"A new moderately critical vulnerability has been reported that affects two application programming interfaces (APIs) used in Windows XP. The flaw is in the MFC42 and MFC71 libraries that together handle searches across the Windows file system. These interfaces are used by applications that were developed using the Microsoft Foundation Classes libraries, an older set of object-oriented tools that predate .NET.
The bug is a standard buffer overflow problem, where the function FindFile allocates memory for a buffer, then stores the contents of the first argument for the FindFile function in this buffer without checking to see if the argument actually fits inside the allocated memory space. A malicious document opened in one of these applications could call the the function and overflow the buffer, potentially allowing arbitrary code to be executed. "