In this case, the security researcher that discovered the flaw chose to announce their find, along with accompanying attack code, without ever giving the database maker a chance to remedy the problem.
Here's what Eric Maurice had to say on Oracle's Global Product Security Blog:
Unfortunately, the person(s) who published this vulnerability and associated exploit codes didn't contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15 Critical Patch Update, therefore prompting Oracle to issue an out of cycle security update.
So there you have it. Someone decided to not only dump a highly critical, remotely exploitable vulnerability on the world (and the software necessary to exploit the flaw), it also seems as if (I've no way of knowing for sure) that they cherry-picked the timing to fall right after Oracle's scheduled patch release.
That's just reckless.
Oracle has published work-around instructions here.