Oracle users have been urged to apply the database patches
Oracle issued yesterday as quickly as possible, because the flaw
can be easily exploited, a database security expert has warned.
David Litchfield, founding director of
NGS Software, which is
now part of the NCC Group, said, "There is a number of issues in
this patch which are particularly dangerous. For example there is a
remote, unauthenticated attack via the Oracle Process Manager and
Notification Server that can allow an attacker to take full control
over the system on Windows or the Oracle user on a Unix-based
system."
He said a would-be attacker could use a format string
vulnerability to damage the database. "It is trivial to exploit. My
best advice to Oracle customers is to test and install this
critical update as soon as possible."