Oracle has decided to break its quarterly update release cycle with plans to develop a patch against a zero-day exploit.

The planned fix addresses a buffer overflow flaw in Oracle WebLogic Server which creates a means for hackers to plant malware onto targeted systems. By sending a specially-malformed HTTP POST request attackers might be able to assault vulnerable systems without needing either user names or passwords, an alert on the bug by IBM's X-force security division warns.

The planned patch will be to first to be released outside the three-monthly release cycle Oracle introduced three years ago in January 2005. Oracle criticised a decision by independent security researchers to post details of the vulnerability and exploit code before giving it the opportunity to develop a patch.

The flaw rates 10.0 out of 10 - double plus critical - according to the Common Vulnerability Scoring System (CVSS), a cross-industry scheme designed to standardise the ratings of vulnerabilities.

The vulnerability - which affected a wide variety of its enterprise software packages - was made public days after Oracle released 45 security patches as part of its summer update patch cycle on 15 July. ®

Related stories

• Oracle releases whole security blanket of patches (16 April 2009)
• Oracle discharges monster bug fix (16 October 2008)
• Oracle breaks patch cycle with emergency fix (7 August 2008)
• Cybercrooks get faster, further and sneakier (29 July 2008)
• Oracle preps summer patch cluster (11 July 2008)
• Oracle risks loss of influential BEA users (4 July 2008)
• BEA gets last laugh on Oracle app server (1 July 2008)
• Oracle patches 'sitting duck' database vulns (16 April 2008)
• Cisco hops onto patching treadmill (6 March 2008)