Update rollup for POODLE attack against TLS security vulnerability in Windows Embedded CE 6.0 R3 (December 2015)

Issues that are fixed in this update

An update rollup is available for Windows Embedded CE 6.0 R3. This update rollup fixes the security issues that are described in the following article in the Microsoft Knowledge Base:
  • 2655992 MS12-049: Vulnerability in TLS could allow information disclosure: July 10, 2012

Additionally, this update rollup fixes the following issue:
  • Assume that you have a Windows Embedded CE 6.0 R3 device with web server support. When you use SSL test Labs tool to test security vulnerability, the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack against TLS security vulnerability is detected.

Resolution

Software update information

A supported software update is now available from Microsoft as Windows Embedded CE 6.0 Monthly Update December 2015. In the "Installer files" subsection of the "File information" section, the package file name contains the product version, the date, the Microsoft Knowledge Base article number, and the processor type. The package file name format is as follows:
Product version-yymmdd-kbnnnnnn-processor type
For example, Wincepb60-110128-kb2492159-armv4i.msi is the ARMV4i Windows Embedded CE 6.0 Platform Builder fix that is documented in Knowledge Base article 2492159 and that is contained in the January 2011 monthly update.

Note This Windows Embedded CE 6.0 monthly update is available for download from the following Microsoft Download Center website:

Prerequisites

This update is supported only if all previous updates for this product are installed.

Registry information

Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.


After you apply this update, to be safe from POODLE SSL 3.0 attacks, you have to disable the SSL 3.0 protocol as it's a protocol wide vulnerability and not specific to Microsoft specific implementation.

  • If the device is acting as a client, SSL 3.0 can be disabled as follows:
    1. In Internet Explorer Options, clear the Use SSL 3.0 check box on the Advanced tab. Then, exit and restart Internet Explorer for this change to take effect.
    2. Set the following registry settings on the client:
      Registry location: HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
      DWORD name: Enabled
      DWORD value: 0
  • If the device is acting as a server, SSL 3.0 can be disabled by setting the following registry key on the server:
    Registry location: HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    DWORD name: Enabled
    DWORD value: 0

Restart requirement

After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:
  • On the Build menu, click Clean Solution, and then click Build Solution.
  • On the Build menu, click Rebuild Solution.
You don't have to restart the computer after you apply this software update.

Update replacement information

This update doesn't replace any other updates.
File information

References

Learn about the terminology that Microsoft uses to describe software updates.
Properties

Article ID: 3032322 - Last Review: Jan 21, 2016 - Revision: 1

Windows Embedded CE 6.0 R3

Feedback