While this specific patch fixes a buffer overflow, and thus prevents malicious code execution, programmers must still be careful. Patched or not, sprintf can still be used as the basis of a denial-of-service attack: given a malicious format string from an attacker, it will build huge, memory-consuming blocks of data. It is best if no unchecked data from outside sources gets passed to sprintf as a format, either directly or through a function such as syslog.
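As an added illustration (not code from the Perl Foundation announcement or from the patch itself), the following Perl shows the unsafe pattern the paragraph warns about beside its safe form. The input string is constructed, and the function names and the format allowlist are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw(:standard :macros);

# Constructed untrusted input, standing in for text read from a request
# or a log line. A width in the format tells sprintf how large a string
# to build, so whoever controls the format controls the allocation.
my $untrusted = '%40s';   # a small width here; the mechanism scales up

# UNSAFE: the untrusted string is used as the format itself.
sub render_unsafe {
    my ($text) = @_;
    return sprintf($text, 'x');    # width field is honoured
}

# SAFE: the format is a literal; untrusted text is only ever an argument,
# so any '%' sequences inside it are printed verbatim, not interpreted.
sub render_safe {
    my ($text) = @_;
    return sprintf('%s', $text);
}

# For code paths that must accept a caller-supplied format, allow only
# formats the program itself defines (hypothetical allowlist).
my %known_format = map { $_ => 1 } ('%s', 'user=%s ip=%s');
sub render_checked {
    my ($fmt, @args) = @_;
    die "refusing untrusted format '$fmt'\n" unless $known_format{$fmt};
    return sprintf($fmt, @args);
}

printf "unsafe: %d bytes\n", length render_unsafe($untrusted);  # 40, width obeyed
printf "safe  : %d bytes\n", length render_safe($untrusted);    # 4, literal text
print render_checked('%s', $untrusted), "\n";

# Same rule for syslog(): Sys::Syslog's syslog($priority, $format, @args)
# treats its second argument as a format, so pass the literal '%s' there.
eval {
    openlog('example', 'pid', LOG_USER);
    syslog(LOG_INFO, '%s', $untrusted);   # correct: data is an argument
    # syslog(LOG_INFO, $untrusted);       # wrong: attacker controls the format
    closelog();
};
warn "syslog unavailable: $@" if $@;
```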
For further information, or information about The Perl Foundation, please email pr at perlfoundation.org.
When can we expect a patch for Windows 2003?
The patches are already available on the CPAN if you build from source. If you're using ActiveState's builds, that's something to direct to ActiveState.