Tuesday, August 4, 2009

Security Update for Compiler broke our demo

Timeline:
On Tuesday night (July 28)/Wednesday morning, a set of patches was pushed out through Windows Update, specifically KB973923 and KB971090, which were updates to Visual C++ Service Pack 1.

On Wednesday July 29, I set about to rebuild our NetScanTools Pro demo in anticipation of Thursday's Laura Chappell Wireshark 101 Webinar sponsorship. I've done this frequently and tested it on computers here that had the compiler. All worked well and it was posted.

On Thursday July 30, the webinar was held and a number of people downloaded the demo.

On Friday July 31, I had two people call and email about the dreaded "C:\program files\nwps\NetScanTools Pro Demo\nstpro.exe This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." (PANIC!) A quick Google search pointed to the Side by Side (SxS) DLL linkage being wrong. After a bit of checking I saw that the MFC and Visual C Runtime DLL dependencies had changed from 8.0.50727.762 to 8.0.50727.4053 (it was in the manifest file). (FRUSTRATION!) Almost no one trying the demo will have those later SxS DLLs. I found that MS had updated the vcredist_x86.exe so I sent it to one of those people and it fixed the demo. Now I had to quickly rebuild the demo installer to include the new 8.0.50727.4053 redistributable SxS installer and post it. I did that by 5pm Pacific Time.

Bottom line: if you downloaded the demo between 5pm Wednesday July 29 and 5pm Friday July 31, you need to discard that download and redownload it today. Use the same link; that has not changed.

So here's my rant. I admit Microsoft told us they were updating some security issues with ATL, but I was using MFC and it didn't seem like it applied to us. And yes, we should have tested the demo on a computer without a compiler on it.

But Microsoft should have said:
"LISTEN UP! If you are using MFC and/or Runtime DLLs dynamically linked, anything you compile from now on will need to use the new redistributable we provided or your app might break!"

Something like this needs to be in the compiler and should be shown the first time the compiler loads a dynamically linked application after they make an update such as this. What's so hard about that?

Oh, and they also published similar patches for the 2008 compiler. We use that too, and now we know. Needless to say, non-starting demo programs probably = lost business.
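A build-time check for the mismatch described in the timeline above, as an added example that is not part of the original post or of NetScanTools: it reads the side-by-side dependencies from a manifest and reports any that the redistributable bundled in the installer does not cover. The sample manifest is constructed, the function names and the `shipped` mapping are hypothetical, and it assumes an equal or newer shipped version satisfies a dependency.

```python
import xml.etree.ElementTree as ET

ASM = "{urn:schemas-microsoft-com:asm.v1}"  # namespace of SxS manifest elements

# Constructed sample: a manifest as it would look after the compiler update,
# with the CRT and MFC dependencies both requesting 8.0.50727.4053.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.VC80.CRT"
        version="8.0.50727.4053" processorArchitecture="x86"/>
  </dependentAssembly></dependency>
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.VC80.MFC"
        version="8.0.50727.4053" processorArchitecture="x86"/>
  </dependentAssembly></dependency>
</assembly>"""


def version_tuple(text):
    # Compare numerically: as plain strings, "762" would sort after "4053".
    return tuple(int(part) for part in text.split("."))


def manifest_dependencies(manifest_xml):
    """Map each dependentAssembly name to the version the manifest requests."""
    root = ET.fromstring(manifest_xml)
    deps = {}
    for dep in root.iter(ASM + "dependentAssembly"):
        ident = dep.find(ASM + "assemblyIdentity")
        if ident is not None:
            deps[ident.get("name")] = ident.get("version")
    return deps


def uncovered_dependencies(manifest_xml, shipped):
    """Return (name, required, shipped) for each dependency the installer misses.

    `shipped` maps assembly name to the version the bundled redistributable
    installs (hypothetical input, maintained alongside the installer script).
    """
    problems = []
    for name, required in sorted(manifest_dependencies(manifest_xml).items()):
        have = shipped.get(name)
        if have is None or version_tuple(have) < version_tuple(required):
            problems.append((name, required, have))
    return problems


if __name__ == "__main__":
    old_redist = {"Microsoft.VC80.CRT": "8.0.50727.762",
                  "Microsoft.VC80.MFC": "8.0.50727.762"}
    for name, required, have in uncovered_dependencies(SAMPLE_MANIFEST, old_redist):
        print(f"{name}: manifest requires {required}, installer ships {have}")
```

Run as a post-build step, a non-empty result would fail the build before the installer is posted.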
