On further testing, it looks like OSX and Linux payment protocol requests with the released 0.9.0 binaries are not vulnerable.
The released Windows 0.9.0 binaries are vulnerable, so Wladimir just sent an alert message urging everybody running 0.9.0 to upgrade.
@s{quotedtext}
@s{quotedtext}
Check again; see the use of CKeyingMaterial/CPrivKey which uses a secure_allocator (which asks the operating system not to swap the memory to disk, and which zeros memory on free). If I recall correctly, the RPC importprivkey should be the only place where the normal memory allocator is used (the keys exist as ordinary hex strings in memory before they are processed by the importprivkey code).
Careful review (and testing and patches) is always welcome, of course. You shouldn't trust my famously faulty memory.