The first update, denoted as KB 953400, adds missing security template files to XPe's
Windows Security Configuration Client Engine component. This component provides the client engine for the
Windows Security Configuration Manager, along with supporting online help files.
The second update, KB 953784, is described as the Test Application Compatibility Macro component. It "adds all the other technology macro components to an image, to assist customers with troubleshooting missing dependencies in their runtime configurations," says Microsoft. The update will have a "significant" footprint impact," Microsoft adds.
According to Microsoft, the above two updates are optional, and should be applied after the
June 2008 security updates that were announced last month.
In a posting on its Windows Embedded Standard (WES) blog, the company listed the older security updates as follows:
- KB 950749 -- Vulnerability in Microsoft Jet database engine could allow remote code execution
- KB 951376 -- Vulnerability in Bluetooth stack could allow remote code execution
- KB 950759 -- Cumulative security update for Internet Explorer
- KB 951698 -- Vulnerabilities in DirectX could allow remote code execution
- KB 950760 -- Cumulative security update of ActiveX kill bits
- KB 950762 -- Vulnerabilities in pragmatic general multicast (PGM) could allow denial of service
Like a
vulnerability fixed by Microsoft in May, KB 950749 apparently involves the Jet database engine, used by XPe to provide data access to applications such as Microsoft Access and Visual Basic. Once again, the vulnerability is rated "critical," since it could allow an attacker to take complete control of a computer. The attack vector would be a Word document containing a specially crafted file using Microsoft's Access .MDB file format, according to the company.
KB 951376, also "critical," involves a vulnerability in XPe's Bluetooth stack. Again, it could allow remote code execution, which permits an attacker to install programs, view, change, or delete data, and create new accounts with full user rights. The fix modifies the way that the Bluetooth stack responds when bombarded with a large number of service description requests, says Microsoft.
A third "critical" vulnerability, denoted as KB 950759, involves the possibility of remote code execution if Internet Explorer is used to view a maliciously crafted web page. The fix modifies the way that the web browser validates data and handles calls to HTML objects, according to Microsoft.
A fourth "critical" vulnerability, KB 951698, involves potential remote code execution via DirectX, in cases where a user opens a specially crafted media file. The fix modifies the way that DirectX handles MJPEG (motion JPEG) and SAMI (synchronized accessible media interchange) files, Microsoft notes.
For details of KB 950760, rated "moderate," and KB 950762, see our earlier coverage,
here.
Further informationTo obtain the June 2008 optional updates, access Microsoft's Mobile & Embedded Communications Extranet (ECE),
here. To obtain the June 2008 security updates, access the ECE
here. (In both cases, a user name and password will be required).
Microsoft has provided no details on the June 2008 optional updates beyond the above, provided via its Windows Embedded Standard blog,
here. If the company follows its usual practice, however, further information should appear at the Knowledge Base URLs
http://support.microsoft.com/kb/953400 and
http://support.microsoft.com/kb/953784.
All updates mentioned are for XPe with SP2, Feature Pack 2007, and/or Update Rollup 1.0.
Related stories:
