Folks
We are bombarded with critical warnings about the GDI+ buffer overrun exploit but the response from Installshield and MS is somewhat underwhelming if one wants the logical solution for distribs, i.e. a new MSM build.
The problem is discussed at
http://www.installsite.org/pages/en/topic/gdiplus.htm It seems to be the case that MS has not come up with a new MSM yet (wouldn't it take about 10 minutes?)
On one of Installshield community forums, an Installshield answer appears to be that this company does not plan to provide a new MSM unless you upgrade to the latest version. I hope this is not their final opinion, as it comes after Installshield Express 5 purchasers were amazed to find that their forum moderator had vanished into thin air about six months after the product release.
I have downloaded a new build of GDIplus.dll (5.1.3102.1360) from
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx so what's the go now? Just throw it into C:\Program Files\Common Files\Microsoft Shared\VFP\ without using an MSM?
Does this DLL need registration?
Whether or not I feel the exploit poses a danger to my application, I have to satisfy customers that it does not contain the vulnerable GDI+ version.
Has this been discussed yet?
John Burton