The fixes are for XPe with SP2, Feature Pack 2007, and/or Update Rollup 1.0. As always, Microsoft warns that XPe fixes are cumulative, and should be installed in the order they are released. The two new July 2008 Windows XP Embedded (XPe) security updates announced today arrive hot on the heels of the June 2008 "optional" updates belatedly released earlier this week.
The first of the new July updates, denoted as KB 951376, addresses a vulnerability in XPe's Bluetooth stack that could allow remote code execution. Oddly, the Bluetooth vulnerability was supposedly already addressed in Microsoft's June batch of XPe security updates, which referenced the same Knowledge Base number. Microsoft did not state what changes might have been made to the newly offered patch. In any case, KB 951376 is rated as "critical," since potential remote code execution could allow an attacker to install programs, view, change, or delete data, and create new accounts with full user rights. The fix reportedly modifies the way that the Bluetooth stack responds when bombarded with a large number of service description requests (SDRs), according to Microsoft.
The second update, denoted as KB 951748, addresses a threat rated as "moderate," involving vulnerabilities in the Windows DNS (domain name system) that could allow a remote attacker to redirect network traffic, according to Microsoft. The fix addresses the vulnerabilities by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache, the company says.
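The two resolver-side measures named above (unpredictable transaction IDs and a random source port per UDP query) only help if responses are checked against both. The sketch below is an added illustration, not Microsoft's code; the port range, the `Pending` record and all function names are assumptions made for the demo.

```python
import secrets
import struct
from dataclasses import dataclass

PORT_LOW, PORT_HIGH = 49152, 65535  # assumed ephemeral range for this demo

@dataclass(frozen=True)
class Pending:
    """What the resolver remembers about one outstanding UDP query."""
    txid: int
    local_port: int
    server: tuple       # (ip, port) the query was sent to
    question: bytes     # raw QNAME + QTYPE + QCLASS as sent

def encode_question(name, qtype=1, qclass=1):
    """Encode a DNS question section (default: A record, class IN)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return qname + b"\x00" + struct.pack("!HH", qtype, qclass)

def new_query(name, server):
    """Pick TXID and source port from a CSPRNG, never a counter."""
    txid = secrets.randbits(16)
    port = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1)
    question = encode_question(name)
    # Flags 0x0100 = standard query, recursion desired; one question.
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    return Pending(txid, port, server, question), packet

def accept(pending, datagram, src, dst_port):
    """Accept a datagram only if every field matches the pending query."""
    if len(datagram) < 12 + len(pending.question):
        return False
    txid, flags, qdcount = struct.unpack("!HHH", datagram[:6])
    echoed = datagram[12:12 + len(pending.question)]
    return (src == pending.server                # came from the queried server
            and dst_port == pending.local_port   # arrived on the random port
            and flags & 0x8000 != 0              # QR bit: it is a response
            and qdcount == 1
            and txid == pending.txid
            and echoed == pending.question)

def guess_space():
    """Number of (TXID, port) pairs a blind spoofer has to cover."""
    return 2 ** 16 * (PORT_HIGH - PORT_LOW + 1)
```

With a fixed source port, an off-path sender only has to match the 16-bit ID; adding the port check multiplies that space by the size of the port range.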
Further information

For further information on any of the vulnerabilities, click on the Knowledge Base links cited above. To download the updates, access Microsoft's Mobile & Embedded Communications Extranet (ECE) (a user name and password are required).