Does that headline sound fishy? Actually, Diff and Merge (WinMerge, to be exact) were my last resort in this disaster scenario. The final outcome can be told quite briefly, but the scenario serves as a good example of how Murphy might hit you at any time… but first things first:
Oracle’s “Security Alert Advisory for CVE-2012-3132” warned about an attack vector that was, once again, discovered by security expert David Litchfield. The vulnerability allows an attacker to execute SQL code with SYS privileges by using object names that contain quotation marks, provided the attacker
- has authorized access to the database,
- has CREATE TABLE and CREATE PROCEDURE privileges and
- is allowed to execute DBMS_STATS.
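As an added audit check (not from this post and not Oracle’s advised mitigation), the following queries, run as a DBA, list which accounts meet the three preconditions above: EXECUTE on DBMS_STATS, the CREATE TABLE and CREATE PROCEDURE system privileges, and any object whose name already contains a quotation mark. The data dictionary views used are standard Oracle views; grants received only through roles show up in DBA_ROLE_PRIVS and are not covered here.

```sql
-- Who can execute DBMS_STATS directly (PUBLIC means every account)?
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_STATS'
   AND privilege = 'EXECUTE';

-- Which grantees hold both CREATE TABLE and CREATE PROCEDURE directly?
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE TABLE', 'CREATE PROCEDURE')
 GROUP BY grantee
HAVING COUNT(DISTINCT privilege) = 2;

-- Existing objects whose names contain a double quote (the ingredient
-- the advisory describes); normally there should be none.
SELECT owner, object_type, object_name
  FROM dba_objects
 WHERE INSTR(object_name, '"') > 0
 ORDER BY owner, object_type, object_name;
```

A non-empty result for the third query is worth investigating regardless of patch level, since quoted object names have no business in a typical application schema.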
A fix for this issue was published in July 2012, but Oracle also issued advice on how to cope with the threat without patching the RDBMS. This recommendation, however, has implications when such a database is recovered or cloned: