Security Update for Windows XP Embedded with SP1 (828750)

Brief Description

This update addresses the MS03-040: Cumulative Patch for Internet Explorer (828750) for Windows XP Embedded with SP1.

Overview

This is the Microsoft Windows XP Embedded with Service Pack 1 component update to address MS03-040: Cumulative Patch for Internet Explorer (828750).

This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following newly discovered vulnerabilities:

A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML–based e-mail that would attempt to exploit this vulnerability.
A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML–based e-mail that would attempt to exploit this vulnerability.

In addition, a change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone. In addition, an attacker could use Windows Media Player’s (WMP) ability to open URLs to construct an attack. An attacker could also craft an HTML-based e-mail that could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially formed HTML–based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit these vulnerabilities.

YOU MAY NOT PROVIDE THIS UPDATE OR THE LOCATION (URL) OF THIS UPDATE TO ANY THIRD PARTIES.

Top of page

System Requirements

Supported Operating Systems: Windows 2000; Windows Server 2003; Windows XP; Windows XP Embedded

Requires the English Version of Windows XP Embedded with Service Pack 1. See the Windows XP Embedded System Requirements for details.

Top of page

Instructions

Important: This QFE requires Repository look-up may cause incorrect files to be copied (Q811279) be installed prior to this fix.

Download Q828750_XPE_SP2_x86_ENU.exe from this page.
Execute Q828750_XPE_SP2_x86_ENU.exe on a machine with the Windows XP Embedded with Service Pack 1 tools installed.

This package will automatically import updated and new .sld files into the current database specified in Component Database Manager. It will also copy new binaries into the Windows XP Embedded with Service Pack 1 QFE Repository folder.

Some of the .sld files may also require importing new repository objects. The new repositories will be created on the repository root holding the main Windows XP Embedded with Service Pack 1 repository. For information on moving repositories to other locations, see Moving a Repository in your Windows Embedded Studio documentation.

After importing this update into your database, add one of the following components to your configuration(s) if you wish to use this update: