Oracle Ships Delayed Patch

Oracle probably worried some database advisers last week when it released its Critical Patch Update, but neglected its most critical database flaw of the quarter for 9.2.0.8 users on the Windows platform. Now, the database vendor has made good on its promise of an interim update.

The quarterly release on April 17 omitted a fix for a known flaw for users running the Windows operating system. At the time, Oracle said this fix would come on April 30, but now it looks like Oracle has found a way to get the patch out.

That flaw, known as DB01, is in the Core relational database management system (RDBMS) used by Oracle's database. It can be remotely exploited over the network and unlike most of the database flaws, an attacker does not need to have authentication rights to the database to exploit the problem.

Oracle's Eric Maurice made the announcement on Friday afternoon.

It turns out that security researcher David Litchfield first discussed this flaw in November 2005. After Oracle released its Critical Patch Update last week, he published this research note, discussing this and a few other flaws that were patched this month. Litchfield, managing director of Next Generation Security Software, says he first reported the bug to Oracle in 2002.