Update on Bulletin MS11-025

A while back Microsoft had released security bulletin MS11-025 that addressed a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with such an affected application, and the file happened to be located in the same network folder as a specially crafted library file.

Soon after the release, we discovered some issues with the bulletin some of which we talked about here. Microsoft has just issued an update to the bulletin that addresses the previously discussed issues and a few more:

 

  • For International customers (with localized apps) certain parts of MFC applications resources appeared non-localized.  This was due to an incorrect resource loading operation in the MFC libraries.  Specifically, the API used (FindActCtxSectionString) requires a structure to be passed in (ACTCTX_SECTION_KEYED_DATA) whose cbSize member is already initialized.  The size was not initialized, so depending on the memory content, the API could fail.
  • Some customer’s applications were broken on Windows 2000 because of the previous patch.  This was because the fix in the patch used an API (FindActCtxSectionString) that is not supported on the Windows 2000 platform.  The new update will not be automatically offered through Microsoft Update but the affected customers can download it from the bulletin.
  • Patch did not install on users with Windows 7 + Windows 7 SDK on X64 architecture.
  • Executable size of some applications which link to MFC statically had grown when rebuilt using the patch.  This was caused by the fact that some new code was placed in a source module whose object was not normally linked into an application that did not use MFC Feature Pack controls.  When the new code was moved to a source module whose object was already being linked into a statically-linked MFC application, the extra link dependencies were eliminated and the size of the application reverted to the expected size.
  • Visual C++ 2005 SP 1 Redistributable Package revision number was smaller than the previous release.

 

The new bulletin reoffers the update for the following products:

  • Microsoft Visual Studio 2005 Service Pack 1.
  • Microsoft Visual Studio 2008 Service Pack 1.
  • Microsoft Visual Studio 2010.
  • Microsoft Visual Studio 2010 Service Pack 1.
  • Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package.
  • Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package.

 

Please let us know if you have any questions.

Thank you
Visual C++ Team