Hi Michael,

Indeed, MFC is the culprit. We were aware of Visual Studio as a typical environment for building MFC apps, and MFC is an integral part of it. Presumably other ways of building MFC apps will result in vulnerable builds too, but we noticed that some older versions of MFC libraries were not vulnerable.

Thanks for broadening the view.

Mitja

Mitja Kolsek
CEO&CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do

> -----Original Message-----
> From: devnull@xxxxxxxxxx [mailto:devnull@xxxxxxxxxx]
> Sent: Tuesday, October 26, 2010 7:22 PM
> To: security@xxxxxxxxxxxxxxxxx
> Subject: [vonage.com #25400427] RE: How Visual Studio Makes
> Your Applications Vulnerable to Binary Planting
>
> Unless I misread the description, this is an error in MFC,
> not in Visual Studio.
>
> Applications built using MFC and command-line tools would be
> equally vulnerable; non-MFC applications built using Visual
> Studio would not be (via this vector - obviously they could
> be vulnerable to binary planting through other vectors).
>
> Plenty of developers use Visual Studio to create non-MFC applications.
> And at least a few of us use Microsoft toolchains and
> libraries without the enormous pile of VS overhead. (Whether
> there's anyone in the latter group who uses MFC is another question.)
>
> --
> Michael Wojcik
> Principal Software Systems Developer, Micro Focus