Update on Bulletin MS11-025

A while back, Microsoft released security bulletin MS11-025, which addressed a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with an affected application and the file is located in the same network folder as a specially crafted library file.

Soon after the release, we discovered some issues with the bulletin, some of which we talked about here. Microsoft has just issued an update to the bulletin that addresses the previously discussed issues and a few more:

 

  • For international customers (with localized apps), certain parts of MFC applications' resources appeared non-localized. This was due to an incorrect resource loading operation in the MFC libraries. Specifically, the API used (FindActCtxSectionString) requires the caller to pass in a structure (ACTCTX_SECTION_KEYED_DATA) whose cbSize member is already initialized. The size was not initialized, so depending on the memory content, the API could fail.
  • Some customers' applications were broken on Windows 2000 because of the previous patch. This was because the fix in the patch used an API (FindActCtxSectionString) that is not supported on the Windows 2000 platform. The new update will not be automatically offered through Microsoft Update, but the affected customers can download it from the bulletin.
  • The patch did not install for users with Windows 7 + Windows 7 SDK on x64 architecture.
  • The executable size of some applications that link to MFC statically had grown when rebuilt using the patch. This was caused by some new code being placed in a source module whose object was not normally linked into an application that did not use MFC Feature Pack controls. When the new code was moved to a source module whose object was already being linked into a statically linked MFC application, the extra link dependencies were eliminated and the size of the application reverted to the expected size.
  • The Visual C++ 2005 SP 1 Redistributable Package revision number was smaller than the previous release.
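
The cbSize problem in the first item can be reproduced with a small portable model. This is an added example, not MFC or Win32 code: `keyed_data_t`, `find_section_string()`, the key string and the "stale" byte values are hypothetical stand-ins, and the rule that a too-small cbSize is rejected is an assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a size-versioned output structure. */
typedef struct {
    unsigned long cbSize;   /* caller must set this before the call */
    unsigned long version;
    const void   *data;
    unsigned long length;
} keyed_data_t;

/* Stand-in API. Model assumption: it trusts cbSize and rejects any
   value smaller than the structure it is about to fill in. */
static int find_section_string(const char *key, keyed_data_t *out)
{
    static const char payload[] = "constructed resource entry";
    (void)key;
    if (out == NULL || out->cbSize < sizeof *out)
        return 0;                        /* invalid parameter */
    out->version = 1;
    out->data = payload;
    out->length = sizeof payload - 1;
    return 1;
}

/* Buggy pattern: cbSize is whatever the stack held. `stale` is a
   constructed byte that simulates that leftover memory. */
int lookup_without_size(unsigned char stale)
{
    keyed_data_t kd;
    memset(&kd, stale, sizeof kd);       /* simulated uninitialised stack */
    return find_section_string("mfc.resources", &kd);
}

/* Corrected pattern: clear the structure, then set cbSize. */
int lookup_with_size(unsigned char stale)
{
    keyed_data_t kd;
    memset(&kd, stale, sizeof kd);       /* same stale memory */
    memset(&kd, 0, sizeof kd);
    kd.cbSize = sizeof kd;
    return find_section_string("mfc.resources", &kd);
}

int main(void)
{
    printf("stale 0x00, cbSize unset: %d\n", lookup_without_size(0x00));
    printf("stale 0xCC, cbSize unset: %d\n", lookup_without_size(0xCC));
    printf("stale 0x00, cbSize set:   %d\n", lookup_with_size(0x00));
    return 0;
}
```

The unset variant succeeds or fails purely on what the memory happened to contain, which is why a defect of this kind can pass testing on one machine and fail on another.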

 

The new bulletin reoffers the update for the following products:

  • Microsoft Visual Studio 2005 Service Pack 1.
  • Microsoft Visual Studio 2008 Service Pack 1.
  • Microsoft Visual Studio 2010.
  • Microsoft Visual Studio 2010 Service Pack 1.
  • Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package.
  • Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package.

 

Please let us know if you have any questions.

Thank you
Visual C++ Team

  • Hello

    I downloaded and installed the update for VS2010  (VS10-KB2542054-x86.exe) and the target files are not updated: all the dll, cpp and lib files are still with date 18-Feb 2011.  

    I have VS2010 Professional with SP1 and Windows XP + SP3.

    Please advise.

  • Hi Marcello, I reported your comment and I was told that the patch does not apply to VS2010 SP1. The security fix for MFC is already included in VS2010 SP1. This is expected.

  • Hello,

    Regarding "•Executable size of some applications which link to MFC statically had grown when rebuilt using the patch.  This was caused by the fact that some new code was placed in a source module whose object was not normally linked into an application that did not use MFC Feature Pack controls"

    With the update or the SP1 installed I still get supersized executables (1500 Kb vs 200 kb with VS2008) when linking with MFC statically, even when I don't use the MFC Feature pack controls (i.e. a Win32 console project with MFC support).

  • Re: "Patch did not install on users with Windows 7 + Windows 7 SDK on X64 architecture."  I've been struggling with KB2542054 failing install.  Are there any other updates or workarounds for this issue?

  • What happens now with applications compiled with VS2010 SP1 on Windows 2000? I keep getting 'The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll' on the client computer running Windows 2000.

  • Security update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB2538242) has downloaded onto my computer 7 times so far and it wants to do it again. Is it supposed to do that?
