Desktop Updates for June available

Yesterday, the following Desktop Security Updates for Windows XP Embedded were published to the OEM Secure Site at https://microsoft.embeddedoem.com:

• Windows XP Embedded with Service Pack 2
• MS05-019: Vulnerabilities in TCP/IP Could Allow Denial of Service (893066)
• MS05-025: Cumulative Security Update for Internet Explorer (883939)
• MS05-026: Vulnerabilities in HTML Help Could Allow Remote Code Execution (896538)
• MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
• Windows XP Embedded with Service Pack 1
• MS05-019: Vulnerabilities in TCP/IP Could Allow Denial of Service (893066)
• MS05-025: Cumulative Security Update for Internet Explorer (883939)
• MS05-026: Vulnerabilities in HTML Help Could Allow Remote Code Execution (896538)
• MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
• MS05-028: Vulnerability in Web Client Service May Allow Remote Code Execution and Elevation of Privilege (896426)
• MS05-030: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715)

These updates can be installed on Windows XP Embedded runtimes that already have the Desktop QFE Installer tool installed. 

June Security Updates Coming

I sent off the requests for the recent round of security updates on Tuesday – they’re working their way through the release process and should be available soon.  I’ll update the blog once they’re posted to the OEM Secure Site.

For the record, here is the list of updates that apply to XPE that we are releasing – remember, we only pick up Critical and Important fixes by default.

	XPE SP1	XPE SP2
MS05-004, 887998 (reissue)	Y	Y
MS05-019, 893066 (reissue)	Y	Y
MS05-025, 883939	Y	Y
MS05-026, 896538	Y	Y
MS05-027, 896422	Y	Y
MS05-028, 896426	Y	N
MS05-030, 897715	Y	N

 One thing to note is that the MS05–004 reissue desktop update will be late getting to the site – I’m having problems identifying the correct updates for SP1 and SP2 (there are about 12 different packages to choose from).  Once I get them ID’d, I’ll get them out – expect them next week.

As for the component updates, there’s one final issue that needs to be investigated, but once that’s done, they should be ready for codesigning and release as well.  I’ll be expediting them once they’re OK’d by test.

Microsoft's Security Response Center: How Little Patches Are Made

Great news from Tech-Ed – the MSRC (Microsoft Security Response Center) team made a presentation about how security vulnerabilities are patched on Microsoft platforms and applications.  This is great background material and shows how much work goes into the updated binaries themselves.  All this work happens well before XPE ever gets to work the Embedded voodoo to bring you the componentized versions – good info.

Oh, and one extra point – there’s a sentence in this article that reads:

On every product team within Microsoft, a staff member is on call to coordinate with the MSRC and join the investigation.

When I was on the Embedded team, that person for XPE was me.  I don’t know who the person is now.

Microsoft's Security Response Center: How Little Patches Are Made

Microsoft Security Bulletin Advance Notification

Not sure if this is common knowledge, but Microsoft publishes the Microsoft Security Bulletin Advance Notification the week before security bulletins are supposed to come out.  While it identifies neither specific issues nor bulletins, it does give you a count of issues for Windows.  As a rule of thumb, any Critical or Important bulletin applicable to Windows is packaged to XPE, so the Windows count will be the maximum number of issues we push out in our roll ups.

Also, at this point, we are only handle Critical and Imporant security bulletins by default, so the non-security High Priority updates at the bottom of the page don’t get packaged automagically.  If you find you need one of these (because you saw it come down Windows Update or saw in on MSDN or TechNet), contact PSS to request it’s inclusion for XPE.

 

The Code Room: Building Mobile Apps and Bluetooth Enabled Kiosks

Not sure if I plugged this before, but the latest episode of the Code Room focussed on embedded tech, and stars XPE superstar and eMVP Sean Liming – give it a look.  Not much on XPE, but it’s good to kill your lunch hour anyway.

MSDN TV: The Code Room: Building Mobile Apps and Bluetooth Enabled Kiosks

Office 2003 XML Reference Schemas

OK, it’s not strictly Embedded, but it may open the way for a new class of Embedded devices.  Office is opening their formats to be XML based, which in and of itself is very cool (side note: this will make publishing extra info about Embedded security updates much easier).  But what if someone were to come up with a way, outside of Office, to consume these new formats and put it on an Embedded device.  I’m thinking of a service-based business with a document kiosk available to walk-in customers, with documents stored on the device.  XML attributes could provide user-viewable info before they print the doc, and a network connection allows it to be updated live.

Or maybe an XPE-based projector with slide decks stored right on the projector.  Give it to your sales force on tours to present standard slide decks to prospective customers, or load it with lessons for a substitute teacher to present to a class in your absence.

Maybe a SAN/NAS or printer device with some XML processing that can report on the documents that pass through it with some intelligence on the the documents.

There are possibilities in the embedded space foe this, all made possible by three things – the richness of the Windows API in XPE, XML processing power, and new, open Office document formats.

Office 2003 XML Reference Schemas