Oracle database at risk from easy hack, warns database security expert

Oracle users have been urged to update the database patches Oracle issued yesterday as quickly as possible, because the flaw can be easily exploited, a database security expert has warned.

David Litchfield, founding director of NGS Software, which is now part of the NCC Group, said, "There is a number of issues in this patch which are particularly dangerous. For example there is a remote, unauthenticated attack via the Oracle Process Manager and Notification Server that can allow an attacker to take full control over the system on Windows or the Oracle user on a Unix-based system."

He said a would-be attacker could use a format string vulnerability to damage the database. "It is trivial to exploit. My best advice to Oracle customers is to test and install this critical update as soon as possible."