Access Violations on Windows CE are not Security Issues (if you’re Microsoft)
Time for the next installment in my enthralling series on ‘Watching Microsoft Patch Windows CE’ and remember kids:
There are currently no reported security vulnerabilities for Windows CE
In my previous entry on this subject [2] I covered up until February’s updates for Windows CE 5 (the base to Windows Mobile 5 and 6), so I’ll start logically with March’s [3]. Below is my commentary for each of the fixes I feel has a security impact.
• 070310_KB934175 – Numerous bugs in the .NET 2.0 Compact Framework; some of the exceptions / access violations occur in native code.
• 070320_KB933434 – Remote denial of service condition in RNDIS
• 070320_KB933680 – This issue discusses how Internet Explorer will crash when it receives a certain response from a web server. The update patches WININET.DLL – as we all know, a crash is a pretty good indication of something worth investigating which may yield arbitrary code execution.
Moving on to April [4]:
• 070418_KB935825 – An exception in MSHTML when viewing certain web sites
• 070430_KB936001 – In certain situations an access violation can occur when accessing a website over SSL. This update applies to WININET.DLL again.
Aside from this I had a quick peek at Windows CE (sorry, Embedded) 6. It’s not the base of any Windows Mobile family yet, but I thought I’d have a quick look anyway for comparison (I’m sooooo scientific I tell ya!). Anyway, this caught my eye in the March [5] update.
• 070320_KB933679 - This update addresses an error that may occur when handling some HTTP responces (sic). Anyway, if you follow the KB link you get more details: Windows Internet Explorer may crash when it receives a large string value for the Content-Type field on a Windows Embedded CE 6.0-based device. Now raise your hand if that sounds like a typical overflow… the affected component… WININET.DLL again!
In addition to this rash of potential vulnerabilities, I’m also aware of a number of other researchers ramping up their capability and interest in Windows CE/Mobile 5/6. I suspect it’ll be an interesting time for Microsoft when people start pumping out file format vulnerabilities akin to the desktop targeting Windows Mobile…
[1] Windows CE Critical Updates: http://msdn2.microsoft.com/en-us/embedded/aa714508.aspx
[2] The Elephant is Still Under the Carpet (err... I mean PDA)
[3] Windows CE 5.0 Update 070331_2007M03
[4] Windows CE 5.0 Update 070430_2007M04
[5] Windows Embedded CE 6.0 Update 070331_2007M03