A while back, Microsoft released security bulletin MS11-025, which addressed a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with an affected application and the file is located in the same network folder as a specially crafted library file.
Soon after the release, we discovered some issues with the bulletin, some of which we talked about here. Microsoft has just issued an update to the bulletin that addresses the previously discussed issues and a few more:
The new bulletin reoffers the update for the following products:
Please let us know if you have any questions.
Thank you, Visual C++ Team
I downloaded and installed the update for VS2010 (VS10-KB2542054-x86.exe) and the target files are not updated: all the dll, cpp and lib files are still with date 18-Feb 2011.
I have VS2010 Professional with SP1 and Windows XP + SP3.
Hi Marcello, I reported your comment and I was told that the patch does not apply to VS2010 SP1. The security fix for MFC is already included in VS2010 SP1. This is expected.
Regarding "•Executable size of some applications which link to MFC statically had grown when rebuilt using the patch. This was caused by the fact that some new code was placed in a source module whose object was not normally linked into an application that did not use MFC Feature Pack controls"
With the update or the SP1 installed I still get supersized executables (1500 Kb vs 200 kb with VS2008) when linking with MFC statically, even when I don't use the MFC Feature Pack controls (i.e. a Win32 console project with MFC support).
Re: "Patch did not install on users with Windows 7 + Windows 7 SDK on X64 architecture." I've been struggling with KB2542054 failing to install. Are there any other updates or workarounds for this issue?
What happens now with applications compiled with VS2010 SP1 on Windows 2000? I keep getting 'The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll' on the client computer running Windows 2000.
Security update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB2538242) has downloaded onto my computer 7 times so far and it wants to do it again. Is it supposed to do that?