Bryan Owen

ATL security issue… is this airplane grounded?

Blog Post created by Bryan Owen on Aug 3, 2009

Microsoft's out-of-band patch for Visual Studio (MS09-035) is a classic example of how much can go awry when security vulnerabilities are discovered in a shared library. OSIsoft announced affected products in a 3-Aug-2009 technical support security alert.


The Active Template Library (ATL) is a relatively mature technology for unmanaged code and is often used in the development of ActiveX and COM-based projects. The ATL moniker is better known to frequent fliers as Hartsfield International, but as with air travel, it's not always obvious whether your flight depends on ATL. The same is true in the context of the MS09-035 defects.


Because the defects can involve ATL methods that are statically linked by Visual Studio, we need to do more than the typical Microsoft patch compatibility testing. The process for checking whether code is affected by the ATL vulnerabilities is described on MSDN.


The remedial steps for MS09-035 require that ISVs patch Visual Studio, then build and distribute a new version (CERT's vendor notification specifically requested such a response). Of course, end users then need to apply the upgrade; in some cases this might be more than a patch. This is the captain speaking... I'm sorry to report bad weather in ATLANTA; our service agents are working to arrange alternate flights. Again, we're sorry for this delay.


Microsoft published an interesting blog entry describing the Security Development Lifecycle in the context of MS09-035. Out of millions of lines of code, it never ceases to amaze me how many issues boil down to a single byte. Anyway, for all of you developing value-added products for the PI infrastructure, please apply the Visual Studio patch.


Since this issue could also be hidden in third-party components, it's appropriate to review your software supply chain. Embedded software and 'Giblets' are especially onerous problems. What if the fix is a major version upgrade, or otherwise results in cascading upgrades with problems involving supported platforms? Software lifecycle and patching can be a complex issue. Our preliminary findings are just that; it will take more time to fully understand the scope and remedial plan for the Active Template Library vulnerabilities.


I do want to take this opportunity to confirm the PI-SDK has been reviewed and is *NOT* affected by the ATL defect.