Flaw Could Enable Web Page to Launch Visual FoxPro 6.0
Message
From
08/09/2002 15:38:41
Jonathan Cochran
Alion Science and Technology
Maryland, United States
To
05/09/2002 00:57:11
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00696759
Message ID: 00698063
Views: 24
Hi John. In doing some testing, it appears that if you reinstall the VFP runtime after installing the patch, the vulnerability is back. Am I correct in assuming that you need to reinstall the patch every time you reinstall the VFP runtime (or, more specifically, any app that includes the VFP runtime)?

Thanks,
Jonathan

>Hi Armin,
>
>Essentially, you are correct.
>
>Some more information:
>
>
>  • VFP 3 and 5 installations and distributed apps are unaffected.
>  • VFP6 installations and apps are safe if a VFP7 product or app were installed afterwards.
>  • If in doubt, apply the patch. It won't negatively affect situations where it's not needed.
>
>FYI, I was the tester for this issue and I figured out the patch. If you or anyone else in this thread has concerns or questions, feel free to email me at jkoziol@microsoft.com.
>>
>>PMFJI, but I thought you and John might find this interesting ...
>>
>>I've had a look in the dialog where the file extensions and the associated registered applications are shown. I have both (VFP 6 and 7) installed on my machine and app files are registered to open without confirmation after download (that's the security hole). If I remember right, I installed VFP7 first and then VFP6 after upgrading my machine to Win XP. This is confirmed by the fact that my VFP6 exe is registered for the execution of app files.
>>
>>My conclusion: If you have both versions installed, it depends on the order in which they were installed. First VFP 6, then 7 is ok. First VFP7 then VFP6, not ok.
>>
>>IMO you have two options: Check the setting on each machine you're not sure in which order both VFP versions were installed and only apply the patch to those, which are not ok - or simply patch each machine (probably the faster and easier way).
>>
>>Regards,
>>Armin
>>
>>>John,
>>>
>>>Let me get this straight. If we have both VFP6 & VFP7 installed on the same machines we DON'T have to install the patch?
>>>
>>>Jacci
>>>
>>>>
>>>>Well...most users of VFP6 end-user apps may not even know they have VFP6 runtimes and any rewording would be lost on them. Almost any VFP developer reading the bulletin will understand the implications and, hopefully, take the appropriate steps to ensure their customers or coworkers are taken care of.
>>>>
>>>>>What YOU say makes sense to me (i.e. if VFP7 "registers", for instance, the .app suffix, then it should work for VFP6 apps too).
>>>>>BUT the text says, as I read it, that if VFP6 is installed you will have this problem.
>>>>
>>>>It's company confidential what the exact issue was and how the patch fixes it, sorry.
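
The per-machine check Armin suggests in the quoted reply above (look at whether the file type is registered to open without confirmation after download) can be scripted; this is an added example, not code from the thread or from Microsoft, and it says nothing about whether the patch itself is installed. It assumes that setting is the shell's `EditFlags` bit `FTA_OpenIsSafe` (0x00010000) on the ProgID the extension maps to, and it reads a regedit text export of HKEY_CLASSES_ROOT; the ProgID names and the extensions other than `.app` are constructed placeholders.

```python
import re

# Shell file-type flag FTA_OpenIsSafe: downloaded files of this type open without a prompt.
FTA_OPEN_IS_SAFE = 0x00010000

# Constructed sample export of HKEY_CLASSES_ROOT; ".app" is from the thread,
# every ProgID and the other extensions are placeholders.
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\.app]
@="Example.AppFile"
[HKEY_CLASSES_ROOT\Example.AppFile]
"EditFlags"=hex:00,00,01,00
[HKEY_CLASSES_ROOT\.ex1]
@="Example.Type1"
[HKEY_CLASSES_ROOT\Example.Type1]
"EditFlags"=dword:00000000
'''

def parse_export(text):
    """Map each key directly under HKCR (lower-cased) to its {value name: raw data}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$', line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
        elif line.startswith('['):
            current = None                      # subkey or another hive: ignore its values
        elif current is not None and '=' in line:
            name, data = line.split('=', 1)
            current[name.strip('"')] = data
    return keys

def edit_flags(raw):
    """Decode EditFlags stored as REG_DWORD or as little-endian REG_BINARY; absent means 0."""
    if raw and raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw and raw.startswith('hex:'):
        return int.from_bytes(bytes(int(b, 16) for b in raw[4:].split(',') if b), 'little')
    return 0

def audit(text, extensions):
    """Report, per extension, whether its registered file type skips the download prompt."""
    keys, report = parse_export(text), {}
    for ext in extensions:
        progid = keys.get(ext.lower(), {}).get('@', '').strip('"')
        flags = edit_flags(keys.get(progid.lower(), {}).get('EditFlags'))
        report[ext] = ('not registered' if not progid else
                       'opens without prompt' if flags & FTA_OPEN_IS_SAFE else 'prompts')
    return report
```

Real regedit exports are UTF-16 text, so read them with `open(path, encoding='utf-16')` before passing the contents to `audit`.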