Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Oracle Export Extensions - Public Exploit Code for Unpatched Vulnerability

All Oracle IT professionals and DBAs should be careful with export functions and file extensions when processing files, as noted in the CERT advisory below:

Oracle Export Extensions - Public Exploit Code for Unpatched Vulnerability
http://www.us-cert.gov/current/current_activity.html#unpatorcle

QUOTE: US-CERT is aware of publicly available, working exploit code for an unpatched vulnerability in Oracle Export Extensions. Successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.

More information about this vulnerability can be found in the following:

US-CERT recommends the following actions to mitigate the security risks:

  • Restrict access to Oracle:

    Only known and trusted users should be granted access to Oracle. Additionally, user accounts should be granted only those privileges needed to perform necessary tasks.

  • Change login credentials for default Oracle accounts:

    Oracle creates numerous default accounts when it is installed. Upon installation, accounts that are not needed should be disabled and the login credentials for needed accounts should be changed.
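
A DBA can check both recommendations with a few data dictionary queries. The script below is an added example, not part of the US-CERT advisory or the original post. It assumes Oracle 11g or later (for the `DBA_USERS_WITH_DEFPWD` view) and a session that can read the `DBA_*` views; the account names in the final statements are hypothetical placeholders.

```sql
-- Added example: audit queries for the two mitigations listed above.
-- Assumption: Oracle 11g+ and SELECT access to the DBA_* dictionary views.

-- 1. Default accounts: users whose password is still a known default
--    and whose account is not locked (so a login is still possible).
SELECT u.username, u.account_status, u.profile, u.created
FROM   dba_users u
JOIN   dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY u.username;

-- 2. Restrict access: open accounts that hold broad system privileges
--    directly. SYS and SYSTEM are expected here; review every other row.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  u.account_status = 'OPEN'
AND    (p.privilege LIKE '% ANY %'
        OR p.privilege IN ('ALTER SYSTEM', 'ALTER USER', 'BECOME USER'))
ORDER  BY p.grantee, p.privilege;

-- 3. Restrict access: who has been granted the DBA role, and whether
--    they can pass it on to other users.
SELECT r.grantee, r.granted_role, r.admin_option
FROM   dba_role_privs r
WHERE  r.granted_role = 'DBA'
ORDER  BY r.grantee;

-- 4. Remediation templates (account names are hypothetical placeholders).
--    Lock and expire a default account that is not needed:
ALTER USER example_unused_account ACCOUNT LOCK PASSWORD EXPIRE;
--    Change the credentials of a default account that is needed:
ALTER USER example_needed_account IDENTIFIED BY "<new-strong-password>";
```

Rows returned by query 1 are the accounts the second recommendation applies to; queries 2 and 3 show where privileges exceed what a user's tasks require.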