Oracle users have been urged to apply the database patches Oracle issued yesterday as quickly as possible, because a flaw they fix can be easily exploited, a database security expert has warned.
David Litchfield, founding director of NGS Software, which is now part of the NCC Group, said, "There are a number of issues in this patch which are particularly dangerous. For example, there is a remote, unauthenticated attack via the Oracle Process Manager and Notification Server that can allow an attacker to take full control over the system on Windows or the Oracle user on a Unix-based system."
He said a would-be attacker could use a format string vulnerability to damage the database. "It is trivial to exploit. My best advice to Oracle customers is to test and install this critical update as soon as possible."