Microsoft released two out-of-band patches today. MS09-034 addresses the issue that cropped up as a zero-day threat just before Patch Tuesday a few weeks back. And apparently, in the course of fixing that vulnerability, either 1) a light bulb went off somewhere or 2) someone showed them the light, because the bonus patch was MS09-035, covering a component of the Visual Studio products, the Active Template Library (ATL). These are absolutely critical vulnerabilities, potentially worse than Conficker/Downadup and MS08-067.
Why are these so dangerous? MS09-034 was a zero-day release, meaning the vulnerability was being exploited in the wild before it had been disclosed publicly. How dangerous a zero-day is depends on whether an exploit is available and how easy it is to use. In this case, it's a critical vulnerability. I'd rush to get it out on any system that hits the web. But MS09-035 has potentially far-reaching implications. ATL is a C++ template library, so its code is compiled into every ActiveX control and COM component built with it rather than living in one shared DLL; fixing the library alone does not fix those controls, and each affected one has to be rebuilt against the patched ATL and redistributed by its vendor. I'm still searching out information, but there are already indications that the ATL vulnerability may affect a fair number of third-party applications. In other words, the ripple effect of this one may last a long time.