Old 01-05-2006, 02:12 AM
Josh Einstein
 
Re: WMF Exploit!!! Install this patch now!

I'm just saying people should trust security experts. There *are* people out
there more qualified to give security guidance than you or MS. SANS,
F-secure, and Steve Gibson are 3 such parties.

The patch may be unknown to or untested by you, but not to those security
experts.

--
Josh Einstein
Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
www.tabletoutlook.com

"Chris H." <winxpnews@hotmail.com> wrote in message
news:eNZBS6IEGHA.140@TK2MSFTNGP12.phx.gbl...
> Please speak for yourself only, Josh. This is a serious subject, and you
> shouldn't be letting your personal opinions about people interfere with
> guiding users in the right direction. It is irresponsible for anyone to
> download and install such an unknown, untested patch. Microsoft's
> security bulletin, in part, already issued on the subject:
> =====
> Microsoft Security Advisory (912840)
> Vulnerability in Graphics Rendering Engine Could Allow Remote Code
> Execution.
> Microsoft is investigating new public reports of a vulnerability in
> Windows. Microsoft will continue to investigate the public reports to help
> provide additional guidance for customers.
> Microsoft is aware of detailed exploit code that could allow an attacker
> to execute arbitrary code in the security context of the logged on user
> when visiting a Web site, which contains a specially crafted Windows
> Metafile (WMF) image. An attacker would have no way to force users to
> visit a malicious Web site. Instead, an attacker would have to persuade
> them to visit the Web site, typically by getting them to click a link that
> takes them to the attacker's Web site.
> Customers are encouraged to keep their antivirus software up to date. The
> Microsoft Windows AntiSpyware (Beta) can also help protect your system
> from spyware and other potentially unwanted software. We will continue to
> investigate these public reports.
> Upon completion of this investigation, Microsoft will take the appropriate
> action to help protect our customers. This will include providing a
> security update through our monthly release process or providing an
> out-of-cycle security update, depending on customer needs.
> Microsoft encourages users to exercise caution when they open e-mail and
> links in e-mail from untrusted sources. For more information about Safe
> Browsing, visit the Trustworthy Computing Web site.
> We continue to encourage customers to follow our Protect Your PC guidance
> of enabling a firewall, applying software updates and installing antivirus
> software. Customers can learn more about these steps at the Protect Your
> PC Web site.
> Customers who believe they may have been affected by this issue can
> contact Product Support Services. You can contact Product Support Services
> in the United States and Canada at no charge using the PC Safety line (1
> 866-PCSAFETY). Customers outside of the United States and Canada can
> locate the number for no-charge virus support by visiting the Microsoft
> Help and Support Web site.
> Mitigating Factors:
> · In a Web-based attack scenario, an attacker would have to host
> a Web site that contains a Web page that is used to exploit this
> vulnerability. An attacker would have no way to force users to visit a
> malicious Web site. Instead, an attacker would have to persuade them to
> visit the Web site, typically by getting them to click a link that takes
> them to the attacker's Web site.
> · An attacker who successfully exploited this vulnerability could
> gain the same user rights as the local user. Users whose accounts are
> configured to have fewer user rights on the system could be less impacted
> than users who operate with administrative user rights.
> · By default, Internet Explorer on Windows Server 2003, on
> Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service
> Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition
> runs in a restricted mode that is known as Enhanced Security Configuration.
> This mode mitigates this vulnerability where the e-mail vector is
> concerned although clicking on a link would still put users at risk. In
> Windows Server 2003, Microsoft Outlook Express uses plain text for reading
> and sending messages by default. When replying to an e-mail message that
> is sent in another format, the response is formatted in plain text. See
> the FAQ section of this vulnerability for more information about Internet
> Explorer Enhanced Security Configuration.
> =====
> --
> Chris H.
> Microsoft Windows MVP/Tablet PC
> Tablet Creations - http://nicecreations.us/
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> "Josh Einstein" <josheinstein@hotmail.com> wrote in message
> news:u8AIybIEGHA.3000@TK2MSFTNGP14.phx.gbl...
>> This is a typical response from Chris who only trusts MS's word as
>> gospel. But rather than linking directly to the EXE you should link to
>> the page where the user can download it. Direct EXE links are
>> irresponsible to click as well. Especially considering that they are so
>> easily spoofed.
>>
>> --
>> Josh Einstein
>> Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
>> www.tabletoutlook.com
>>
>> "Jim" <reply@groups.please> wrote in message
>> news:kMwuf.37341$Lb1.8673@bignews3.bellsouth.net...
>>> Chris,
>>>
>>> You are acting in an extremely irresponsible manner. This is one of
>>> the largest exploits ever to hit the Windows platform (in number of
>>> machines affected), and you are telling people to do nothing.
>>>
>>> The only thing more irresponsible than your post is Microsoft's
>>> refusal to take immediate action for such an exploit.
>>>
>>> Jim
>>>
>>> "Chris H." <winxpnews@hotmail.com> wrote in message
>>> news:um047fHEGHA.140@TK2MSFTNGP12.phx.gbl...
>>>> Microsoft has not released a patch at this point. Please do not
>>>> download or install a patch from any other source.
>>>> --
>>>> Chris H.
>>>> Microsoft Windows MVP/Tablet PC
>>>> Tablet Creations - http://nicecreations.us/
>>>> Associate Expert
>>>> Expert Zone - www.microsoft.com/windowsxp/expertzone