Folks

We are bombarded with critical warnings about the GDI+ buffer overrun exploit but the response from Installshield and MS is somewhat underwhelming if one wants the logical solution for distribs, i.e. a new MSM build.

The problem is discussed at http://www.installsite.org/pages/en/topic/gdiplus.htm
It seems to be the case that MS has not come up with a new MSM yet (wouldn't it take about 10 minutes?)

On one of Installshield community forums, an Installshield answer appears to be that this company does not plan to provide a new MSM unless you upgrade to the latest version. I hope this is not their final opinion, as it comes after Installshield Express 5 purchasers were amazed to find that their forum moderator had vanished into thin air about six months after the product release.

I have downloaded a new build of GDIplus.dll (5.1.3102.1360) from http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx so what's the go now? Just throw it into C:\Program Files\Common Files\Microsoft Shared\VFP\ without using an MSM?

Does this DLL need registration?

Whether or not I feel the exploit poses a danger to my application, I have to satisfy customers that it does not contain the vulnerable GDI+ version.

Has this been discussed yet?
John Burton