FAQ: MS09-035 ATL Security Update For Visual Studio 2003/2005 SP1/2008 RTM/2008 SP1
1. How do I know which dll/control needs to be rebuilt?
Please check the guidelines to understand if your dll/control could be affected or not. Installing the Visual Studio ATL Security patch and rebuilding the binaries alone will not mitigate the vulnerability. You may need to make code changes as given in the document.
2. I rebuilt my application and then deployed it. The application doesn’t launch and the event viewer shows Side-by-side error to load msvcrxx.dll (xx could be 80 or 90).
You would need to install the new VS200X Redistributable:
**
For app built with VS2005 SP1 + ATL Security Package: Download Link
For app built with VS2008 RTM + ATL Security Package: Download Link
For app built with VS2008 Sp1 + ATL Security Package: Download Link
3. Can I install all the three new redistributable (refer to the Q2 for all the new redistributable available) on a single machine.
Yes. You can. The redistributable installs the necessary files in <windows>\WinSXS folder. The application will find the required runtime files it needs.
4. How is the MS09-035 Security Update pushed to the various machines (end user and developer machines):
[Developer Machine-> Which has the Visual Studio2003/2005/2008 installed.
End user-> which has the VS2003/2005/2008 redistributable installed.]
Refer to the explanation: blogs.msdn.com/vcblog/archive/2009/08/05/active-template-library-atl-security-updates.aspx#9859710
5. I see in my build machine that Visual Studio ATL Security Update is available via Microsoft Update. Will the end user machine can get the full CRT/MFC/ATL redistributable from Microsoft Update.
No. For an end user, only if he has a previous vulnerable redistributable installed on his machine, the Microsoft Update will show up to install KB973923 or KB973924. For example, if you see Microsoft Visual Studio 2005 SP1 redistributable in Add/Remove programs, then visiting the udpate.microsoft.com will show KB973923 in the list (provided Microsoft Update is enabled).
6. When trying to install the ATL Security Update for Visual Studio I get the error message “The feature you are trying to use is on a network resource that is unavailable” and asks you to point to an alternate path.
Refer to KB944298 for solution.
7. While installing Visual Studio 2008 SP1 Security Patch KB971092, I am getting following error message.
“VC Libraries QFE Patch does not apply, or is blocked by another condition on your system. Please click the link below for more details.”
This is known issue and it’s been fixed in latest patch release dates 8/3/2009. Reinstalling this latest patch should resolve this error.
8. While installing Visual Studio 2005 SP1 Security Update KB971090 on Windows 2003 Sp2, I am getting the following errors
“Product: Microsoft Visual Studio 2005 Professional Edition - ENU -- Configuration failed.
Product: Microsoft Visual Studio 2005 Professional Edition - ENU -- Error 1718.File C:\WINDOWS\Installer\78a5028.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see go.microsoft.com/fwlink/?LinkId=73863.
Product: Microsoft Visual Studio 2005 Professional Edition - ENU - Update 'Security Update for Microsoft Visual Studio 2005 Team Suite - ESN (KB971090)' could not be installed. Error code 1603.
The installation of C:\WINDOWS\Installer\78a5028.msp is not permitted due to an error in software restriction policy processing. The object cannot be trusted.”
This problem occurs if the Windows Installer process has insufficient contiguous virtual memory to verify that the .msi package or the .msp package is correctly signed. Installing hotfix for KB925336 should resolve this issue.
9. After installing Visual Studio 2k8 SP1 security patch KB971092, I am getting the following
errors.
error C2039: '_Swap_adl' : is not a member of 'std' c:\program files\microsoft visual studio 9.0\vc\include\xutility 2764
error C3861: '_Swap_adl': identifier not found c:\program files\microsoft visual studio 9.0\vc\include\xutility 2764.
Installing windows SDK for server 2008 (v6.1) after VS2008 SP1 causes conflicts with this security update which eventually leads to these compiler errors. Workaround is to reinstall VS 2008 SP1 and then on top installing this security patch should resolve this issue.
More information is available at
social.msdn.microsoft.com/Forums/en-US/vcgeneral/thread/96f5d066-01cb-48c5-bba3-9df8120d06cc
If you need more help, feel free to post here or call Microsoft support.
10. My build was updated (with Visual Studio 200X ATL security update) and so was my customers machine with the ATL Security update (Kb973923/4). But then in my customer’s machine I get this error when launching:
“the application failed to start because the application configuration is incorrect’ reinstalling the application”
KB973923&KB973924 just updates the corresponding ATL libraries and it doesn’t update MFC /CRT dlls. You need to install the corresponding redist so that the new versions of CRT/MFC /ATL are available on target machine. See point 2 in this article for the links.
11. Is there any tool or software to scan if my ATL control is affected?
You could try using <codetest.verizonbusiness.com/>. Additionally you should also review your code and make necessary changes mentioned in msdn.microsoft.com/en-us/visualc/ee309358.aspx