RE: [vonage.com #25400427] RE: How Visual Studio Makes Your Applications Vulnerable to Binary Planting

["Mitja Kolsek" <mitja.kolsek () acros si>]

Hi Michael,

Indeed, MFC is the culprit. We were aware of Visual Studio as a typical environment
for building MFC apps, and MFC is an integral part of it. Presumably other ways of
building MFC apps will result in vulnerable builds too, but we noticed that older
some versions of MFC libraries were not vulnerable.

Thanks for broadening the view.

Mitja

Mitja Kolsek
CEO&CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
 

> -----Original Message-----
> From: devnull () vonage com [mailto:devnull () vonage com] 
> Sent: Tuesday, October 26, 2010 7:22 PM
> To: security () acrossecurity com
> Subject: [vonage.com #25400427] RE: How Visual Studio Makes 
> Your Applications Vulnerable to Binary Planting 
>
> Unless I misread the description, this is an error in MFC, 
> not in Visual Studio.
>
> Applications built using MFC and command-line tools would be 
> equally vulnerable; non-MFC applications built using Visual 
> Studio would not be (via this vector - obviously they could 
> be vulnerable to binary planting through other vectors).
>
> Plenty of developers use Visual Studio to create non-MFC applications.
> And at least a few of us use Microsoft toolchains and 
> libraries without the enormous pile of VS overhead. (Whether 
> there's anyone in the latter group who uses MFC is another question.)
>
> --
> Michael Wojcik
> Principal Software Systems Developer, Micro Focus