This particular disclosure has generated an inordinate amount of correspondence from members of the research community, as well as from database and security product vendors. The vendors feel that dropping this 0-day exploit was premature, and that the level of detail in the accompanying research papers (PDF) goes well beyond what is needed to promote public awareness. The research community counters that Oracle has ignored issues like this in the past, which puts database users at risk, and that it is therefore fully justified in disclosing issues of a serious nature.
Litchfield, meanwhile, says he contacted Oracle several months ago, which should have been ample opportunity to address the problem, so by his account this qualifies as responsible disclosure.
Regardless, Web application firewall vendors, database activity monitoring vendors, and assessment platform providers, none of whom were included in the process, have all been scrambling during the past couple of days to close the gap.
Two things temper my view of it. First, while the damage that can result from this exploit is catastrophic, no seasoned database professional would allow Oracle to be deployed with the permission settings the exploit depends on, any more than they would leave default DBA passwords in place. Second, since Litchfield is leaving his present employer, this has the feel of a publicity stunt. Any time "Oracle" and "exploit" appear in the same sentence, it is deemed newsworthy; throw in the longstanding Litchfield/Oracle feud, and it is guaranteed to get attention.
Whether you agree or disagree with the details of the attack being made public, be sure to revoke EXECUTE privileges on the Java packages from the PUBLIC role. Once that grant is gone, you should be safe.
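As an added illustration (not code from this column, from Litchfield's paper, or from Oracle), the following SQL audits which SYS-owned packages PUBLIC can currently execute and then revokes those grants. The `DBMS_J%` name filter is an assumption standing in for the specific Java packages named in the advisory you are acting on; substitute the exact package names. Run it as a SYSDBA-privileged user in a test instance first.

```sql
-- Added example, not from the column or from Oracle. Assumes a DBA session.
-- The LIKE 'DBMS_J%' filter is an assumption: replace it with the package
-- names from the advisory you are remediating.

-- 1. Audit: which Java-related SYS packages can PUBLIC execute right now?
SELECT p.owner, p.table_name, p.privilege
  FROM dba_tab_privs p
  JOIN dba_objects  o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE p.grantee     = 'PUBLIC'
   AND p.privilege   = 'EXECUTE'
   AND o.object_type = 'PACKAGE'
   AND p.table_name  LIKE 'DBMS_J%'
 ORDER BY p.table_name;

-- 2. Revoke each grant found above. dry_run = TRUE prints the REVOKE
--    statements without executing them; flip it to FALSE to apply.
SET SERVEROUTPUT ON
DECLARE
  dry_run CONSTANT BOOLEAN := TRUE;
  stmt    VARCHAR2(400);
BEGIN
  FOR r IN (SELECT p.owner, p.table_name
              FROM dba_tab_privs p
              JOIN dba_objects  o
                ON o.owner = p.owner
               AND o.object_name = p.table_name
             WHERE p.grantee     = 'PUBLIC'
               AND p.privilege   = 'EXECUTE'
               AND o.object_type = 'PACKAGE'
               AND p.table_name  LIKE 'DBMS_J%')
  LOOP
    -- Quote identifiers so unusual package names cannot alter the statement.
    stmt := 'REVOKE EXECUTE ON "' || r.owner || '"."' || r.table_name
            || '" FROM PUBLIC';
    DBMS_OUTPUT.PUT_LINE(stmt);
    IF NOT dry_run THEN
      EXECUTE IMMEDIATE stmt;
    END IF;
  END LOOP;
END;
/

-- 3. Re-run the audit query from step 1. Once the revokes are applied it
--    should return no rows.
```

Revoking from PUBLIC removes the privilege from every account that was relying on the blanket grant, so any application schema that legitimately needs one of these packages should receive an explicit `GRANT EXECUTE ON SYS.<package> TO <schema>` for that package alone. That keeps the hardening in place while scoping access to the accounts that actually need it.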
Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.