Last Tuesday, Microsoft released atypical, out-of-band security updates for vulnerabilities in ATL. Michael Howard discusses them on the Security Development Lifecycle blog. The security update page contains links to patches and upgrades for affected Visual Studio components, going back to Visual Studio .NET 2003. If you’re using Visual Studio 2008 SP1, you’ll be interested in the following:
- Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update, which contains upgrades for the Visual C++ runtime assemblies. There are three, one for each platform (x86, x64, and IA64), each under 5MB.
- Visual Studio 2008 Service Pack 1 ATL Security Update, which contains a 365MB patch for SP1.

Wait. 365MB? As in megabytes? Oh yes.

I’m downloading this once and sharing it on my network rather than downloading it from Microsoft Update n times.
The VS2008SP1 security update appears to be a cumulative update that includes KB962219 and KB958357 – though it would be good if Microsoft confirmed that these fixes are included in KB971092.