According to a report by C|NET, the latest Oracle patch, released today, fixes 65 bugs, 27 of which could be exploited remotely by anonymous attackers.
BE SURE TO APPLY THIS PATCH.
Let me give you DBAs a tip: patch your databases the moment Oracle releases a security patchset. Remember that your database is your career. When the words “database” and “problem” are mentioned in the same sentence…hell, the same DAY, all heads will swivel your way. Make sure that no matter what, you keep up to date.
If that little rant doesn’t do it for you, maybe this will. The patch that was just released includes a fix for a bug that Oracle noted on April 6th. When I say noted, what I mean is that they actually made a Metalink page that details how to do the exploit and hack most 9i and 10g installations of Oracle. The exploit allows you to insert, update, and delete information in base tables, meaning you can do something as simple as changing the SYS password, or something as devious as destroying the data dictionary. Did I also mention there’s no workaround for this?
Of course, they removed the Metalink article. But that didn’t stop Red Database Security from publishing an article detailing exactly how to do the hack. And just as a note, I don’t blame Mr. Kornbrust (the owner of Red Database Security) in the slightest for telling the world how to perform the hack. 1) A hack such as this should be fixed by Oracle IMMEDIATELY, and 2) If you let dangerous people get to a point where they could use this hack (a SQL prompt with a logged-in database user), you could clearly use a security audit.
Get those patches rolling!