Open Source and information security mailing list archives
Message-ID: <041501c7138f$775ad100$4001a8c0@ngssoftware.com>
Date: Wed, 29 Nov 2006 08:22:09 -0000
From: "David Litchfield" <davidl@...software.com>
To: "Shawn Fitzgerald" <sargon97@...il.com>,
	<bugtraq@...urityfocus.com>
Subject: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

Hi Shawn,
>> Oracle do not report issues they've found internally in their alerts.
>> Every DBn in their alerts marries up to "public" flaws.

> Not that I disagree (or know for that matter) but at
> blogs.oracle.com/security/ they state that they, "Disclose the existence
> of vulnerabilities once cured, even if they are discovered internally."
>
> Maybe someone should leave a comment correcting them or better yet invite
> them to discuss some of the issues brought up on this list.

Ah, the wonders of Oracle Spin Blog. When Oracle issue an alert they credit 
a number of external security researchers. Some of these researchers don't 
post their own advisories for the flaws that they've reported but others do. 
When you marry up the advisories of those that do to the vulnerabilities 
listed in the Risk Matrix in the Oracle alert you're left with only a few 
"unexplained" entries. So either these were found internally by Oracle or 
they were found by the researchers that don't publish advisories. Now, when 
Mary Ann Davidson, the Oracle CSO, has gone on record as saying that they 
find more than 75% of significant issues internally (bottom of section 3 
here - 
http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html) 
we're left in a situation where the numbers just don't stack up. Either they 
don't publish internal finds (which leaves Mary's statement intact) or they 
do publish internal finds which destroys Mary's statement. There is of 
course the possibility that external researchers are reporting issues that 
have already been found internally - which would leave both statements 
intact. However, when I report a new issue to Oracle the way in which they 
respond indicates whether you've found a new issue or a duplicate. It's not 
very often you get a duplicate so we're still left with the contradiction. 
Either way this contradiction means that someone at Oracle is lying. The 
problem with spin is that it leaves you dizzy and you might just end up on 
your butt.

Cheers,
David
