Oracle and Symantec Threat Report: Bad Counting?
Usually, I am not in a position to defend Oracle on the number of vulnerabilities fixed, but the recent Symantec Internet Security Threat Report inflated the vulnerability count for Oracle by comparing apples and oranges. This version of the Threat Report contains a comparison of the number of vulnerabilities found in five leading relational databases (Oracle, IBM DB2, Microsoft SQL Server, MySQL, and PostgreSQL). Oracle looks really bad with 168 vulnerabilities published during the second half of 2006 as compared to 5 for IBM DB2 and 0 for Microsoft SQL Server during the same period. I am not here to defend Oracle, as the true number is way more than 5; however, it is far less than 168 when only comparing database vulnerabilities to database vulnerabilities.
Our internal count puts the Oracle Database-only published vulnerability count for the second half of 2006 at 49. In the most limited installation of the Oracle RDBMS without any optional products, the number of vulnerabilities would be about 20. The Symantec report does address the feature issue by saying:
"Oracle’s database implementations offer a greater feature set and a broader range of database products than many of the other database vendors. The more features an application has, the more code that is available in which to find vulnerabilities, and the more code that must be audited for vulnerabilities. This can equate to a higher proportion of vulnerabilities, depending on the nature and complexity of the features."
What I find interesting is that Symantec appears to have been able to filter IBM WebSphere and other IBM products from the IBM DB2 count, but did not do the same for Oracle (based on a quick search of NVD).