WMF Exploit!!!! Install this patch now!


  #51  
Old 01-05-2006, 03:50 PM
Mitch
 
Posts: n/a
Default Re: WMF Exploit!!!! Install this patch now!

In article <#EfRs$fEGHA.2708@TK2MSFTNGP11.phx.gbl>, Tom Porterfield
<tpporter@mvps.org> wrote:

> > I agree about their policy on how they release patches, patches should be
> > released as soon as they effectively fix the problem. They should not be
> > released on a schedule. There is no excuse for intentionally letting an OS
> > be vulnerable to attacks that could have been avoided.

>
> This is a confusing statement since Microsoft's policy *is* to release
> patches on a schedule, after they are thoroughly tested. They create
> the patch, they make sure it is thoroughly tested, and then they release
> on the next scheduled monthly patch release Tuesday.


And you don't see the difference?

Create patch, test patch, release patch.
Create patch, test patch, release patch at the next release date, days
or weeks later.

We're talking about system vulnerabilities here -- immediate
availability is critical. If you had a venomous bite and had antivenin,
you wouldn't take it at the last minute it could be effective -- you'd
take it as soon as you got it.
Reply With Quote
  #52  
Old 01-05-2006, 03:58 PM
Mitch
 
Posts: n/a
Default Re: WMF Exploit!!!! Install this patch now!

In article <eMnr3ffEGHA.208@tk2msftngp13.phx.gbl>, Michael Stevens
<mstevens@bogusmvps.org> wrote:

> Well you snipped the part of my post that explained what I was implying.


Did I? Sorry; missed it entirely.

> was replying to the OP and giving feedback on my experience with the Ilfak
> Guilfanov patch wmffix patch. I wasn't laying blame on Microsoft, I was just
> giving my take on the situation. I do not think MS is the god of computing
> and understand when they say something is not supported you should realize
> it is only MS that does not support it and there are many reasons unrelated
> to technical aspects that influences the MS advisory.


A reasonable point -- the most obvious reason, even if it is valid,
isn't always the only reason or the most significant.

> When an open source patch like this one, that has been scrutinized by a much
> larger base of computer experts than the patch MS releases signs off on it,
> I feel just as safe and secure as one I would get from a daily update from
> Avast, Trend, AVG, Norton, etc. Why should I place a higher value of trust
> on MS for a patch that only they sign off on opposed to one that a much
> larger testing base signed off on as safe and effective.


Another point -- yet since the vulnerability is one created by
Microsoft design, they have the opportunity to fix the original error,
rather than just patch over the hole. I suspect that is what people
would expect, anyway.

> I agree about their policy on how they release patches, patches should be
> released as soon as they effectively fix the problem. They should not be
> released on a schedule. There is no excuse for intentionally letting an OS
> be vulnerable to attacks that could have been avoided.


No, and yet I was hoping more users would have raised a (choose term
for big ole' higgledy-piggledy mess o' noise) by now, forcing Microsoft
to do something immediately.
It just stuns me that Microsoft so blatantly considers corporate sys
admins the most important part of the industry.
Reply With Quote
  #54  
Old 01-05-2006, 06:35 PM
Asher_N
 
Posts: n/a
Default Re: WMF Exploit!!!! Install this patch now!

"Michael Stevens" <xpnews@bogusmichaelstevenstech.com> wrote in
news:OS4AHggEGHA.2616@TK2MSFTNGP10.phx.gbl:

> Tom Porterfield wrote:
>> Michael Stevens wrote:
>>> That should have read as........
>>> I DISAGREE about their policy on how they release patches, patches
>>> should be released as soon as they effectively fix the problem.

>>
>> Ooops. OK, then ignore my other response.

>
> Thanks Tom, seems like you and I are in the minority around this
> group. I can't understand why though. I tested it on one of my
> computers and it was flawless, even has a uninstall that works.
>


Because in larger installations, patches need to be tested. It's far easier
to install a series of patches once a month and test and deploy them, than
to have to go through that cycle several times a month. It also allows me
to have my users leave their computers on overnight only once a month.
Reply With Quote
  #55  
Old 01-05-2006, 06:35 PM
Jim
 
Posts: n/a
Default Re: WMF Exploit!!!! Install this patch now!

The actual problem is not shimgvw.dll. Rather there is a flaw in the
GDI32.DLL that is enabling this exploit.

GDI32.DLL handles virtually ALL graphics calls in Windows, so disabling it
would not be advised.

Jim


"Shane" <shanebeatson@gmail.com> wrote in message
news:eyPyhdeEGHA.3200@tk2msftngp13.phx.gbl...
> "no_name" <no_name@no.where.invalid> wrote in message
> news:KmYuf.20$Kp.11@southeast.rr.com...
>> jt3 wrote:
>>
>>> You might see if IrfanView uses shimgvw.dll to do its thumbnails, and if
>>> not, deregister, and use IV to look at those folders with images.

>>
>> Apparently it does not, since I had already deregistered the DLL &
>> IrfanView can still display thumbnails.
>>
>> Among IrfanView's other benefits are:
>>
>> 1. FREEWARE, and a damn good program.
>> 2. Has plugin for my camera's RAW format files, which windows does not.
>> 3. Small & fast.

>
> I still prefer Explorer's Thumbnail display, at least for .jpg files.
>
> To refine the thought that Thumbnail View being okay for folders such as
> My Pictures, but not for eg, \System32\ , I re-register shimgvw.dll for
> working in folders containing pictures I've taken or otherwise trust, then
> unregister it again when I've finished.
>
> Shane
>
> --
>
>
> The Sugitive
>
> Chapter One: http://tinyurl.com/bcevp
>
> Chapter Two: http://tinyurl.com/ag92o
>
> Chapter Three: Coming to an URL near you soon!
>
> ------------------------------------
>
>



Reply With Quote
  #56  
Old 01-05-2006, 06:35 PM
Tom Porterfield
 
Posts: n/a
Default Re: WMF Exploit!!!! Install this patch now!

Mitch wrote:
>> This is a confusing statement since Microsoft's policy *is* to release
>> patches on a schedule, after they are thoroughly tested. They create
>> the patch, they make sure it is thoroughly tested, and then they release
>> on the next scheduled monthly patch release Tuesday.

>
> And you don't see the difference?


Of course I see the difference. Where did I say I didn't see the
difference? I also never said I agree or disagree with the MS policy.
I simply stated their policy.
--
Tom Porterfield
MS-MVP Windows
http://support.teloep.org

Please post all follow-ups to the newsgroup only.
Reply With Quote
  #57  
Old 01-05-2006, 11:12 PM
jt3
 
Posts: n/a
Default Re: WMF Exploit!!!! Install this patch now!

What I understand from reading about it is that it isn't a flaw, precisely,
but is due to the way the .WMF format is designed--to allow callbacks, and
that's the reason for the 'door' into GDI32.DLL that causes the problem. In
other words, it was designed to do that, and as such allows unauthorized
access to your machine. The unofficial patch just blocks that route.

"Jim" <reply@groups.please> wrote in message
news:0ecvf.4496$0y2.3012@bignews2.bellsouth.net...
> The actual problem is not shimgvw.dll. Rather there is a flaw in the
> GDI32.DLL that is enabling this exploit.
>
> GDI32.DLL handles virtually ALL graphics calls in Windows, so disabling it
> would not be advised.
>
> Jim
>
>
> "Shane" <shanebeatson@gmail.com> wrote in message
> news:eyPyhdeEGHA.3200@tk2msftngp13.phx.gbl...
> > "no_name" <no_name@no.where.invalid> wrote in message
> > news:KmYuf.20$Kp.11@southeast.rr.com...
> >> jt3 wrote:
> >>
> >>> You might see if IrfanView uses shimgvw.dll to do its thumbnails, and if
> >>> not, deregister, and use IV to look at those folders with images.
> >>
> >> Apparently it does not, since I had already deregistered the DLL &
> >> IrfanView can still display thumbnails.
> >>
> >> Among IrfanView's other benefits are:
> >>
> >> 1. FREEWARE, and a damn good program.
> >> 2. Has plugin for my camera's RAW format files, which windows does not.
> >> 3. Small & fast.

> >
> > I still prefer Explorer's Thumbnail display, at least for .jpg files.
> >
> > To refine the thought that Thumbnail View being okay for folders such as
> > My Pictures, but not for eg, \System32\ , I re-register shimgvw.dll for
> > working in folders containing pictures I've taken or otherwise trust, then
> > unregister it again when I've finished.
> >
> > Shane
> >
> > --
> >
> >
> > The Sugitive
> >
> > Chapter One: http://tinyurl.com/bcevp
> >
> > Chapter Two: http://tinyurl.com/ag92o
> >
> > Chapter Three: Coming to an URL near you soon!
> >
> > ------------------------------------
> >
> >

>
>



Reply With Quote