Archived from groups: microsoft.public.win2000.security (
More info?)
"Mark Miller" <markhmiller__@juno.com> wrote in message
news:905401c48606$79e45770$a501280a@phx.gbl...
> For what it's worth, going into the recovery console and
> manually renaming pngfilt.dll to, e.g., pngfilt_.dll
> bypasses the problem at the cost of not being able to
> view .png files in IE. Since .png graphics are not nearly
> as popular as .gif and .jpg, until Microsoft bothers to
> advise US-CERT with something more than "unknown" (see
> link below), I'll assume the browser is vulnerable and
> just live without .png file viewing from within IE.
FWIW, Microsoft appears to have a policy that they avoid discussing
vulnerabilities in most cases until a patch is available. I would guess
they feel that acknowledging a vulnerability before there is a fix puts you
the user at additional risk. There is some merit to that. Also, this is a
relatively new vulnerability, and I can't blame Microsoft for not releasing
a patch yet.
Part of the blame lies on security investigators who announce a
vulnerability to the world without first contacting the vendor privately to
give them a reasonable amount of time to fix the problem without impact to
the customer. Security investigators that don't do that are endangering
Internet users like you and me. Microsoft can code a fix for things in
minutes or hours in some cases, but if they released that patch and it broke
something on your system, you and millions of other people would be pretty
upset. When there are serious vulnerabilities, work can happen round the
clock at Microsoft as needed. But most of the delay on making patches is
probably usually beta testing the patches, and if a problem is found, then a
new beta would probably have to be started.
Facebook
Twitter
Instagram