PRoSToTeM@
Veteran Member
Join Date: Jan 2010
Location: Russia, Ivanovo
07-10-2017, 19:30   Re: Open Source Half-Life Engine
#72

The bug with %s0 is located in CLocalizedStringTable::ConstructString. It checks that X in "%sX" is less than or equal to numFormatParameters, but doesn't check that X > 0.
When there is no "%sX" (just "%s" or something else) in the message, the client uses snwprintf. But snwprintf doesn't support the argument count check like ConstructString does, so snwprintf can get garbage from the stack and crash the client. So a custom snwprintf implementation with argument count checking should be used (they can copy the code from CLocalizedStringTable::ConstructString and change the part of the code with positional %s).
Last edited by PRoSToTeM@; 07-10-2017 at 20:06.
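A checked formatter of the kind the post asks for, as an added example (not code from the post, nor from the engine): a hypothetical, simplified constructStringChecked that handles both positional "%sN" and bare "%s" tokens and refuses N == 0, N beyond the parameter count, and more bare "%s" tokens than parameters. It assumes narrow std::string input and single-digit indices; the struct and function names are made up for this example.

```cpp
#include <string>
#include <vector>

// Result of a checked substitution: ok == false means the format referenced
// an argument that was not supplied (the situation in which, per the post,
// the unchecked code reads a missing or out-of-range argument).
struct FormatResult {
    bool ok;
    std::string text;   // formatted text on success, error description otherwise
};

// Hypothetical, simplified stand-in for a checked ConstructString/snwprintf:
// substitutes positional "%sN" (N = 1..9, 1-based; assumption: one digit) from
// params[N-1], and bare "%s" sequentially from params. Every access to params
// is bounds-checked, including N == 0, which the original check missed.
FormatResult constructStringChecked(const std::string& fmt,
                                    const std::vector<std::string>& params) {
    std::string out;
    size_t nextSeq = 0;  // next param consumed by a bare "%s"
    for (size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') { out += fmt[i]; continue; }
        if (i + 1 < fmt.size() && fmt[i + 1] == '%') { out += '%'; ++i; continue; }
        if (i + 1 >= fmt.size() || fmt[i + 1] != 's') {
            return {false, "unsupported conversion at offset " + std::to_string(i)};
        }
        if (i + 2 < fmt.size() && fmt[i + 2] >= '0' && fmt[i + 2] <= '9') {
            // Positional token: reject both N == 0 and N > params.size().
            size_t n = static_cast<size_t>(fmt[i + 2] - '0');
            if (n == 0 || n > params.size()) {
                return {false, "positional index " + std::to_string(n) +
                               " outside 1.." + std::to_string(params.size())};
            }
            out += params[n - 1];
            i += 2;
        } else {
            // Bare "%s": only valid while an unconsumed parameter remains.
            if (nextSeq >= params.size()) {
                return {false, "bare %s with no remaining parameter"};
            }
            out += params[nextSeq++];
            i += 1;
        }
    }
    return {true, out};
}
```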