Microsoft beats Oracle in security showdown

A new report ranks Microsoft SQL Server 2000 service pack 4 as the most secure database in the market

Microsoft is beating Oracle hands down with the security of its database, according to a new report. 

David Litchfield, a security researcher with NGS Software, published a whitepaper entitled Which database is more secure? Oracle vs. Microsoft (PDF download) on 21 November comparing the number of software vulnerabilities patched by both vendors in their respective products in the past six years. 

Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases.

The research also pointed out that Microsoft has not issued a single security bulletin for its databases since mid-2003, whereas Oracle has seen a spike in patches in recent years.

Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project. He ranked Oracle's 10g database at the bottom. 

"It will take me five minutes to find a new bug in the Oracle 10g database, but I cannot do that with SQL Server 2005," Litchfield told vnunet.com in an interview. 

Litchfield claims to have reported 49 vulnerabilities to Oracle that the company has yet to patch.

Other researchers are sitting on dozens of so-called zero-day vulnerabilities, including security firm Argeniss which plans to have a Week of Oracle Database Bugs in December to demonstrate the vendor's poor security record. 

Litchfield's report deals another blow to Oracle. Analyst firm Enterprise Strategy Group (ESG) published a research note earlier this month blasting Oracle's security record, drawing largely the same conclusions.

The ESG report, Microsoft SQL Server Runs the Security Table, (PDF download) attracted criticism, however, prompting Litchfield to publish his whitepaper.

Litchfield's whitepaper also drew some criticism, however. Alexander Kornbrust, chief executive at Red Database Security, said on the Full Disclosure security mailing list that the comparison between the Oracle and Microsoft products is unfair. 

Oracle has far more features providing attackers with more places to target, according to Kornbrust.

Litchfield countered that Oracle should have mitigated that risk by not installing all components by default.

Oracle chief executive Larry Ellison is known to pick on Microsoft for the poor security record of Windows. Oracle launched a marketing campaign in 2001 that labeled the company's database as "unbreakable".

Litchfield responded to Oracle's boast by demonstrating a serious vulnerability that could allow attackers to take control of servers running the database.

Oracle has moved away from the "unbreakable" label in recent years, but revived the claim in October to describe its Red Hat Linux support offering. 

Oracle's security model has failed to keep up with the evolution in security threats, alleged Litchfield. The company also needs to update its scanning tools, he recommended.

"It is going to take a younger, more dynamic team. Oracle's people are too much rooted in the Department of Defense standards that are not as secure are they once were," he said.

Oracle's database is suffering from a large number of SQL injection vulnerabilities that can be easily exploited through the web.

SQL injection attacks occur when attackers execute commands or queries by e ntering special code into online forms, thereby tricking the database to expose confidential data.

Litchfield said that the database was especially vulnerable to so-called second order SQL injection flaws. Exploits for such a flaw involve a two-step process in which attackers first enter seemingly harmless information into the database.

But when the data is used in a second query at a later time, it will cause the payload to execute. Oracle did not respond to multiple requests for comment.