No doubt you’ve seen that message even if you don’t make a habit of reading descriptions on all the updates queuing for your system. What makes this one – KB973675 – particularly unexpected is that it is a Visual Studio vulnerability.
Visual Studio is Microsoft’s primary software development environment. It is used to write computer programs in languages like C++, C#, Visual Basic.NET and others.
While it is not uncommon to learn of exploitable vulnerabilities in mail and web servers or other products that are generally exposed to the Internet – like web browsers – it is definitely not common to be told you are putting your system at risk by running a development environment.
The update addresses Microsoft security bulletin MS09-035, which Microsoft rates as Moderate severity.
It turns out the offending portion is not actually Visual Studio itself – so, no, merely firing up Visual Studio hasn’t become a risky proposition.
Actually, the real problem is worse. The vulnerability is in the Active Template Library (ATL), a redistributable package that ships with Visual Studio 2003, 2005 and 2008.
Any program built with Visual Studio that uses ATL functionality carries the flaw in its own compiled code. Those programs have since flowed out, like a river, to computers worldwide. Consequently, while the update is labelled as being for Visual Studio, the vulnerability exists in legions of “CorporateApp1” style programs on a desktop near you.
Fortunately, the update may be applied to any Windows-based computer whether or not Visual Studio is installed. Enterprise administrators and home users may wish to install it manually or via the Microsoft Update service.