Last October our company reported that Microsoft Visual Studio 2010 and 2008 (we didn't test 2005) injected an easily exploitable binary planting vulnerability into every MFC (Microsoft Foundation Class) application built with these development environments - and also into any other application using the Visual C++ redistributable libraries. The number of affected applications was, and still is, potentially pretty high: out of just over 200 applications we tested in our binary planting research project, thirteen (~ 6%) were found to be suffering from this flaw (some of them also had, or still have, other binary planting issues).
These are the "dirty thirteen" we found, although keep in mind that the "dirty" part is not their developers' fault. Also note that while some of these products may have had subsequent updates and versions, these are likely to be vulnerable as well unless they were substantially re-coded as non-MFC applications.
- Autodesk 3ds Max 2010 Release 12.0
- Autodesk 3ds Max 2011 Release 13.0
- Avast! Free Antivirus 5.0.545
- Avira Premium Security Suite 10.0.0.542
- BitDefender Total Security 2010 - Build 188.8.131.523
- CorelDraw X5 184.108.40.2068
- Corel Paint Shop Pro Photo X3 220.127.116.11
- CyberLink PowerDirector 8.00.2220
- EMC QuickScan Pro Demo 4.7.0 (build 8554)
- EMC ApplicationXtender Document Manager v18.104.22.168
- Microsoft Office Professional 2010 14.0.4760.1000 (32-bit)
- Nuance PDF Converter Professional 6.0
- PC Security Shield Security Shield 2010 22.214.171.1243
This week Microsoft finally fixed this bug in Visual C++ redistributable packages (apparently, version 2005 was vulnerable too). Now, does this fix magically make things right for end-users? Not entirely. If you're using a vulnerable product that dynamically loads the Visual C++ redistributable package, installing the correct security update(s) will resolve the problem and remove the vulnerability. All of the above listed applications will, for example, be fixed. However, MFC applications that statically link the MFC libraries effectively integrate these in their executables and do not use the (now fixed) redistributable libraries. Such applications will have to be re-built in (updated) Visual Studio and redistributed to end-users.
- Users should apply the security updates for Visual C++ redistributable packages
- Visual Studio Developers should apply the applicable security updates and re-build MFC applications that statically link MFC libraries (and obviously, distribute the new build to end users).