In July of this year, Oracle sent a vulnerability notification to its users for the Oracle Security Alert CVE-2012-3132. At the time of the publication of the security bulletin, it was noted that this vulnerability was not remotely exploitable. The remote capabilities, or lack thereof, of this vulnerability were called into question in a very interesting write-up on the Kaspersky Labs Security News Service. Many organizations I have worked with would initially deem this a very low risk, due to the lack of remote capabilities, so it may be time for a reassessment of the risk.
I am not on the Oracle Security newsfeeds, so if anybody has a notification from Oracle that they are permitted to share, we would love to help get the word out.
tony d0t carothers - gmail
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.