Microsoft releases "critical" patches for XPe devices

Microsoft has released its monthly batch of security updates for Windows XP Embedded (XPe). Announced on Microsoft's Windows Embedded Standard blog, and available now on its Mobile and Embedded Communications Extranet (ECE), the "November 2008 XP Embedded Security Updates" include two fixes for existing devices, both rated "critical."

As in other months, the "critical" fixes are said to repair vulnerabilities that could potentially allow an attacker to take complete control of a computer. Via remote code execution, an attacker could install programs, view, change, or delete data, and create new accounts with full user rights, according to Microsoft.

The first of the two patches is described, using Microsoft's online knowledge base numbering, as KB 938464, resolving "privately reported" vulnerabilities in the Windows GDI (graphics device interface). The vulnerability may have allowed remote code execution if a user viewed a maliciously crafted image file. But, by modifying GDIPLUS.DLL and other Windows files, the patch prevents this.

The second of the two patches is described as KB 956390, which updates the Internet Explorer web browser to repair "five privately reported vulnerabilities and one publicly disclosed vulnerability." Once again, without the fix, remote code execution might be possible, says Microsoft.

These patches might sound familiar to loyal readers, since they were already released as part of Microsoft's October 2008 XP Embedded Security Updates. The October version of the patches, however, merely entered them into XPe's component database, a part of the Target Designer toolkit that's accessed when new operating system images are being built. In contrast, the newly available November version provides the patches for XPe's Desktop QFE Installer (DQI). That apparently means the fixes can now be applied to existing XPe devices.

Further information

More information on the distinction between component database and DQI patches for XPe may be found on Microsoft's website, here. To obtain the November 2008 XP Embedded Security Updates from Microsoft's ECE, go here (prior registration required). (windowsfordevices.com/news)