An update that introduces the Media Transfer Protocol (MTP) Responder component for Windows Embedded CE 6.0 R3 is available. This component does not support media synchronization. However, it provides basic MTP functionality for devices. This enables the devices to be compatible with the Device Stage feature in Windows 7.
When the device connects to a computer that is running Windows 7 through USB or TCP/IP, the MTP Responder component improves the user experience. The MTP Responder component includes storage for MTP files and folders on a Windows Embedded CE 6.0 R3-based device. This enables the user to browse and manage files on the device in addition to transferring files between the device and the computer.
By using an MTP extension, the user can change and extend the MTP Responder component to support additional commands, operations, properties, and object formats. These additions are not included with the MTP specification.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
This update is supported only if all previously issued updates for this product have also been installed.
After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:
On the Build menu, click Clean, and then click Build Platform.
On the Build menu, click Rebuild Platform.
You do not have to restart the computer after you apply this software update.
Update replacement information
This update does not replace any other updates.
The English version of this software update package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The update adds the following registry keys in Windows Embedded CE 6.0 R3:
As an OEM developer, you must understand the following potential security threats when you create devices that use the MTP Responder component. To prevent these threats, check the recommendations at the end of each paragraph.
Information disclosure threat
Users should be warned not to store Personally Identifiable Information (PII) on their device. An attacker may use the IP network to copy the information from the device without the user’s acknowledgement. To help protect device users, we recommend that you include a warning in the user documentation stating that users should not store PII on a device.
There is no trust relationship between a device that works as an MTP Responder and the MTP Initiator that is connected to this device. This could lead to a spoofing attack on the device. For example, an MTP Initiator could identify itself as a common default name for a home network, such as 'linksys'. Meanwhile, the network can be used to obtain sensitive data from the device. The network can also be taken over to start a denial of service attack on another computer. To help reduce this risk, we recommend that you include a warning in the user documentation that resembles the following statement:
Make sure that your home network is password protected and only connect your device to public networks that are trusted.
Closed box assumption
If you ship a closed box solution for a device that uses MTP, MTP initiators can still copy data on and off the device. In order to help reduce the security risk of copying malware to the device, you should implement code signing. Code signing makes sure that only trusted code runs on the device. For more information about code signing, visit the following Microsoft Developer Network (MSDN) Web site:
Note: A closed box solution does not allow third-party applications or modules to be loaded on the system.
MTP over IP
By default, MTP over IP is enabled. This means that MTP Initiators can connect to a device that uses MTP. However, this makes MTP over IP sessions vulnerable to security threats such as spoofing, information disclosure, and denial of service. To help prevent these security threats, we recommend that you create a mechanism that lets the user accept each MTP over IP session. Or, you can create a mechanism that lets the user keep IP connections off until the user wants to connect. For more information about the MTP Device Services Extension specification, download the file from the following Microsoft Web site:
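The following added example (not Microsoft code and not part of the MTP Responder component) shows one way to combine the two recommended mechanisms: IP connections stay off until the user turns them on, and each MTP over IP session then requires the user's acceptance. All names (mtpip_gate, gate_on_session, and so on), the time-limited enable window, the per-window prompt limit, and the sample name and address are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical policy gate for MTP over IP; these names are illustrative
   and are not part of the MTP Responder component. */
typedef enum { GATE_IP_OFF, GATE_LIMIT, GATE_USER_DENIED, GATE_ACCEPT } gate_result;

/* Asks the person holding the device; returns true only on explicit accept. */
typedef bool (*consent_fn)(const char *claimed_name, const char *peer_addr);

typedef struct {
    time_t enabled_until;   /* 0 means the IP transport is off (default) */
    unsigned prompts_left;  /* bounds consent prompts per enable window */
    consent_fn ask_user;
} mtpip_gate;

void gate_init(mtpip_gate *g, consent_fn ask) {
    g->enabled_until = 0; g->prompts_left = 0; g->ask_user = ask;
}

/* Reached only from a local UI action, never from the network. */
void gate_user_enable(mtpip_gate *g, time_t now, int secs, unsigned max_prompts) {
    g->enabled_until = now + secs; g->prompts_left = max_prompts;
}

/* Decide on one incoming session. The initiator's claimed name is shown to
   the user but never used to skip the prompt, because it can be spoofed. */
gate_result gate_on_session(mtpip_gate *g, time_t now,
                            const char *claimed_name, const char *peer_addr) {
    if (g->enabled_until == 0 || now >= g->enabled_until) {
        g->enabled_until = 0;           /* window expired: back to off */
        return GATE_IP_OFF;
    }
    if (g->prompts_left == 0) return GATE_LIMIT;
    g->prompts_left--;
    if (!g->ask_user || !g->ask_user(claimed_name, peer_addr))
        return GATE_USER_DENIED;
    return GATE_ACCEPT;
}

/* Constructed stand-ins for the device's consent dialog. */
bool demo_user_accepts(const char *n, const char *a) { (void)n; (void)a; return true; }
bool demo_user_rejects(const char *n, const char *a) { (void)n; (void)a; return false; }

int main(void) {
    mtpip_gate g; gate_init(&g, demo_user_accepts);
    printf("%d\n", gate_on_session(&g, 1000, "linksys", "192.0.2.7"));
    gate_user_enable(&g, 1000, 60, 2);
    printf("%d\n", gate_on_session(&g, 1010, "linksys", "192.0.2.7"));
    return 0;
}
```

On a real device, the consent callback would display both the claimed initiator name and the peer address, and the transport listener would only be opened while the enable window is active.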