Microsoft XML code vulnerable on many computers

A recent report from Secunia (PDF) highlights the unfortunate hole into which some versions of the Microsoft XML parser library have fallen.

Numerous versions of this library are available for Windows, and any or all of them can be installed at the same time on Windows PCs. Some versions are no longer supported by Microsoft, and updates for those older versions won’t appear in Windows Update.

Because of this, many Windows PCs contain versions of this library that have security vulnerabilities.

Microsoft’s documentation on the XML library is confusing and incomplete. For what it’s worth, here are a couple of links to said documentation:

We recommend installing and running Secunia’s PSI, which scans for out-of-date software, including Microsoft’s XML libraries. PSI also helpfully provides links to download any missing updates.

Update 2014Jul30: A reader pointed out that getting MSXML4 up to date is not a simple task. Here’s what you need to know:

  • The most up-to-date MSXML4 is a patched version of MSXML4 SP3, specifically 4.30.2117.0.
  • Windows Update won’t offer newer updates for MSXML4 if the version on your computer is SP2. This is the basic problem pointed out by Secunia.
  • To get the most recent MSXML4 on your computer, you have to manually download and install MSXML4 SP3, then run Windows Update, which should show this update: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2758694). Once you install that update, you should be running MSXML4 SP3 version 4.30.2117.0.
  • Even after you’re running the most recent version of MSXML4, Secunia PSI will tell you it needs to be updated. That’s because Secunia has decided to report MSXML4 as ‘end-of-life’ (which it is) and direct users to MSXML6 instead. There are two problems with this: first, installing MSXML6 will not remove any earlier versions, including MSXML4; second, Microsoft recommends leaving MSXML4 in place as long as it’s up to date. The upshot is that unless you manually remove all remnants of MSXML4, PSI will keep telling you to install MSXML6, even if it’s already installed.
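The version check these steps describe, as an added PowerShell example that is not part of the original post: it reads the file version of each installed msxml4.dll and reports whether the machine is at the patched SP3 level (4.30.2117.0), at an unpatched SP3, or still on SP2 (where Windows Update will not help). It assumes MSXML4 is installed as msxml4.dll under System32 and/or SysWOW64, and that any 4.30.x file version is SP3 while 4.20.x is SP2.

```powershell
# Added example, not from the post or from Microsoft. Reports the MSXML4 state
# so you can tell independently of Secunia PSI whether the patched SP3 is present.
# Assumptions: msxml4.dll lives in System32 and/or SysWOW64 (32-bit MSXML4 on
# 64-bit Windows sits in SysWOW64); 4.30.x = SP3, anything lower = SP2 or older.

$PatchedSp3 = [version]'4.30.2117.0'   # version the post names for KB2758694
$Sp3Minimum = [version]'4.30.0.0'      # lowest version that counts as SP3

$Candidates = @(
    (Join-Path $env:SystemRoot 'System32\msxml4.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\msxml4.dll')
)

function Get-Msxml4Status {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # not installed here

    # Build the version from the numeric parts; the FileVersion string
    # sometimes carries trailing text that would not parse as [version].
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                           $info.FileBuildPart, $info.FilePrivatePart)

    $status = if ($ver -ge $PatchedSp3) {
        'OK: patched MSXML4 SP3 (4.30.2117.0 or later)'
    } elseif ($ver -ge $Sp3Minimum) {
        'SP3 but unpatched: run Windows Update and install KB2758694'
    } else {
        'SP2 or older: Windows Update will not offer fixes; install MSXML4 SP3 manually, then run Windows Update'
    }

    [pscustomobject]@{ Path = $Path; Version = $ver.ToString(); Status = $status }
}

$results = foreach ($p in $Candidates) { Get-Msxml4Status -Path $p }

if (-not $results) {
    Write-Output 'No msxml4.dll found in System32 or SysWOW64; MSXML4 does not appear to be installed.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt after each step of the procedure above to confirm you reached 4.30.2117.0, regardless of what PSI says about MSXML4 being end-of-life.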

Further reading:

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
