The operating system fixes reportedly repair vulnerabilities that could potentially allow an attacker to take complete control of a computer. Via remote code execution, an attacker could install programs, view, change, or delete data, and create new accounts with full user rights, according to Microsoft.
The first patch is billed as KB 938464, "Vulnerabilities in GDI+ could allow remote code execution." Responding to "several privately reported vulnerabilities," Microsoft has modified XPe's GDI+ (Graphics Device Interface plus) dynamic link library, which provides two-dimensional vector graphics, imaging, and typography. Without the supplied fixes to GDIPLUS.DLL, maliciously created images could create memory buffer overflows that enable remote code execution, the company warns.
The second patch is billed as KB 954154, "Vulnerability in Windows Media could allow remote code execution." Again responding to "a privately reported vulnerability" rather than an actual attack, Microsoft says it has modified the WMPEFFECTS.DLL supplied with XPe as part of Windows Media Player 11. Without the fix, a specially crafted audio file could allow remote code execution when streamed from a Windows Media server using Windows Media Player 11, the company says.
Further information
Windows XP Embedded (XPe) is inherently more resistant to attacks than its standard desktop cousin, thanks to features such as the Enhanced Write Filter, which allows for a device to be returned to its default condition whenever it is restarted. Nonetheless, Microsoft rates the above vulnerabilities as "critical," and recommends that customers apply the updates immediately.
For more information on either vulnerability, click on the links provided above, which lead to corresponding entries in Microsoft's online knowledge base. To download Microsoft's September 2008 security patches for XPe, access the ECE, here (a user ID and password will be required).