It has been reported that there are issues with upgrading to the August 2010 Security Updates on databases that have IE7 and WMP11 installed, and also have all other security updates installed.

Symptoms:

• After installing the August 2010 Security Update open a .slx file that has any of the following components in it-
  • “Primitive: vbscript.dll”
  • “Windows Media Format Runtime 11”
  • “Windows Media Player 11”
  • “Windows Media Player 6.4”
• Upgrade the configuration
• Check dependencies
• RESULT- you still get prompted to upgrade the components listed above.

This is caused by an issue with versioning the in components in the list. The August Security Update inadvertently overwrites the components with an incorrect version number which results in Target Designer being “confused” as to what version to apply to the configuration when upgrading.

Workaround:

• After installing the August 2010 Security Update, delete ALL instances of the components in the list above. To do this:
  • Open Database in Exclusive mode (no other Windows Embedded tools open or user connected to the database)
  • In Database Manager go to the Components tab, select each component and choose the “Delete” button
• Re-install the June 2010 Security Updates

NOTE that this issue only occurs with the updates located in the following folder of the August 2010 Security Updates .img file -
WindowsEmbeddedStandard09_IE7WMP11 or WindowsXPEmbedded_SP3IE7WMP11.

The correct version of the components will now be in the database and the database will be up to date with the latest security updates for all components. We will implement the correct version of the components in the list in our September security update .img file.

 - Lynda

If you are using WEDU (Window Embedded Developer Update), you will not see any updates on Windows Embedded Standard 7 currently. That is because all Standard 7 updates are temporarily being turned off by Microsoft Update.

[Updated: 9/21/2010, 9:45PM PDT]

However the updates are still available through our other regular channels, e.g. ECE and MOO. The updates being turned off are for developers only. They are the so called "Developer Updates". Updates to devices that are built on Windows Embedded Standard 7, aka "Device Updates", are not affected as Windows Updates are available as usual.

This temporary outage of the developer updates is due to an issue Microsoft Update found earlier this week. Microsoft Update team has been actively investigating and hasn’t confirmed if the updates from us caused the problem. Once we receive more info, we’ll let you know. We are sorry for the inconvenience.

If you have any feedback (such as the impact to your business or your customer’s business), please feel free to share with us here or email us. Thank you.

Weijuan

Microsoft .NET Framework 3.5 SP1 for Windows® XP Embedded Service Pack 3 is now available on the ECE. This update should not be used with any other operating system.

On March 25, 2010 Microsoft announced a revised policy around support for .Net framework 3.5 SP1. With that change the support for .Net Framework 3.0 and 3.5 ends on April 12, 2011 - customers are strongly recommended to migrate to .Net Framework 3.5 SP1 before that date.

To maintain support for embedded customers after the end-of-life for existing components, the Windows Embedded support policy has been changed to allow .Net Framework 3.5 SP1 support for Windows XP Embedded SP3 and Windows Embedded for Point of Service 1.1 SP3.

Additional Information:

The .NET Framework is Microsoft's comprehensive and consistent programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.

.NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features building incrementally upon .NET Framework 2.0, 3.0, 3.5, and includes cumulative servicing updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents.
.NET Framework 3.5 Service Pack 1 for Windows Embedded Standard 2009 is a setup component that includes the .NET Framework 3.5 Service Pack 1 installer and its required dependencies.

- Lynda

The September 2010 Security Updates are now available on the ECE site for Windows® Embedded Standard 2009 and/or Microsoft® Windows® XP Embedded with Service Pack 2, Feature Pack 2007, Update Rollup 1.0 and Service Pack 3.

This security update can be applied directly to runtime images.

The September Security Updates include:

• KB981322 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
• KB982802 Vulnerability in Remote Procedure Call Could Allow Remote Code Execution
• KB2121546 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
• KB2259922 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
• KB2290570 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
• KB2347290  Vulnerability in Print Spooler Service Could Allow Remote Code Execution 
• KB975558 Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution
• KB2124261 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution

This update also includes a re-release of the componentized August Security Updates for the XP Embedded SP3 with IE7WMP11 and Windows Embedded Standard 2009 with IE7WMP11, to fix an issue with upgrading .slx files when the original August Security Updates were included in the database.

The file name is appended with "-v2" to indicate the file is a re-release of the original updates. The revised updates, once applied to the XP Embedded SP3 IE7WMP11 or Windows Embedded Standard 2009 database will override the original August Security Updates shipped in August.

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

Thanks,

- Lynda

Technorati Tags: XPe,Standard 2009

Sami, the fearless Test engineer on the Windows Embedded Standard 7 team who authored this blog article about using Import Package has also created a screen cast on the same topic. The video focuses on using Import Package in ICE and also through commands in a command prompt.

Check it out here! 

- Lynda

View Video
Format: ???
Duration: --:--

Since we launched the Windows Embedded Standard 7 Compatible Applications website a couple of months ago, we have received very positive feedback from the community and customers. Thank you for the support! Meanwhile, we have been diligently evaluating customer requests, embedded technology trends, and business needs to prioritize what applications we should be looking into next and delivering the templates for those applications.

I’m happy to announce that today our first 3rd-party template is being hosted on a dedicated website by the 3rd-party, and is now available for download!

Foxit Software has been working closely with us over the last a couple months to learn about Windows Embedded, dependency analysis, and template creation.  Because of their efforts and ours, you can now download a template for Foxit Reader, a lightweight PDF reader.  This template can be placed in your distribution share, and merged with answer files in ICE, and it will bring in all the prerequisite packages to ensure that Foxit Reader works on your target device. The link to their download site is available on our Compatible Applications website.

In their own words, Foxit talks about their experience:  “We enjoyed working with the Microsoft team on this project and we look forward to working with Microsoft on other projects to strengthen our PDF software offering.”

If you wish for your company to take part in this program, create a template for your application and host the template download site, please contact us by emailing wesatt@microsoft.com. We look forward to hearing more ideas on how to enrich the embedded community and the whole ecosystem.

Weijuan

The October 2010 Security Updates are now available on the ECE site for Windows® Embedded Standard 2009 and/or Microsoft® Windows® XP Embedded with Service Pack 2, Feature Pack 2007, Update Rollup 1.0 and Service Pack 3.

This security update can be applied to the database.

The October Security Updates include:

• KB 979687 Vulnerability in COM validation in Windows Shell and Wordpad could allow remote code execution
• KB 981957 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
• KB 982132 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
• KB 2279986 Vulnerability in the OpenType Font Format (OTF) Driver Could Allow Elevation of Privilege
• KB 2296011 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
• KB 2360131 Cumulative Security Update for Internet Explorer
• KB 2360937 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege
• KB 2378111 Vulnerability in Windows Media Player Could Allow Remote Code Execution
• KB 2387149 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution
• KB 2158563 September 2010 cumulative time zone update for Windows operating systems
• KB 2418042 Vulnerability in ASP.NET Could Allow Information Disclosure. This KB solution is comprised of the following KB update packages: KB2416472, KB2416473 and KB2418240.

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

Thanks,

- Lynda

Technorati Tags: XPe,Standard 2009

Application templates for both Microsoft .NET Framework 4 and .NET Framework 4 Client Profile, for use with Windows Embedded Standard 7, are now available on the Windows Embedded Standard 7 Compatible Applications website.

You use templates with ICE. You can download a template from the Web site and use the XML Merge functionality in ICE to combine the application template with your existing answer file. This creates a new answer file that includes everything in your original answer file, plus any additional component and feature package information that is required to support that application. You can also use the template without merging it with another template, by resolving all its dependencies, and turning it into an answer file. For more info see the video in this blog post.

The .NET Framework is Microsoft's comprehensive and consistent programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes. The .NET Framework 4 works side by side with older Framework versions.

The Microsoft .NET Framework 4 Client Profile provides a subset of features from the .NET Framework 4. The Client Profile is designed to run client applications and to enable the fastest possible deployment for Windows Presentation Foundation (WPF) and Windows Forms technology. Application developers who require features that are not included in the Client Profile should target the full .NET Framework 4 instead of the Client Profile.

You can get the .NET Framework 4 redistributable bits to install on the runtime image from the ECE site.

Note that the bits for Silverlight 3 are also now available on the ECE site.

- Lynda

Are you a good developer who has a passion on quality and interested in working for the Windows Embedded Team? We have positions available for Developers in Test for the following teams:

- Componentization

- Embedded Enabling Features

- Connected TV

- POSReady

If you think have any interest, let's talk. E-mail us at ewjobs@microsoft.com.

What's this about?

We’re hiring Software Development Engineers for the Test team (aka SDETs) and we’re looking for candidates with these traits:

• Great coding skills
• You get things done
• Passion for quality in your own code and in other's code
• You have an unquenchable thirst for knowledge in technology and science. You may be just as interested in Black Hole theory and nano-tech as you are in the latest release of .Net Framework.

Really, that's pretty generic isn't it? I'm not asking for specifics in C# or C++ or Win32 or Windows Internals or a Masters degree, etc...

That's because these are things that can be learned...and we're patient. We’re patient because we’re building the team for the long haul. Do not assume there are constraints to your success.

Examples -

Re-read that first bullet up above. So if you've been a pure Java dev for the last 5 years and think you wouldn't make a good candidate because you hear everyone and their grandmother at Microsoft is coding in C, C++, C# then you might be wrong.

What matters is that your code is clean, reusable, high quality and that you're already comfortable with OOP. Hey, guess what? You met the bar for the first bullet! :-)

Again, it's the core developer competencies, passion for quality, getting stuff done and a thirst to know more that we mostly look for first in a candidate. Oh, you need to show that you have the ability to adapt and grow new skills of course since we're not just hiring to fill positions now but hiring for the future of the team.

Again, do not assume you have constraints to be successful and happy as an SDET on our team.

If you're familiar with the Embedded Windows platform we've delivered before then our team owns everything in that platform. If you're not aware of what comprises our product and its scope, here's our product team's portal, try this video introduction to the product:

Showcasing Windows Embedded Standard 7

Software Developer in Test, what is this?

Sure you can train almost any smart person to code, sometimes to even code well. Voila, you're now a programmer/coder/developer!

But what if the software you're shipping is delivered to millions of devices or PCs. Or what if the code was going to reside on a banking system or medical device? Being able to code or even code well just isn't good enough anymore when you think of it in those terms. This has been proven over the years especially seen in the terrible Customer Partner Experiences in Microsoft software in the 90's, so today quality software is a requirement of product teams.

Around 2000 or 2001 there was a shift within Microsoft with regards to how we validate the quality of the software that is shipping, in that we now staff the Test teams mostly with Developers. These SDETs work hand in hand with their feature peers in the Developer and Program Management teams to ensure that quality is being built into the product from day one and that every step of the way throughout the product cycle quality is considered and validated.

So now you're probably asking...

'As an SDET, how do you validate that quality'?

Good question.

Part of the answer is through delivering our own software internally to exercise, monitor and attack the developer’s code as well as mimic as much of the customer scenarios as possible. What the SDETs can't test programmatically, like some of the end to end user scenarios, we'll have manual testers validate (most of this can be sourced out to our own lab or a remote lab).

So you can essentially look at the Microsoft Test teams as peer developers to the dev team, reviewing their design and code then making recommended changes to ensure it is meeting the customer's needs and is testable, then delivering on that test automation needed to exercise the dev's code.

Unlike the development team which a lot of times have boundaries placed around them with regards to how and what they deliver as their feature, you as an SDET have few boundaries! In fact you generally have quite a lot of freedom to design your test software.

To deliver on this encompasses all three of those bullets at the top:

• You need a passion for quality not just in your own code but ensuring that your peer dev is doing the right thing
• You need great coding skills so that you can recognize faults in other's code but can also deliver your own high quality / re-usable test code. You are representing the customer when you're in the code review meeting with your peers, it's your responsibility to ensure the dev is doing the right thing for the customer and their scenarios. If you're a sloppy coder you'll likely miss things that are not discovered until a customer has assembled the 'perfect storm' of software and hardware configuration that exposes a heinous bug. Having developers on the Test team deep dive into the feature code is a 'must have' for our team to be successful.
• If you're on the Test team and you're not passionate about software or afraid to ask questions about how and why methods are implemented in the code to ensure the right thing was done, then this is the wrong discipline for you.

One of the resources listed below is 'The Braidy Tester', here's a great quote of his from the article “Hallmarks of a Great SDET”:

A great SDET constantly invents new tools that help them find bugs.  A great SDET sees a tool in every task they contemplate.  A great SDET's driving force is writing code that breaks other code.

"Software Development Engineer in Test" doesn't tell the entire story.  A great SDET is more than a great tester who happens to also be a great developer (or vice versa).  A great SDET combines their deep knowledge of how applications are written with their deep knowledge of where bugs lurk and how to find them to create tools that help testers find more bugs and help developer write fewer bugs.

If you're interested in more details on the discipline in general here are some great resources:

• The Braidy Tester
• MS JobsBlog on the SDET discipline
• Steve Rowe's 'Three reasons to consider being a Test Developer'

- Embedded Windows Test Leads

The Microsoft All-In-One Code Framework is a free service offered by the Microsoft Community team in order to assist developers by providing sample code to tackle common problems for all Microsoft Development technologies.   We think this would be a useful service to leverage for our Embedded Developer community as well.   Here are some more details about the project from the owners of the project:

Introduction

The Microsoft All-In-One Code Framework is a free, centralized code sample library provided by the Microsoft Community team. Our goal is to provide typical code samples for all Microsoft development technologies (including Silverlight).

What do we do?

My team listens to developers’ pains in MSDN/Silverlight/ASP.NET forums, social media and various developer communities. We write code samples based on developers’ frequently asked programming tasks, and allow developers to download them with a short code sample publishing cycle. Additionally, our team offers an innovated free code sample request service. The reason why this service was created was to provide personalized and connected services to the developer community. This is a new way to listen to our customer needs and reduces the amount of effort needed for developers to complete their work.

- Punit

*Updated 11/29/10 - removed sentence about images created with Terminal Server that was incorrect*

A customer reported that Windows Movie Maker is not correctly displaying a storyboard in the player. To reproduce this behavior, drag and drop pictures to create a storyboard. There is no Preview, and when Saving there is an error.

This is because the incorrect registry data from an earlier version of Windows Movie Maker is being written in XP Embedded and Standard 2009 runtime images. The workaround to correct this is to copy moviemk.inf from the XPe SP2 repository {67C85615-B0C5-42EA-8B8A-E8AB47DB2B1D} to the runtime , then right click the inf to 'install' the contents.

- Lynda

Technorati Tags: XPe,Standard 2009

The November 2010 Optional Updates are now available on the ECE site for Windows® Embedded Standard 2009 and/or Microsoft® Windows® XP Embedded with Service Pack 2, Feature Pack 2007, Update Rollup 1.0 and Service Pack 3.

The November Optional Updates include:

• KB 2393904- this fixes three issues:

  • Using File Based Write Filter, a protected volume may show duplicate entries for files and/or directories under certain situations.

  • Using File Based Write Filter, data may not fully flush immediately after performing a ‘commit’ command (i.e. after FbwfCommitFile API call returns).

  • Standardized the return codes from the FBWFMGR utility. The application should now return 0 on successful execution and 1 on a failure.

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

Thanks,

- Lynda

Technorati Tags: XPe,Standard 2009

Silverlight 4 is now available on the ECE site for both Windows Embedded Standard 2009 and Windows Embedded Standard 7.

Silverlight is a powerful development platform for creating engaging, interactive user experiences for Web, desktop, and mobile applications when online or offline. Silverlight is a free plug-in, powered by the .NET framework and compatible with multiple browsers, devices and operating systems, bringing a new level of interactivity wherever the Web works.

For Standard 7 you can grab the feature from this ECE link- Microsoft Silverlight 4 for Windows Embedded Standard 7. This feature is for use with the Windows Embedded Standard 7 compatible application templates at http://www.microsoft.com/windowsembedded/en-us/products/westandard/applications.mspx. 

For Standard 2009, Silverlight 4 is the only out-of-band feature in the November 2010 Feature Update for Windows Embedded Standard 2009.

- Lynda

We’re pleased to announce that a Technical Preview of Windows Embedded Standard 7 Service Pack 1 is now available for download at https://connect.microsoft.com/windowsembedded/ . This download delivers all the updates and notable changes in Windows 7 SP1 to Windows Embedded Standard 7, including RemoteFX, with an expected RTM/General Availability in Q1, CY11.

A Service Pack already?

You may be wondering why we are releasing a service pack so soon after the release of Windows Embedded Standard 7. The answer is that, because Windows Embedded Standard 7 is based on Windows 7, we wanted to make the service pack functionality of Windows 7 SP1 available to our customers as quickly as possible.

So What’s in SP1?

Service Pack 1 for Windows Embedded Standard 7, has two components:

Windows 7 SP1 updates
All the updates in Windows 7 SP1 are included in Windows Embedded Standard 7 SP1. A description of the updates can be found at http://technet.microsoft.com/en-us/library/ff817622(WS.10).aspx
This includes RemoteFX – RemoteFX is a set of RDP technologies,  most prominently graphics virtualization and the use of advanced codes, that are being added to Windows SP1 and Windows Server 2008 R2 Service Pack 1. For more information, please visit http://www.microsoft.com/windowsserver2008/en/us/rds-remotefx.aspx

The updates in Windows 7 SP1 include RemoteFX for remote desktop, enabling users to access a rich graphics experience directly from the server.

Windows Embedded Standard 7 SP1 updates

There are several fixes in service pack one and two notable enhancements:

1. PMQ Mapping to Out of Box Drivers. This allows drivers in the out of box drivers folder of the distribution share to be picked up automatically during installation in the same way as in box drivers.
2. SKU Compliance Packages. We received feedback that customers were unsure if they were complying with all the functionality of a particular SKU of the product. For SP1 there are three new packages included in SP1 that can be included when building an image that will only enable the functionality appropriate for the selected SKU. This gives customers confidence that they are complying with the requirements of the SKU. Details on the available SKUs for Windows Embedded Standard 7 are at http://www.microsoft.com/windowsembedded/en-us/products/westandard/component-library.mspx

How do I upgraded to SP1?
There are two ways to upgrade to SP1 for Windows Embedded Standard 7:

• Windows Embedded Standard 7 Toolkit for SP1.
  The set of three ISO files available for download provide an updated toolkit and allow you to build an image that includes all the SP1 updates, and IBW disks that can be used to install SP1 from scratch on target hardware. SP1 Distribution Shares are installed as part of the toolkit ISO and will be added to any existing RTM distribution shares on the development machine.
• SP1 Update CAB
  For existing devices with a Windows Embedded Standard 7 image SP1 .cab files are available that can be applied online to the image using DISM. The update cabs are available for both x86 and x64 architectures and will update the functionality and features already included in the image with SP1 updates. For example, the RemoteFX functionality will only be provided as part of the update if the image includes the Remote Desktop functionality as RemoteFX is an update to Remote Desktop.

How to Provide Feedback

We’d really appreciate feedback on the Technical Preview release of Service Pack 1 for Windows Embedded Standard 7 to enable us to address critical issues in time for the final release of this Service pack. There are two ways to provide feedback:

• Bugs and Specific Issues.
  If you have a specific issue please file a bug report through the Microsoft Connect site at https://connect.microsoft.com/windowsembedded/
• Forums
  We welcome discussion and general feedback on this product. Please use the forum on MSDN at http://social.msdn.microsoft.com/Forums/en-US/quebecmisc/threads and put “SP1” in the subject line.

The team here is very excited to bring you this preview and we look forward to your feedback, both positive and negative!

Thanks,

- Dave

The December 2010 Security Updates are now available on the ECE site for Windows® Embedded Standard 2009 and/or Microsoft® Windows® XP Embedded with Service Pack 2, Feature Pack 2007, Update Rollup 1.0 and Service Pack 3.

The December Security Updates include:

• KB2296199 - Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution
• KB2416400 - Cumulative Security Update for Internet Explorer
• KB2423089 - Vulnerability in Windows Address Book Could Allow Remote Code Execution
• KB2436673 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
• KB2440591 - Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege
• KB2443105 - Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution
• KB2443685 - December DST Cumulative Update

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

Thanks,

- Lynda

Technorati Tags: XPe,Standard 2009

Windows Embedded Standard is a componentized form of Windows that enables the power of Windows to be adopted on embedded devices. The Windows Embedded Standard toolkit allows embedded developers to create custom images of Windows that are tailored to their needs. With these needs, the quality expectations of the toolkit and the customized images are t presented, and embedded developers using this product anticipate that it will be of high quality standards that meet the needs of their own customers. That’s why enforcing software product quality is taken to be a top priority for the Windows Embedded Standard’s development team. At this team, we follow the same standards and processes that the majority of the teams follow at Microsoft when developing their products, and this document will give a summary of some the main test areas that our product undergoes before releasing.

Test Area Guidelines

In talking about software quality assurance, you can find that many software testing areas exist. Some are functional while others are non-functional, and some examples of the non-functional areas would be the ones which are referred to as the “ilities” by the authors of the book “How We Test Software At Microsoft”, Alan Page, Ken Johnston and BJ Rollison (a few examples are dependability, reusability, testability ….). In the following sections, we present areas of software testing and briefly discuss it while giving pointers to where you can find more information on the topic. These guidelines are heavily used by the Windows Embedded Standard development team, and we recommend that they be followed accordingly and whenever possible by software development teams.

1.1. Accessibility

Accessibility is what empowers users to take full potential of their systems, and for some individuals is what makes the use of a computer possible. Microsoft has been a strong advocate of accessibility, and this is reflected in the vast support that Windows, and other products like office, have provided over the years.

Section 508 of the Rehabilitation Act was enacted to support the idea of having information technology available for people with disabilities, and to encourage the use of new technologies to accomplish this goal. To have a better idea on how Microsoft products addresses accessibility requirements from the Section 508 Standards, you can check out the Voluntary Product Accessibility Template (VPAT) which is a standardized form that shows how a product meet these standard regulations. Microsoft products VPATs are openly shared and can be found at: http://www.microsoft.com/industry/government/products/section508.aspx. Other regulations may apply depending on the product that is to be developed. For example, Section 255 of the Communications Act represents the “Telecommunication Access For People With Disabilities” regulation and should be also taken into consideration when designing a related product.

Although some regulations mandate that data be accessible by people with disabilities, usability is not. However, the general applications in industry shows that usability has become a best practice followed by many developers and tech companies. More information around accessibility can be found at Microsoft’s Accessibility website, and at the Microsoft Accessibility Developer Center.

1.2. Intellectual Property

Protecting intellectual property as well as avoiding related lawsuits is another issue that is to be considered when releasing software. Software patents, with their respective geographies, should be carefully considered by specialized individuals to make sure that the software product to be released is protected and that it doesn’t violate any existing intellectual property that might be owned by a different entity. License term documents provide a way to inform the user on what certain rights, restrictions, and obligations exist in using the software product. While different types of these documents exist, the choice of what type depends on the software product itself.

1.3. Security

Computer security has evolved to become one of the mostly written about topics in the computer software industry. Today, a lot of books can be found that talk about the processes that should be followed to ensure that a software product doesn’t compromise the security of a system that it is installed on. Since the early 1970s, malware such as “Creeper” and “Rabbit” were among the first to find their ways into many computers which led some computer developers to find ways to track and remove the malicious software. “Reaper”, which differed a lot from the antiviruses that exist today, was developed for the sole purpose of tracking and eliminating the “Creeper” worm. Today, both malware and anti-virus software have become so complex in their exploits and algorithms.

Software development cycles have progressed to include accountability for software security as early as in their planning and design phases. Software vulnerabilities range from buffer overflows to code injections and it is highly recommended that software developers are trained to write a more secure code. A simple input validation test might, for example, prevent a buffer overflow attack on a certain code block. Guidelines on how to write secure software, which may be language specific or not, widely exist and they should be followed by software developers to ensure that their code has a relatively high security level. An example guideline is the “Security Guidelines: ASP.NET 2.0” which can be found on Microsoft’s MSDN web site. A more general process guideline which Microsoft has, and which most of the other guidelines stem from, is called the “Security Development Lifecycle” (SDL). The SDL guideline, or a somewhat similar one, is highly recommended and is commonly adopted by many software developers and companies.

One commonly used process in software security is called “Threat Modeling”. The main purpose of this process is to identify software security risks and to and prioritize them according to their impact on the quality of the software product. Writing a secure software product is not an easy process, and what threat modeling does is that it provides the developers with a systematic way to identify the attack surfaces and to account for any risky and costly areas in the code they’re writing. Many approaches of threat modeling are out there. Attacker-centric, software-centric, and asset-centric are few examples on how this modeling process can be done depending on the product being developed, and it’s the development entity’s choice on which approach or combination of approaches to use when designing for security. A good book on this topic is a Microsoft Press book called “Threat Modeling” and is written by Frank Swiderski and Window Snyder.

Fuzz testing is yet one of the used techniques in software security testing. This semi-random testing technique tests how the code reacts to different randomly generated inputs. Examples of inputs would be negative numbers, unexpected data, or even data that might exceed the expect buffer sizes. Although this type of testing has a disadvantage that it randomly selects different data to pass to the code, it usually can detect a lot of bugs that are related to areas such as memory leaks and security threats.

1.4. Privacy

If you’re thinking that privacy assurance is a part of security testing then you are right! However, we , the writers, felt the urge for it to have a special attention in this document emphasizing the fact that privacy has grown to become a significant entity in releasing software. In the past decade, more and more online services have emerged which in their essence focus on the user with respect to personal information and preferences. With this rise in online services comes the significance of user privacy. Critical users’ information has unwantedly been acquired by hackers which have caused legal and business implications. Luckily, Microsoft publishes privacy guidelines which are part of the SDL. It is highly recommended that these guidelines are followed so that the legal risks are diminished and the end-user trust is increased. For example, if a software product or a service gathers user data, then a legal notice should explain to the user what data is being collected and the reasons behind it. Customer’s consent is one of the basic requirements in this case.

1.5. Geopolitical

With the Internet breakthrough, a software that has been developed anywhere in the world may be instantly accessible by any internet connected user around the world. Users with different languages and different cultures may end up using the same product and some phrases or words that might be non-offensive in one part of the world, may turn out to be very offensive in some other parts. When releasing software, it is critical that a scan is done on the included data to ensure that any wording cannot be mistakenly comprehended as offensive. Many software companies which develop their software in different languages do have advisors who are local to the area in which the software is to be published. Checking for sensitive data before releasing a software product helps in building a trustworthy image, lowering legal implications and even product bans and boycotts.

Sensitive data is not limited to offensive material (which might include phases, terms, icons, flags, etc. … ) only, some other types of data like credit card numbers, social security numbers, or even any internal company information that shouldn’t be disclosed to the outside world should be scanned for. There are some tools out there that can be used for the purpose of sensitive-data scanning, and most of them have special term database that they compare the data against and try to flag any suspicious data. A lot of false positives may be generated from such tools; however, some of them do have the ability to adapt and learn from their users which helps in minimizing the false positives numbers. A huge advantage of using such tools is the speed at which such tools can scan. An example of such tools is “Spider” which is an open-source tool that is developed by Cornell University.

1.6. Software Integrity

A wide range of technologies can be used to achieve software integrity in the product. As a first step towards that goal, it is the software development entity’s responsibility to ensure that the software is virus and malware free. Specialized 3^rd party companies have come up with some of the best tools known for capturing any suspicious virus or malware that might be embedded into a software product, and using such tools provides more confidence that the product is safe. Another issue that comes to mind when talking about software integrity is the authentication. With the help of code signing and certificate generation, a software entity can provide a level of trust for its users worldwide. Microsoft provides the tools and guidelines on how to use code signing in a software product.

1.7. Powerful Tools

Many of the tools needed to accomplish the tasks described above are available as part of the Windows SDK, DDK or Visual Studio product suite, and below we describe a few of them.

Beginning with Visual Studio 2005, the compiler would issue C4996 warnings if any C runtime library functions were used that were known to be vulernable to buffer overruns (i.e. “banned” APIs). By strategically inserting a “#pragma warning (error: C4996)” in your header files, see below, you can pretty much guarantee that none of these functions are accidentally used in your code.

#include "stdafx.h"

#include "string.h"

#pragma warning (error : 4996)

int _tmain(int argc, _TCHAR* argv[])

{

char a[] = "A String";

char b[256];

strcpy(b, a);

return 0;

}

The compiler also allows for runtime buffer security checking with the “/GS” compiler switch. This can also be set via the UI on the project properties page (Code Generation).

Another example is that the “enterprise” versions of the C++ compiler support the “/analyze” switch. This switch enables the “PREFast” C++ code analyzer. For managed code applications, the FxCopy tool provides a similar functionality.

Conclusion

Meeting the customer’s needs in any software product is a big challenge. While different software products may have different set of quality requirements, having a set of standardized guidelines represents one of the key main points in tackling the problem of enforcing software quality. As it is said, “quality is never an accident” and attaining a high level of it can’t be successfully done without good execution strategy which goes alongside good planning.

-Sami, Jim and Jeff

We’re excited to announce the release of another PowerToy to aid in Windows Embedded Standard 7 development: CBS Package Inspector.  CBS Package Inspector allows for the opening up and inspecting of CBS (Component-Based Servicing) packages, so the manifests can be viewed or examined as needed.  Information contained in these manifests include the components inside the package(s), as well as any registry keys, dependencies, or settings, among other pieces of information.  So what does that mean?  Why would this be useful?  Here are some scenarios that CBS Package Inspector has been quite useful for us:

1. Expanding a QFE (hotfix) package released by Microsoft to see its contents.  It cannot be opened like a zip or rar file because it is compressed in a different manner.
2. Provides a consolidated and single view of what files and registry keys are inside one package, something that could previously only be easily done at component level.
3. For packages that contain other packages, this may not always be detected by tools.  CBS Package Inspector allows you to go through each and every package.

To learn more about CBS Package Inspector and to download and use it, please visit the Package Inspector Code Gallery page.

If you’re interested in our previous PowerToy, Package Mapper, please visit this page.

- JT

Happy New Year!

I’d like to take a moment of your time to reflect on the previous year and look ahead to the next year.

By far the biggest thing coming from the Windows Embedded Standard team was the release of Windows Embedded Standard 7.

After several years of development the product group released what is tracking to be our most popular version of the Standard platform yet. No doubt its popularity is partially related to the fact it’s based on Windows 7 technologies, Windows 7 OS is very popular today and we’re benefiting by making it available to you as part of our platform. There are some other, non-intuitive reasons for its success

We made a few bets that turned out to be right on like Imaged Based Wizard (IBW). I’ve talked to a lot of partners in the latter half of the year including at the EMEA Windows Embedded Channel & Partner Summit at Prague. The feedback around IBW has been very positive, so it’s good to see something new in our Developer story really pay off.

Other reasons for the platform’s success are the quality is better than any other embedded platform we’ve shipped based on Windows Client, it also appears we’re hitting close to the sweet spot in granularity of components vs. complexity created by too many components: WES7 has ~150 components vs. WES2009 which has ~10k components.

Not everything was perfect in WES7, there were some things we implemented in Standard 7 where we are receiving a lot of good, constructive feedback to further improve on for future releases. For instance, for the first time in our platform we implemented a tiered  sku’ing method (e.g., WS7C sku, WS7P sku, WS7E sku), it appears we could do a little better in preparing and educating our partners as well as in our implementation of the tiers.

Besides shipping Standard 7, we also released quite a few other features for our new and older platforms like XP Embedded and Standard 2009. For instance, the updated version of Silverlight and the new Remote Desktop Connection 7, or Powershell 2.0 and Web Services on Devices.  Then there was the release of Windows Embedded Developer Update (WEDU) to improve the developer experiences with our platform.

As you can see, the overall focus for our group in 2010 was to ship a high quality embedded platform based on Windows 7 and also continue to keep the previous platforms fresh since we know some of you will continue to develop on Standard 2009.

For 2011 we have more exciting things going on like Service Pack1 for WES7. And then there’s the Consumer Media Devices sku which was recently shown at CES to a lot of positive feedback with lots of demos from partners showcasing their Televisions and Set Top Boxes on our platform. And the next version of PosReady based on Windows 7 features was announced this week at the NRF convention, you can download POSReady 7 community build and try it out yourself.

There’s lots more happening in the team beyond that but we’ll have to keep our lips sealed until we’re ready to discuss plans around vNext, we think you’ll be pleasantly surprised.

In the meantime please do communicate with us in the Forums and here on the blog, we welcome constructive feedback. We hope you have a healthy and productive and prosperous year.

- Andy

* Updated 1/27/11 - This KB solution is comprised of the following KB update package: KB2419632.*

The January 2011 Security Updates are now available on the ECE site for Windows® Embedded Standard 2009 and/or Microsoft® Windows® XP Embedded with Service Pack 2, Feature Pack 2007, Update Rollup 1.0 and Service Pack 3.

The January Security Updates include:

• KB2451910 - Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution

This update can be applied to runtime images and will be componentized in next month’s security release. This release also includes the cumulative componentized updates from December 2010.

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

Thanks,

- Lynda

Technorati Tags: XPe,Standard 2009

The January 2011 Optional Updates are now available on the ECE site for Windows® Embedded Standard 2009 and/or Microsoft® Windows® XP Embedded with Service Pack 2, Feature Pack 2007, Update Rollup 1.0 and Service Pack 3.

The January Optional Updates include:

• KB2393911 – This update fixes the following issue

  • Using Enhanced Write Filter, a bugcheck may occur when the command is used with EWF RAM mode (or RAMREG mode) and EWF optimization is set to non-default values.

• KB2487305 – This update fixes the following issue

  • Registry Filter may not start successfully due to timing issues affecting the availability of its ramdisk volume on an Embedded system.

These updates can be applied to the component database.

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

Thanks,

- Lynda

Technorati Tags: XPe,Standard 2009