/////////////////////////////////////////////// 原文 ////////////////////////////////////////////
After installing KB971090 for Visual C++ 2005 SP1, the version of ATL/MFC/CRT referenced in the generated manifests is changed from 8.0.50727.762 to 8.0.50727.4053
The above change forces the application developer to rebuild all components to reference the 4053 version of the versions of ATL/MFC/CRT in the manifest, as well as making it necessary to ship a new vcredist_x86.exe and/or MSM files containing the new 4053 versions of ATL/MFC/CRT.
Instead of uninstalling the KB971090 update, we can force the build to use the 8.0.50727.762 version instead of the default which is 8.0.50727.4053. Microsoft provides a mechanism to specify the assembly version number to use in the manifests.
Steps to take to allow your applications to reference 8.0.50727.762 instead of 8.0.50727.4053
1) Create a file named targetsxs.h with the following content and put it in a common location
#ifndef __midl
#define _SXS_ASSEMBLY_VERSION "8.0.50727.762"
#ifdef __cplusplus
extern "C" {
__declspec(selectany) int _forceCRTManifest;
__declspec(selectany) int _forceMFCManifest;
__declspec(selectany) int _forceAtlDllManifest;
__declspec(selectany) int _forceCRTManifestRTM;
__declspec(selectany) int _forceMFCManifestRTM;
__declspec(selectany) int _forceAtlDllManifestRTM;
#ifdef __cplusplus
2) The above file needs to be included in every project you wish to build.
Accomplish this in one of two ways. The first method involves the changing of source code. The second involves changing of project settings.
choose A or B which ever one is more appropriate for your situation:
A) #include "targetsxs.h" near the top of every one of your stdafx.h files
(using the path you saved the targetsxs.h)
B) Use the force include (/FI) compile option to make sure that the above file is included in every file built. To accomplish that, add the following command line to your compiler options
(where c:\path is the location of the targetsxs.h you created in step 1)
There are two methods to accomplish that: either directly in your project or through a compiler environment variable:
Method i)
Add the above to the command line section of the C/C++ project properties.
Method ii)
Create an environment variable named CL with the above-mentioned /FI statement
Method (ii) is more convenient to use when you have dozens of projects that you do not wish to make changes to, but may conflict with other work you do on your machine.
3) For every MFC DLL project in your solution add the following line to the bottom of the stdafx.cpp file
#include "..\src\mfc\dllmodul.cpp"
Step three is only necessary if you have any MFC DLL projects (this step is necessary due to a bug in the handling of the assembly versions in MFC DLLs – the bug is that a reference to the latest version of the DLLs will always be included regardless of what is set in step 1)
4) Do a rebuild all of all the projects in your solution
5) Inspect manifest files (by doing a find in files for *.intermediate.manifest) to ensure that 4053 no longer appears in any of the manifests.
6) Run your app on a machine that has no 4053 components installed to WinSxS to make sure runs properly.
IMPORTANT NOTE: if you have ATL controls that are affected by this security problem please ensure you have followed the directions to modify your controls to take advantage of the security updates. A simple recompile may not be enough. For more info please see the video at:
Does referencing 762 instead of 4053 make your application less secure?
No. Microsoft provides WinSxS policy redirection, so any application referencing 762 will end up loading the 4053 versions (if they’re installed). The ATL security update redistributable has been released as an update on Windows Update, so the 4053 version of ATL will be in place, and will be used even though your app still references the 762 version of ATL.
*Important note: you should still ship the new version of the redistributable if at all possible, as users may have not updated using Windows Update.
What are the benefits to referencing 762 instead of 4053 in your SP1 applications?
1) If you have existing applications shipped and you need to rebuild any components shipped, then new MSM or vcredist_x86.exe containing 4053 versions do not need to be shipped. You can continue to ship existing components with 762 versions.
2) If you have existing third party static libraries that reference 762, then you need not rebuild them to reference 4053.
Does VC2008 SP1 security update have a similar issue?
Yes, it does, if you use _BIND_TO_CURRENT_VCLIBS_VERSION in your project. It will bind to the security update version instead of the SP1 version. You can use a similar technique as described above (step 3 is not required) to get around this problem.
For VC2008 SP1 the values for the current versions of the CRT/MFC/ATL have changed slightly, instead of _forceCRTManifest, you should use _forceCRTManifestCUR. The same thing applies for MFC/ATL (add the CUR). And of course, the version numbers you’re dealing with are different: SP1 9.0.30729.1 vs the new SP1+security update which is 9.0.30729.4148
///////////////////////////////////////// 译文 /////////////////////////////////////////
在安装了Visual C++ 2005 SP1的KB971090安全更新后,VC生成的manifest中引用的ATL/MFC/CRT库的版本从8.0.50727.762变成了8.0.50727.4053。
1) 创建一个名为targetsxs.h的头文件,填入下面的内容,保存在某个固定目录下。
#ifndef __midl
#define _SXS_ASSEMBLY_VERSION "8.0.50727.762"
#ifdef __cplusplus
extern "C" {
__declspec(selectany) int _forceCRTManifest;
__declspec(selectany) int _forceMFCManifest;
__declspec(selectany) int _forceAtlDllManifest;
__declspec(selectany) int _forceCRTManifestRTM;
__declspec(selectany) int _forceMFCManifestRTM;
__declspec(selectany) int _forceAtlDllManifestRTM;
#ifdef __cplusplus
2) 你需要在每个你希望编译的项目中包含上面的头文件。
A) 在你的每一个stdafx.h头文件的头部包含"targetsxs.h"头文件
B) 强制使用(/FI)编译选项来保证每个文件编译时都包含上面的头文件(targetsxs.h)。为了达到这个目的,你可以在你的编译器选项中添加如下的命令行
3) 对于你项目清单中的每个MFC DLL工程,你需要在stdafx.cpp文件的底部添加下面一行代码
#include "..\src\mfc\dllmodul.cpp"
只有当你使用了MFC DLL工程的时候,这一步才是必需的(之所以是必需的是因为在MFC DLL中处理汇编代码(assembly versions)时的一个Bug - 如果没有包含dllmodul.cpp的话,步骤一设置的东西就不会被包含而编译器会始终引用最新版本的DLL)。
4) 编译你的项目清单中的所有工程。
5) 检查manifeset文件(就是编译器生成的那些*.intermediate.manifest文件)以确保4053不会出现在任何manifest文件中。
6) 在一台没有安装4053版本WinSxS组件机器上运行你的应用程序来验证它可以正常运行。
不会。微软提供了一种WinSxS重定位策略,所以任何引用到762版本ATL的应用程序都最终会应用到4053版本(如果你安装了它们的话)。这个ATL安全更新已经作为Window Update的更新发布了,所以一旦你保持了与Window Update同步的更新,那么你就已经准备好使用4053版本的ATL了,即使你的应用程序仍然引用了762版本的ATL,你最终还是会使用4053版本的ATL。
*重要提示:如果可能的话,你最好还是把最新版本的分发包随你的应用程序一起发布,因为用户有可能并不会使用Window Update来更新最新的组件。
1) 如果你有一些应用程序已经发布了但是必须重新编译某些已经发布出去的组件,那么你就不用再发布新的MSM或者包含4053版本的vcrdist_x86.exe了。你可以继续使用762版本来发布现有的组件。
2) 如果你有使用引用到762版本的第三方静态库的话,你也不需要将它们重新编译到4053版本。
3.VC2008 SP1安全更新是否有同样的问题呢?
对于VC2008 SP1,CRT/MFC/ATL的当前版本号有些许变化,你应该使用_forceCRTManifestCUR来代替_forceCRTManifest。对于MFC/ATL也必须使用同样的设置(添加CUR)。当然,此时你所面对的版本号也是不同的:SP1是9.0.30729.1,而最新的SP1+安全更新则是9.0.30729.4148。