracle with DB2 (and that wouldn't be fair yet... but at least I will start listening)
BUT MSSQL is barely compared to MS Access...
enough said.
The lunatic is in my head
The problem with that is disclosure. Vendors typically don't disclose the bug until after the patch is out, and many security companies like NGS have a policy to not disclose until either the vendor has okayed it or a sufficient time to patch has passed. And even then, the vendor sometimes hides security patches in other updates.
So in other words, we don't know how many vulnerabilities exist until they are patched.
So at least Microsoft is improving its security issues. But I reckon Oracle is working hard to fix bugs.
Bhavesh
Source to top search engine ranking
I really like Postgresql too. It is just easy and works right. And, of course, is the oldest. I'm not sure of how Postgres compares to Mysql. Seen any good comparisons?
Having worked with all of them from the programmer's viewpoint I can definitely say none stands out as stellar and all offer the same feature set. I always hear people state Oracle has high performance but NEVER saw that to be true. What I saw a lot of was having to hand-tune the indexes. Oracle's query optimizer must not work. Even in join queries unused fields have to be selected due to Oracle's non-working query optimizer. That said, it probably still performs better than SQL Server. Just about the same as DB2 or Postgres in my testing. Actually, for some things like inserts Oracle sucks. Of course Teradata could be much faster for complex queries but now one is largely talking about hardware - and that's the gist of it. Most of the ideas really are comparing Oracle on a quad server with 12GB RAM to something else on a PC. With today's PCs going toward dual core and 4 GB of RAM (that's what Serviza presently sells as a Linux desktop - http://www.serviza.com/) the argument is sorta becoming more clear.
Also, the failure of Oracle to provide even decent programmer tools is disgusting. In the Open Source world I have an arsenal of tools to work with Postgres and MySQL. Really, there is no legitimate reason to pay money for an RDBMS system. Set theory has been well-understood for decades and the major commercial RDBMS vendors are not innovating. In 15 years of software projects I've yet to see one that could not have been done with today's MySQL or PostgreSQL. But I've seen millions handed to Oracle over and over and tens of thousands handed to Microsoft. To me, Oracle is the premier example of selling the same thing as everyone else but charging 10 times as much. It's like buying a hotdog at the game - you're paying $5 for something that costs 50 cents. "The Million Dollar Pizza" book addresses this waste on a personal level but on a corporate level the execs are too busy scamming the company to worry about its long term health. Anyone buying Microsoft SQL Server or Oracle in 2007 ought to have their head examined and probably the investment docked from their paycheck. Of course momentum and other arguments apply and that's why companies still spend millions on mainframes to do what a PDA of today could do.
My $.02,
TimJowers
Expect Freedom.
Seriously, how many people need a GIS solution integrated into their RDBMS? No doubt some do, but that is a niche feature that is probably infrequently used and a very weak argument.
Regarding the language support, you imply that using Microsoft specific SQL extensions is bad and in the same breath tout Oracle specific SQL extensions as being a good thing. Make up your mind. Are vendor specific extensions good or bad? Similar issue with support for other languages as you discount .NET as being flawed, but champion Java support. That is a 100% religious argument and does nothing but show your personal bias.
That mirroring feature is a pain in the ass to get working for smaller shops that don't use domains. It only works on a single database at a time. Guess what.. users stored in that database are mapped to logins using SIDs, but those logins don't get mirrored..... You have to fix everything with the logins if you want to swap over to the secondary server. It's a particular issue I'm dealing with right now. The main thing I was griping about though was the lack of analytical features compared to Postgres, or even Oracle. Try doing a running average without a cross join. -- Good luck.