According to MS Q326568:

"If the user had installed Visual FoxPro 6.0 (or had installed a product that includes the Visual FoxPro 6.0 runtime), and the file name of the application was constructed in a particular way, the application would run. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context."

Alan

>>If I patch my dev copy of VFP6, then create a distribution for an app which includes VFP6 runtime, will users who install my app be protected or vulnerable?
>
>Hi Al,
>
>It's my hunch that the flaw requires the developer version of VFP on a machine. So, if your clients only have the runtime dlls, then there's no problem. Then there will be no mechanism that automatically starts an APP. And if some of your clients have the dev-version (too), and if it's not there due/thanks to you, then there's also no problem, formally spoken. Although you might want to confront those persons with the link of the MS-webpage, as a service.