Security firm Airscanner has disclosed details of two possible vulnerabilities in Spb Kiosk Engine, software used by enterprise customers to lock down Windows Mobile Pocket PC devices.
The Spb Kiosk Engine allows users to run custom applications in kiosk mode. In this mode, the target applications are the only ones that can be used on a specific Pocket PC device.
In one of the advisories, Airscanner warns that despite the lockdown it is still possible to launch other programs through 'features' of the permitted application (e.g. Pocket Word will launch a program via a hyperlink). In addition, storage-card autorun remains enabled, so anyone who can insert an SD or CF card can execute their own code on the device.
Administrators should disable autorun by placing a read-only autorun.exe file in the \Windows directory. Windows CE copies a card's autorun.exe to \Windows\autorun.exe before running it, and an existing read-only file at that path makes the copy fail, so the card's code never lands on the device. The placeholder must actually be marked read-only; a writable file is simply overwritten.
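The following added example (not Airscanner's or Spb's code) models the storage-card autorun flow described above against a scratch directory standing in for the device file system, then applies the read-only placeholder and shows the copy being refused. It assumes the documented Windows CE behaviour (card autorun.exe copied to \Windows\autorun.exe, then executed) and that the shell looks under a processor-id folder on the card; the folder name 2577 (ARM) and every path are assumptions for the simulation, and the payload bytes are a constructed sample.

```python
"""Model of the Windows CE storage-card autorun flow and the placeholder mitigation.

Added example; not Airscanner's or Spb's code. A scratch directory stands in for the
device. Assumed CE behaviour: on card insertion the shell looks for
<card>\<processor-id>\autorun.exe, copies it to \Windows\autorun.exe and runs it;
an existing read-only destination makes the copy fail, so nothing runs.
"""
import os
import shutil
import stat
import tempfile

# Assumption: CE keys the autorun folder on the processor id; 2577 is the ARM id.
PROCESSOR_ID = "2577"
AUTORUN = "autorun.exe"


def is_read_only(path: str) -> bool:
    """True if the file carries the read-only attribute (no write permission bits)."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def harden_windows_dir(windows_dir: str) -> str:
    """Drop an empty, read-only autorun.exe into \\Windows so the shell's copy cannot land."""
    placeholder = os.path.join(windows_dir, AUTORUN)
    if not os.path.exists(placeholder):
        open(placeholder, "wb").close()
    # S_IREAD alone clears every write bit; on Windows this sets FILE_ATTRIBUTE_READONLY.
    os.chmod(placeholder, stat.S_IREAD)
    return placeholder


def simulate_card_insert(card_dir: str, windows_dir: str) -> bool:
    """Mimic the CE shell. Returns True if the card's autorun.exe would be executed."""
    src = os.path.join(card_dir, PROCESSOR_ID, AUTORUN)
    if not os.path.isfile(src):
        return False                       # nothing on the card to run
    dst = os.path.join(windows_dir, AUTORUN)
    # CopyFile semantics: an existing read-only destination fails with ERROR_ACCESS_DENIED.
    if os.path.exists(dst) and is_read_only(dst):
        return False                       # copy refused, payload never reaches the device
    shutil.copyfile(src, dst)
    return True                            # the shell would now call autorun.exe "install"


def check_hardening(windows_dir: str) -> bool:
    """Audit check: the placeholder is present and read-only."""
    p = os.path.join(windows_dir, AUTORUN)
    return os.path.isfile(p) and is_read_only(p)


def demo() -> dict:
    """Insert the same card into an unhardened and a hardened device; return both outcomes."""
    root = tempfile.mkdtemp()
    card = os.path.join(root, "StorageCard")
    os.makedirs(os.path.join(card, PROCESSOR_ID))
    with open(os.path.join(card, PROCESSOR_ID, AUTORUN), "wb") as f:
        f.write(b"MZ attacker payload (constructed sample, not a real PE)")
    results = {}
    for label in ("unhardened", "hardened"):
        windows_dir = os.path.join(root, label, "Windows")
        os.makedirs(windows_dir)
        if label == "hardened":
            harden_windows_dir(windows_dir)
        results[label] = {
            "mitigated": check_hardening(windows_dir),
            "payload_runs": simulate_card_insert(card, windows_dir),
        }
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for device, outcome in demo().items():
        print(f"{device}: {outcome}")
```

`check_hardening` is the piece worth keeping around: run it against a device's \Windows directory (over ActiveSync or a file-explorer export) to confirm the placeholder exists and still carries the read-only attribute, since an attribute that has been cleared leaves the device as exposed as one with no placeholder at all.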
The second vulnerability concerns how the software stores the administrator's password on the device.