Contrary to what Oracle likes to advertise in its marketing spin, the company's database is far from secure. The Central Intelligence Agency (CIA) might have been the application's first user, but these days the software is flooded with SQL injection flaws.

Contrary to Windows however, the flaws in Oracle remain largely invisible to the outside world. After all, few people have Oracle running on their desktop computers and we haven't seen any large scale worm attacks targeting Oracle databases. To the extent that attackers are targeting Oracle databases, they do so in targeted attacks to steal customer data or conduct industrial espionage.

22 Nov 2006

So how do you make sure that the world finds out about Oracle's horrible security record?

By comparing the new devil with the old one, security researcher David Litchfield decided. Earlier today he published a whitepaper that drew a crystal clear picture. Around the same time that Microsoft succeeded to curb its security problems in SQL Server, Oracle completely lost control and saw the number of security vulnerability skyrocket.

Another researcher plans to have a "week of 0-day Oracle Database bugs" in an effort to draw the public's attention to the issue.

Larry Ellison in 2001 unwrapped a marketing programme that claimed that his database was "unbreakable", but reality has long since unveiled the hollowness behind the hype. Last month he dusted off the slogan once more, this time to market Oracle's support for Red Hat Linux.

If that's what Oracle's "unbreakable" respresents, Red Hat has nothing to worry about.

technorati tags: oracle, security, david+litchfield,