Oracle JInitiator contains a critical flaw that could be exploited by an attacker to execute arbitrary code and compromise a vulnerable system.
The tool is used by developers to run Oracle Developer Server applications directly within Internet Explorer. The flaw was discovered in versions 126.96.36.199 and earlier.
The vulnerability was discovered by Will Dormann of the United States Computer Emergency Readiness Team (US-CERT).
A patch has not been released. As a workaround, Dormann advised users to disable the Oracle JInitiator ActiveX control in Internet Explorer.
"Installing a later version of the software will not remove the vulnerable version of the control," Dormann said in the advisory. "We are currently unaware of a practical solution to this problem."
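The workaround above, and Dormann's point that an upgrade leaves the old control registered, both come down to setting and verifying Internet Explorer's "kill bit" for each installed control. The following PowerShell sketch is an added example, not taken from the US-CERT advisory or from Oracle. The CLSID in it is a placeholder, because the article does not list the control's identifiers, and the function names and the `-Apply` switch are hypothetical.

```powershell
# Added example: audit (and optionally set) the IE kill bit for ActiveX controls.
# Run elevated when using -Apply, since it writes under HKLM.
param([switch]$Apply)

# PLACEHOLDER CLSID: replace with every JInitiator control CLSID named in the
# vendor or US-CERT advisory; older versions stay registered after an upgrade.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from loading the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # View used by 32-bit Internet Explorer on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$Key)
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }          # key or value missing: no flags set
    return [int]$p.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Key)
    return ((Get-CompatFlags $Key) -band $KillBit) -eq $KillBit
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Preserve any other compatibility flags already present on the key
    $value = (Get-CompatFlags $Key) -bor $KillBit
    Set-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -Type DWord -Value $value
}

foreach ($root in $Roots) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist
    if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
    foreach ($clsid in $Clsids) {
        $key = Join-Path $root $clsid
        if ($Apply -and -not (Test-KillBit $key)) { Set-KillBit $key }
        [pscustomobject]@{
            Clsid      = $clsid
            Key        = $key
            Registered = Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            KillBitSet = Test-KillBit $key
        }
    }
}
```

Run without `-Apply`, the script only reports the current state, which makes it usable as a compliance check across machines before and after the workaround is deployed.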
Danish security firm Secunia rated the vulnerability "highly critical" in its advisory to customers.