Search Results

You are browsing the search results for "oracle".

Weak of Oracle Bugs

No, not a typo. A couple weeks back, Argeniss “was proud to announce that we are starting on December the “Week of Oracle Database Bugs” (WoODB).” A couple days ago they abruptly called off the WoODB with the following message: We are sad to announce that due to many problems the Week of Oracle Database […]

Oracle Starts Using CVSS Risk Ratings

Oracle’s last quarterly critical patch update included some changes and started using CVSS to rate the severity of their vulnerabilities. Anyone that has ever tried to truly understand Oracle vulnerabilities most likely thought this would be a much needed improvement. The whole easy, difficult, wide, low, high ratings Oracle used previously made it almost impossible […]

Oracle RDBMS vs Microsoft SQL Server

Introduction: This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data, so issues that affect, for […]

For journalists covering Oracle…

2004-08-04: 34 flaws found in Oracle database software
2004-09-03: US gov and sec firms warn of critical Oracle flaws
2004-10-15: Oracle Warns of Critical Exploits
2005-01-20: Oracle Patch Fixes 23 ‘Critical’ Vulnerabilities
2005-10-19: Oracle fixes bugs with mega patch
2006-01-18: Oracle fixes pile of bugs

In the interest of helping journalists cover Oracle.. perhaps they […]

Oracle: Three years and ten months without a patch

David Litchfield posted to Full-Disclosure pointing out more Oracle errata: From: David Litchfield ( To:,, Date: Tue, 15 Nov 2005 13:12:41 -0000 Subject: [Full-disclosure] Three years and ten months without a patch Whilst looking over old Oracle bugs I discovered that a fully patched Oracle server is still vulnerable to […]

“Complete failure of Oracle security response..”

From: David Litchfield (davidl @ To: bugtraq @, ntbugtraq @ Date: Thu, 6 Jan 2005 16:01:26 -0000 Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers Dear security community and Oracle users, Many of my customers run Oracle. Much of the U.K. Critical […]

Scary Oracle Numbers

,1217,a=160368,00.asp On Security, Is Oracle the Next Microsoft? September 16, 2005 By Paul F. Roberts While [Oracle CSO Mary Ann Davidson] acknowledges that some of the criticism from Litchfield and others is valid, outsiders aren’t privy to the 75 percent of product holes that Oracle discovers and fixes internally. OSVDB has listings for roughly 330 […]

A Note on the Verizon DBIR 2016 Vulnerabilities Claims

[Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did not stand up to scrutiny. With a few […]

A quick, factual reminder on the value and reality of a “EULA”… (aka MADness)

This post is in response to the drama of the last few days, where Mary Ann Davidson posted an inflammatory blog about security researchers who send Oracle vulnerabilities while violating their End-user License Agreement (EULA… that thing you click without reading for every piece of software you install). The post was deleted promptly by Oracle, then […]

A Note on the Verizon DBIR 2015, “Incident Counting”, and VDBs

Recently, the Verizon 2015 Data Breach Investigations Report (DBIR) was released to much fanfare as usual, prompting a variety of media outlets to analyze the analysis. A few days after the release, I caught a Tweet linking to a blog from @raesene (Rory McCune) that challenged one aspect of the report. On page 16 of […]