lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Nov 2006 17:00:34 -0000
From: "David Litchfield" <davidl@...software.com>
To: "Steven M. Christey" <coley@...re.org>,
	<bugtraq@...urityfocus.com>
Subject: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

Hi Steven,
> For example, there appears to be distinct difference in editorial
> policy between Oracle and Microsoft in terms of publishing
> vulnerabilities that the vendors discovered themselves, instead of
> third parties.  This might produce larger numbers for Oracle, which
> appears to include internally discovered vulnerabilities in their
> advisories, whereas this is not necessarily the case for Microsoft
> [2], [3].

Oracle do not report issues they've found internally in their alerts. Every 
DBn in their alerts marries up to "public" flaws.

>  In both cases, the lack of details can mean that multiple
> issues wind up with one public identifier; for example, Oracle Vuln#
> DB01 from CPU Jul 2006 (CVE-2006-3698) might involve 10 different
> issues, and this is not an isolated case.  This can further muddy the
> waters.

...which is why I broke every actual flaw down in the document. For example 
the following flaws are all covered by CVE-2002-0154

xp_proxiedmetadata overflow CAN-2002-0154 MS02-020
xp_mergelineages overflow CAN-2002-0154 MS02-020
xp_controlqueueservice overflow CAN-2002-0154 MS02-020
xp_createprivatequeue overflow CAN-2002-0154 MS02-020
xp_createqueue overflow CAN-2002-0154 MS02-020
xp_decodequeuecmd overflow CAN-2002-0154 MS02-020
xp_deleteprivatequeue overflow CAN-2002-0154 MS02-020
xp_deletequeue overflow CAN-2002-0154 MS02-020
xp_displayqueuemesgs overflow CAN-2002-0154 MS02-020
xp_oledbinfo overflow CAN-2002-0154 MS02-020
xp_readpkfromqueue overflow CAN-2002-0154 MS02-020
xp_readpkfromvarbin overflow CAN-2002-0154 MS02-020
xp_repl_encrypt overflow CAN-2002-0154 MS02-020
xp_resetqueue overflow CAN-2002-0154 MS02-020
xp_unpackcab overflow CAN-2002-0154 MS02-020

If someone is willing to sit down and do the research the details are "out 
there" and in a paper such as the comparison it was imperative to have these 
details.
Cheers,
David Litchfield

Powered by blists - more mailing lists