Avast 6.0.1091 installs vulnerable Visual C++ 2008 SP1

Avast (6.0.1091, released 18 April 2011) as part of its setup installs Visual C++ 2008 SP1.

The version Avast installs is:
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update
MS09-035 KB973544 (file version 9.0.30729.4148)

However on this month’s patch Tuesday (12th April), Microsoft released:
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package MFC Security Update
MS11-025 KB2467174 (file version 9.0.30729.5570)

Hence, as part of its setup, Avast is making the system vulnerable to remote code execution.

No, I don’t think so.

A few comments:

  • the ATL DLL itself is not “vulnerable”, but only any application that uses certain parts of the library. When we install the library, there’s presumably no app using it on the system

  • avast itself doesn’t use the ATL feature and so is not affected

  • the DLLs are versioned, i.e. the installer never overwrites a newer version

  • the reason why we currently don’t ship the new package is that it’s broken. Namely, the new package completely breaks support for Windows 2000.

Thanks
Vlk
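The versioning point in the reply above, as an added check that is not part of this thread or of Avast's code: it parses WinSxS-style assembly directory names (the name layout is an assumption, and the sample names below are constructed) and flags VC90 assemblies whose file version is older than the MS11-025 build quoted in the thread.

```python
import re
from typing import NamedTuple, Optional

# File version of the MS11-025 (KB2467174) VC++ 2008 SP1 package, as quoted in the thread.
PATCHED = (9, 0, 30729, 5570)

# Assumed WinSxS directory layout: <arch>_<assembly>_<pubkeytoken>_<version>_<culture>_<hash>
_SXS = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>microsoft\.vc90\.[a-z]+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]+)$",
    re.IGNORECASE,
)

class Assembly(NamedTuple):
    arch: str
    name: str
    version: tuple

def parse_sxs_dir(dirname: str) -> Optional[Assembly]:
    """Return the VC90 assembly described by a WinSxS directory name, or None if it is not one."""
    m = _SXS.match(dirname)
    if not m:
        return None
    version = tuple(int(p) for p in m["version"].split("."))
    return Assembly(m["arch"].lower(), m["name"].lower(), version)

def below_baseline(dirnames, baseline=PATCHED):
    """List VC90 assemblies whose file version is older than the MS11-025 baseline."""
    found = (parse_sxs_dir(d) for d in dirnames)
    return [a for a in found if a is not None and a.version < baseline]

def installer_would_replace(installed: Optional[tuple], candidate: tuple) -> bool:
    """Versioned-install rule from the reply: a package never overwrites a newer version."""
    return installed is None or candidate > installed

# Constructed sample listing, not taken from a real machine.
SAMPLE = [
    "x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab22bcba71c2",
    "x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.5570_none_7d8431d4da2a27da",
    "x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_0011223344556677",
    "amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_8899aabbccddeeff",
    "x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_0123456789abcdef",
]

if __name__ == "__main__":
    for a in below_baseline(SAMPLE):
        print(f"{a.arch} {a.name} {'.'.join(map(str, a.version))} is older than MS11-025")
```

On a real system the same function can be fed `os.listdir(os.path.join(os.environ["WINDIR"], "WinSxS"))`; a 4148 build listed there is only a concern for applications that actually load that assembly, which is the distinction the reply draws.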

Thanks for the extensive reply, further reading based on the information you provided indicates that breaking Windows 2000 is merely the most serious of several problems with the latest Visual C++ updates.

Also, thanks for continuing to support Windows 2000, I run W2K virtual machines under Linux and x64 Windows where its relatively low system requirements make it a good choice for running those old programs that don’t behave properly under more modern operating systems.