Hence as part of its setup Avast is making the system vulnerable to remote code execution.
No, I don't think so.
A few comments:
- the ATL DLL itself is not "vulnerable", but only any application that uses a certain part of the library. When we install the library, there's presumably no app using it on the system
- Avast itself doesn't use the ATL feature and so is not affected
- the DLLs are versioned, i.e. the installer never overwrites a newer version
- the reason why we currently don't ship the new package is that it's broken. Namely, the new package completely breaks support for Windows 2000.
Thanks
Vlk