Slashdot Mirror
Oracle Has More Flaws Than SQL Server
jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"
Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'
Oracle's response in english: Clearly you have no idea what you're doing, because your results showed us in a poor light. Perhaps you'd like to try again. We have a bag of money for you.
The theory of relativity doesn't work right in Arkansas.
Oracle has a million more configuration options than SQL Server. It only makes sense that there will therefore be many more bugs.
MSSQL is a SQL Server. MySQL is a SQL Server. Oracle is a SQL Server. Please be more specific and explain which SQL Server you are talking about.
Granted, the summary does explain that the article does indeed refer to MSSQL Server, but please stop calling it just SQL Server. MSSQL Server != SQL Server
(OK, I feel better. What is the moderation for RANT?)
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Anyone that has tried to read (or even tried to lift up) one of the oracle manuals knows that this is seriously feature-rich and complicated stuff. It would be more interesting to see how many bugs per line of code the two contenders have.
what about IBM DB2?
One man, one word.
While the # of vulnerabilities is unacceptable, Oracle is right ... just comparing the # of bugs is not really valid. Now if Oracle has had more Severe security violations that Microsoft, it would be a different (and far more interesting) story. Oracle is still a more robust database, so one would expect there to be more bugs than another app with fewer modules and lines of code.
Huh? Don't mind me, I'm just the new guy.
The number of flaws doesn't matter. a slice of cheese has one flaw as a database. It isn't a database. This doesn't make it a better product.
Not least the criteria for selecting and enumerating flaws, and any differences between those criteria for the two products. Not saying that there is a problem, just that any prospective customer needs to take this into consideration and check his facts.
This whole study reminds me of a couple of years ago, when someone decided to make a comparative list of security flaws between Windows and Linux. For the former, they only included official Microsoft security fixes. For the latter, they included just about every bug in every open source project known to man. Big surprise, Windows was found to have less flaws.
When it comes to security, trust no one. Especially not research firms, security "specialists" and people mouthing off about security on Slashdot.
Hey, waitaminute....
And remember kids: Never trust a computer you can actually lift.
Reported and fixed means that the company which doesn't fix bugs looks more secure. Not that I'm implying that MS is worse than Oracle on this, mind you. I just wanted to point out that this metric has loads of potential flaws.
See what I've been reading.
Let's see that again.
The study looked at vulnerabilities that were reported and fixed...
So, if it wasn't fixed, was it counted?
Huh? Security is not about "software development life-cycle".
That's why you have almost daily updates of anti-virus software for Microsoft products.
Big time. One remote root vulnerability is worth 10,000 local app crash vulnerabilities.
Yep. Because Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.
Remember, you can never count on a user applying a patch. Your system has to be as secure as possible in the default, unpatched, configuration.
Not only is it not "the best approach", it is a fucking idiotic approach only used by morons who have no understanding of what "security" is.
It's not the number of bugs. It's what access can be gained by that bug and how easily it is to invoke that bug in the various "standard" configurations.
...and it was Slammer, you'd have to admit it was kind of a biggie.
Once I was a four stone apology. Now I am two separate gorillas.
Or perhaps weight the severity of the bugs?
I'm bitter today, but this mock-study is a joke, as are most security studies.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
All code has bugs. How many of the bugs are important to the users?
Who cares?
Facts are history now plebs have politics for religion on social media.
I think we'll stick with PostgreSQL for our little database.
The Army reading list
NGS have of course done work on SQL Server for Microsoft; I refer you to the brief and rather one-sided flamewar on Bugtraq/FD that erupted when this was pointed out... actually see for yourself... (and here's the Bugtraq thread). I predict this will deal with 75% of the "but this is nonsense, because..." posts ;)
He's got a lot of credibility. This is the point I'm trying to make :)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Have you ever USED MS-SQL? At least the cheese doesn't take 45 minutes to report what flavor it is under normal load conditions...
NFS has More Flaws Than File Server?
yes, what exactly is the title talking about?
So for from what i've seen in SQL Server 2005, it doesn't seem that bad. At work, we're experimenting with the new mirroring feature on some test servers.
x bugs reported and ignored, y bugs not reported at all and not fixed.
I worked extensively with Oracle and SQL Server for 10 years at 2 companies. I ran into bugs with both systems. There was a vast difference between how each company responded to our bug reports.
We never contacted Microsoft with anything but the most severe bugs, and only those not documented on their web site. Even having the highest contract possible with Microsoft, they charged us for each phone call. Never once did the first 3 people we talked to have a clue. After going through 3 or 4 people we got to speak to a developer. For every bug except one, we were told to wait for the next official patch or Service Pack to fix our issue. One time we were fortunate enough to have a DLL updated by a developer and sent to us directly. Response by developers was very quick, but the other staff responded slow.
At the same time, Oracle was paying out $10,000 for each bug found. I thought I found the golden ticket. Turns out someone else had reported this extremely obscure bug I found earlier, but it wasn't yet published online anywhere. Every time we contacted Oracle we got to speak to a developer very quickly. On at least one occassion they sent a developer to our office to help investigate a bug. Every bug we reported got a patch very quickly.
The support from Oracle was far far superior to Microsoft. The bugs I ran into with Oracle were also far more obscure than those I found in Microsoft's SQL Server. I couldn't believe some of the things Microsoft left broken for months. Even if Oracle has a larger number of reported bugs I'd pick them over Microsoft any day.
Developers: We can use your help.
... they are rather quick to quash and fix a discovered security bug. Yes, there's a reason why I used both words. Check out the aftermath of this example at The Daily WTF.
"Times have not become more violent. They have just become more televised."
-Marilyn Manson
Actually, the argument here is because a product has less bugs reported and fixed, it is therefore more secure than one with less bugs reported and fixed.
That this metric is clearly bogus is, well, pretty obvious, since with two initially identical products, with the same bugs reported, the product which has the fewest bugs fixed will be rated "more secure".
First of all, the product was originally Sybase SQL Server. Sybase named it SQL Server, not Microsoft. Microsoft and Sybase were working together on it, then Microsoft gave Sybase the boot as they usually do.
Sybase's current product is very solid, very reliable, and easy to use. It is a dream to work on compared to Oracle and I've worked on all three products.
Microsoft has added some features to SQL Server, but all in all, it is probably still very much a Sybase product at its core.
My spidey senses tell me that you've never actually used SQL Server at all.
SQL server has always been a second-rater in the big DB wars. DB2 and Oracle being the best. They should have stuck DB2 in there too...
Blar.
"Reported AND FIXED"
Doesnt that mean that SQL server could have had 1000 bugs reported during that period, but only 50 or so got fixed?
It might be just poorly worded, but if this really was the metric... it doesnt really mean anything about security, in-fact one could argue that the higher number is better (since more were fixed!)
both databases were reported to have more bugs than the Windows notepad.
:)
Further studies also showed that the windows notepad was to be more difficult to use than pen & paper and that oranges have more juice than apples
Well gee, even if it were true, I'd still be forced to run SQL Server on frickin' Windows!
-"I ate what?"
MS SQL is a great product. Its their only product that has had years of uptime that I have only seen on Unix boxes and its easy to use and powerful. This also was back in the NT4 days which was quite impressive.
.net tools then yes its an unfair comparison. I guess I need more details on the test to know what they tested.
I think this study might not be as much fud as some are making it to be. Oracle is the kitchen sink and has many components such as development tools an d apis that come with their product. Microsoft has them as well but bundles them with MSDN and VS.net. So if you compare the development tools that come with the database agaisnt just SQL Server and not their ADO.net and other
http://saveie6.com/
... not to mention that it's virtually impossible to lose data in an Oracle database. You can literally take a mish-mash of old backups from an Oracle db and have a solid chance of recovering your data if you run in archive log mode. I can't imagine anybody keeping data they give a damn about in MS-SQL, especially considering that it only runs on one of the most insecure OSes known to man. Yeah, Oracle is way too expensive and complex, but if you need your data available 99.999%, it's really does offer the best guarantee of meeting that availability.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
How did this get modded "informative?" There's no actual information in the post, aside from a claim about "300 times as many useful analytical features," while providing no definition for "useful," much less anything like even a glimpse of what those "usefule analytical features" are.
Really, this post parses to: Product A is WAY better than brand X! Even product C is better than brand X!
I see claims like that in TV ads all the time; I'm not tempted to call them "informative."
Reality has a conservative bias: it conserves mass, energy, momentum...
If you were going to compare you should have also looked up Microsoft SQL server for 2006 when there were 0. You should note that MS SQL Server isn't broken down by versions either.
...then it stands to reason that you will have a ton of additional bugs.
This argument in no way excuses Oracle for their timely patch cycle (or lack thereof), but may explain the higher number of patches.
I haven't looked at the Sybase/SQL Server family for awhile, but I assume that it still doesn't offer anything like Flashback, LogMiner, richer indexing, direct LGWR connection to DataGuard, resumable transactions, or even basic multiversioning.
XP quite good now? apparently "Patch Tuesday" isn't in your monthly things to do list.... or checking windows update every day.... and as to the google comment... if Microsoft wasn't worried about google(shocking realization i know) then why is microsoft finally changing their browsers, and msn search since google and firefox came around..? google: Latest Windows XP bugs http://www.google.com/search?hl=en&q=Latest+Window s+XP+bugs&btnG=Google+Search ...OMGZ 51,500,000 results hey everyone just ordered my Kubuntu CD's I'm heading for the virtual hill's...in truth though I prefer Slackware.
Back on topic though, I use MySQL, catching me using Oracle OR MSSQL, is a joke, with open source I don't have to scream and cry and throw chairs(reference http://www.theregister.co.uk/2005/09/05/chair_chuc king/)
I can code my own fix 99% of the time before an official one is released.
-Noc
Oh, and I assume you're talking about the TimeLine law suit? Actually that came about because TimeLine cancelled Microsoft's licensing agreement, which gave MS license to the patents. Unless you mean another law suit then please, stop trying to paint SQL Server as containing some sort of patent theft and Oracle as squeaky clean.
There are also a couple of minor issues which aren't mentioned:
1. If you're buying software rather than developing it yourself, the first question isn't "is the database secure?", it's "does this software solve my problem?".
2. If you are developing software yourself and you're concerned about security, you should be putting a firewall between the database server and the app server, and setting various standards in your development processes which say things like "all data will be checked before being passed to the database"; furthermore you would test for such things as part of your standard test routine.
I be most interested in, when I'm up shit creeck with a cluster that just went "whoopy" on me, is the response/fix time by the products support.
Don't say it won't ever happen...
Supporting MS products doesn't mean you have to like them.
I have no doubt that freelance security researchers (the source for TFA) do indeed find more vulnerabilities in Oracle. But this is at least as much a statement about security researchers as it is about Oracle. Oracle is what everybody spends their time on because of the way it's perceived: it's the market leader, with a high-power image, and a CEO prone to wild bouts of very un-FOSS like narcissism. That makes a much higher-prestige target.
Besides, almost all of the Oracle vulnerabilities I've seen come down to configuration issues. Most of them seem to start with "ok, get a login with DBA privs", for crissakes. Perhaps if you think of "a database" as that MySQL instance running on your desktop this seems like something that is likely to happen, but you know, this is what DBAs get paid to do all day...
Disregarding that what we have is *known or announced* flaws, Oracle may or may not be 'better' than SQL Server as:
1) Locking down SQL Server is much harder. It is easier to run Oracle as a restricted user than SQL Server, reducing vulnerability. SQL Server, if you want to use SQL Agent, replication or other high end functions requires you to elevate the privileges under which you must run it.
2) SQL Server is *much* more reliant on the underlying OS. Which means you may want to count at least some of the OS bugs as SQL Server security bugs as well. This is especially important due to item 1 above.
3) Up to SQL Server 2005, you could run 'xp_cmdshell' and fire off commands to the server or network (xp_cmdshell' now ships disabled and it should be left as such). Combined with 1 and 2, a user with Sysadmin could be compromised, then via SQL Server Net commands could be issued as if from a command line. If the SQL Server had access to network resources or if someone was silly enough to put SQL Server on a domain controller you could end up having a very bad week.
So counts alone are no measure of quality. You really have to look at the overall picture. I don't think Oracle is a great DB when it comes to security btw, definitely not as good as Oracle would have you believe, but I also think SQL Server is deeply flawed in some ways.
putting the 'B' in LGBTQ+
I have more flaws than Oracle and SQL Server combined.
You never really know how close to the edge you can go until you fall off.
An obvious area is geospatial features.
e studies/globexplorer/) - yes, I know about Terraserver but note that Micrsosoft doesn't have to pay for their own licenses.
Oracle has Oracle Spatial. PostgreSQL has PostGIS.
With SQL Server, you need to buy an expensive third party package (like ESRI ArcSDE or MapInfo Spatial) that does not work as well as PostGIS because ESRI doesn't have the hooks they need deep enough into the database to add spatial index types.
The PostgreSQL/PostGIS GIST index types are very well suited to geospatial data. The R-trees that I believe Oracle uses are good as well. Does SQL Server have R-tree indexes?
You can say the same about extension languages - SQL Server's fine if you want to extend it in their dialect of SQL (I hear their C# stored procedures exist but are recommended against) - while with Oracle you have their (very powerful) dialect of SQL and Java - but with PostgreSQL you have Java, Perl, C#, R (a SPSS clone), Ruby, etc.
Other pretty basic SQL Server features end up being hidden in their $40000/CPU versions of their product; so you won't see them in even moderately high volume products like Cisco's switches like postgresql is - or really large databases like GlobeXplorer's (http://postgis.refractions.net/documentation/cas
So basically, yes, it's not hard to defend the claim that even the most expensive SQL Servers with the most expensive third-party-ad-ons are pretty limited compared to PostgreSQL.
My left arm has more dead skin cells than my right index finger.
Why would one even want to compare SQL server and Oracle. Are the 2 really in the same league? I have installed both at many sites and there has always been very clear criteria which dictates which gets installed at what site: Amount of users and knowledge of sysadmin. If I know I'm working with a guy with 10 users who thinks that AIX is a type of sportbike, then he gets SQL server and my direct phone #. If I'm at a site with 1500 users with top notch sysadmins then they typically get a high end unix/linux machine with either an Oracle or Informix DB. I have flat out refused to install SQL server at some sites based on the above criteria. I just don't understand the comparison. As soon as SQL server can run on something other than an intel box (and hopefully something other than Windows) and can handle the kind of workload that I expect without grinding to a halt then I might think about installing it at some of the bigger sites I work with.
A database engine is only as good as the way it was depolyed. just because a product is from Vendor B instead of Vendor A, doesnt mean that product is going to be instantly better and gaurentee 5 nines. Oracle on a crappy box, no real backups, and a smack-tard of a dba thinking he can be a system/network as well? Well, thats a crap shoot. MS-SQL on a cluster with HA boxes with a steller Fibre Channel and Ethernet/IP backend, killer DBA's and network/sysadmins, strong backup policy and methods? I think those databases will stand a lot better chance of hitting 5 nines. I'm not being a Oracle hater or a MS-SQL fanboy, but data availablity is not just about the RDBMS alone. Its also about the environment the RDBMS is depolyed in.
Oh btw, I've MS-SQL running mission critical databases for years, and I've never had to say "We lost data". It aint luck that keeps me from saying that.
That is the one product that microsoft 'got it right' with. Thou i dont agree with the new pricing structure of 05, when they hit the 2000 version it was actually a good product.
Not that im a MS fan, but i do give them credit when its due.
---- Booth was a patriot ----
There was some work at Microsoft's research labs that came out in 2001 that's directly applicable to this thread: Don Slutz's work on massive stochastic testing of SQL systems. Basically, he generated random SQL queries and threw them at several database systems, looking for discrepancies and crashes. This kind of testing is disturbingly effective at finding weird bugs.
I would not be at all surprised if Microsoft has banks of servers do nothing but continuous randomized testing of their database product.
What about our friends from IBM with DB2 and our friends at MySQL and PostgreSQL?
I realize they're only comparing the two, but why?
That's a bit like only comparing BMW and Lincoln when comparing car brands for safety. Sure, it's useful to see one relative to the other, but removed from the overall marketplace, it's not a particularly useful comparison.
Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
The article states "...233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology". It compares Oracle producs to SQL server. I get the Oracle bug lists and more often than not they are not database vulnerabilities but rather vulnerabilities in their tools like SQL*Plus, iAS application server etc. I wonder if anyone has a true count of database-only vulnerabilities? One might also be tempted to turn M$ lovers' own logic back on them: "Oracle has more vulnerabilities because more people use it than SQL Server"
I think he meant "MS Access".
Seriously, I wish people could come up with cogent arguments instead of "sux, half-assed implementation, or crashes all the time"
My organization uses SQL SERVER 2005 and we have had nothing but great success. I especially love the XML data type with schema binding. In my recollection, the only failures we have had was either hardware-based or DBA-error.
Cheers!
-- Posted from my parent's basement
In other irrelevant comparisons, drag race VW's go through more transmissions in a hundred miles than a stock bugs will in a hundred thousand highway miles. Does that mean drag race trannies are inferior, or does it mean stock trannies are better? Or did we omit something important from our comparison?
-fb Everything not expressly forbidden is now mandatory.
I really like Postgresql too. It is just easy and works right. And, of course, is the oldest. I'm not sure of how Postgres compares to Mysql. Seen any good comparisons?
Having worked with all of them from the programmer's viewpoint I can definitely say none stands out as steller adn all offer the same feature set. I always hear people state Oracle has high performance but NEVER saw that to be true. What I saw alot of was having to hand-tune the indexes. Oracle's query optimizer must not work. Even in join queries unused fields have to be selected due to Oracle's non-working query optimizer. That said, it probably still performs better than SQL Server. Just about the same as db2 or postgres in my testing. Actually, for some things like inserts Oracle sucks. Of course Teradata could be much faster for complex queries but nwo one is largely talking about hardware - and that's the jist of it. Most of the ideas really are comparing Oracle on a quad server with 12GB RAM to something else on a PC. With today's PC's going toward Dual Core and 4 GB of RAM (that's what Serviza presently sells as a Linux desktop - http://www.serviza.com/ the argument is sorta becoming more clear.
Also, the failure of Oracle to provide even decent programmer tools is disgusting. In the Open Source world I have an arsenal of tools to work with Postgres and Mysql. Really, there is not legitimate reason to pay money for an RDBMS system. Set theory has been well-understood for decades and the major commercial RDBMS vendors are not innovating. In 15 years of software projects I've yet to see one that could not have been done with today's Mysql or Postgresql. But I've seens millions handed to Oracle over and over and tens of thousands handed to Microsoft. To me, Oracle is the premier example of selling the same thing as everyone else but charging 10 times as much. It's like buying a hotdog at the game - you're paying $5 for something that costs 50 cents. "The Million Dollar Pizza" book addresses this waste on a personal level but on a corporate level the exc.s are too busy scamming the company to worry about its long term health. Anyone buying Microsoft SQL Server or Oracle in 2007 ought to have their head examined and probably the investment docked from their paycheck. Of course momentum and other arguments apply and that's why companies still spend millions on Mainframes to do what a PDA of today could do.
My $.02,
TimJowers
Expect Freedom.
Okay, I'll give you one real example: SQL Server didn't even have ANY windowing functions until 2005, and they're still seriously crippled compared to Oracles -- even postgres as better analytical capabilities. Try doing a moving average WITHOUT a cross join -- Good luck. SQL Server is actually pretty decent -- until you start comparing it to things like Oracle and Postgres.
That mirroring features is a pain in the ass to get working for smaller shops that don't use domains. It only works on a single database at a time. Guess what.. users stored in that database are mapped to logins using SIDs, those logins don't get mirrored though..... You have to fix everything with the logins if you want to go swap over to the secondary server. It's a particular issue I'm dealing with right now. The main thing I was griping about though was the lack of analytical features compared to postgres, or even oracle. Try doing a running average without a cross join. -- Good luck.
At least somebody around here isn't a hater :)
Seriously, I'd rather use postgres than this shit -- and it's free. Recovering your server after an OS failure if the drive names change is annoying to say the least. I've had nothing but trouble with all of it. On top of that it's statistical and analytical features are pathetic.
The best part is the new Enterprise Manager replacement. Microsoft SQL Server Management Studio (say that three times fast) has a tendency to rewrite queries for saved views using their tools instead of raw SQL statements. I wrote up some _valid_ sql in the view editor and saved it and it rewrote it into a bunch of garbage that didn't work right. (This happens quite alot, aside from it changing my indentation and screwing it up so you can't read it)