Today saw Microsoft release an out-of-band update for Visual Studio correcting a vulnerability in the Active Template Library (ATL). Any control compiled with previous versions of ATL may allow remote code execution, so it must be recompiled against the corrected ATL and the fixed version distributed as soon as possible. This vulnerability affects Visual Studio 2003, 2005 and 2008. Microsoft have a dedicated page on the problem on the Microsoft Security site.
The Security Research and Defense blog also has an overview of the release along with a great list of further resources:

- MS09-034: Internet Explorer bulletin
- MS09-035: Visual Studio bulletin
- Security Advisory (KB973882)
- Resource article: Active Template Library security update and developers
- SRD blog: ATL vulnerability developer deep dive
- SRD blog: Internet Explorer Mitigations for ATL Data Stream Vulnerabilities
- SRD blog: MSVIDCTL (MS09-032) and the ATL vulnerability
- SRD blog: Overview of the out-of-band release (this blog post)
- SDL blog: ATL, MS09-035 and the SDL
- MSRC blog: Advisory and Bulletins Released
- BlueHat blog: Security researcher perspective
- EcoStrat blog: Threat Complexity Requires New Levels of Collaboration
- Channel 9 video: "Inside the ATL Security Update" developer guidance
Consumers should install the patch delivered with MS09-034 to protect themselves. It will be delivered automatically to your computer if you have automatic updates turned on; if you don't have them turned on, or you're not sure, Microsoft provide instructions on how to configure automatic updates.
If you're a developer you have a lot of reading ahead. If your company has shipped a control which you cannot fix, or whose lifetime has long since passed, then please consider contacting the SRD folks so they can issue a kill-bit and disable your control for end-users. You can find the email address at the end of the SRD blog post.
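For administrators who want to confirm that a kill-bit has actually landed on a machine, the following PowerShell function is an added example (not code from the original post or from Microsoft): it reads the Internet Explorer ActiveX Compatibility key for a given CLSID and reports whether the kill-bit flag (0x400 in the "Compatibility Flags" DWORD, as documented in KB240797) is set. The CLSID in the usage line is a placeholder; substitute the CLSID of the control in question.

```powershell
# Added example, not part of the original post: check whether Internet Explorer's
# kill-bit is set for an ActiveX control. The kill-bit is stored under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as the DWORD "Compatibility Flags" with bit 0x400 set (see KB240797).
function Test-KillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
    )

    $KillBitFlag = 0x400
    $results = @()

    # Both the native view and, on 64-bit Windows, the WOW64 view: a 32-bit
    # Internet Explorer process reads the Wow6432Node copy of the key.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($root in $roots) {
        $keyPath = Join-Path $root $Clsid
        if (-not (Test-Path $keyPath)) {
            # No key at all means no kill-bit in this view.
            $results += [pscustomobject]@{ Path = $keyPath; KillBit = $false; Flags = $null }
            continue
        }

        $flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $set = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
        $results += [pscustomobject]@{ Path = $keyPath; KillBit = $set; Flags = $flags }
    }

    return $results
}

# Usage (placeholder CLSID; replace with the control's real CLSID):
# Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A control is only blocked in a given bitness of Internet Explorer if the kill-bit is present in the registry view that process reads, which is why the function reports both paths rather than a single yes/no.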