A proof of concept Oracle worm has been posted to the Full Disclosure list.
The usual course of events is like this:
1. researcher discovers vulnerability
2. researcher tells software company
3. software company issues patch
4. users do nothing
5. Proof of Concept code posted
6. users do nothing
7. Scanning for vulnerable machines starts
8. targeted attacks start
9. users do nothing
10. worm is released
11. all hell breaks out
12. users patch
So we are at step 5, the proof of concept stage. A worm could appear any minute. Or not.
What is the potential danger? I remember the SQL Server bugs and the lead-up to January 25, 2003, the infamous arrival of SQL Slammer. The wisdom of the day was "Who exposes their SQL Servers to the Internet?". The same goes for Oracle servers. You would be negligent if you allowed access to your big, expensive, mission-critical databases from the Internet.
How many Oracle servers are exposed? We are going to find out, aren't we?