Thursday, October 14, 2004

October Security Bulletins available for XPE

The October set of Windows XP Pro security bulletins is out for XPE, and has been posted to the OEM Secure Site for use by XPE customers.  What's posted are the updates to the runtime for use with the (inaccurately named) Desktop QFE Installer tool.  Look for the database updates toward the end of next week on the OEM Secure Site and the Download Center.  We do the desktop updates first for two reasons:

  1. Devices deployed in the field are much more susceptable to attack than devices that have not yet been built.
  2. There were six security updates this month that affect XPE.  When we componentized them, we had three database updates due to component overlap.  That means nine separate releases in two locations - quite frankly, that was too much for us to handle, so we prioritized the desktop releases per reason #1 above.


One thing to note is that we had a bit of a problem with the package installer - again.  Now, before you start hurling tomatos or other sharp pointy things at my head, this one is easy to work around, and we're working with the team that owns the installer to make sure this is the only month this happens (actually, I'd like to give them some credit - once we found the problem, they found the solution in a few hours, and we weren't delayed in releasing anything).

In short, you need to add a file to your runtime before you execute the update on the runtime.  Details on are the download pages for the desktop updates, and are repeated here for completeness.  Follow these steps to get any of these six updates to run on your device:

  1. Create the following folder on the device:
  2. Create a file in this folder called The contents and size of the file are not important. The following command line can be used to create this file:
    copy con

  3. Execute the update package

You can create a zero-length and copy it over as part of a DUA script or SMS script as well - you just need to have the file in the folder specified before running the update on the runtime.  And have the DQI installed, but that's another story...