Forum Thread: Microsoft Core XML Services (MSXML) 4.X

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft XML Core Services (MSXML) 4.x

This thread has been marked as locked.
krw Microsoft Core XML Services (MSXML) 4.X
Member 15th Jul, 2014 15:34
Ranking: 0
Posts: 9
User Since: 5th Jul, 2009
System Score: N/A
Location: N/A
Last edited on 15th Jul, 2014 15:35

Microsoft Core XML Services (MSXML) 4.30.2117.0 shows as "End-of-Life" in PSI 2.0.0.2003. According to this forum, that version is current. Is there a newer version or is this an issue with PSI version 2? I have no interest in PSI version 3 which does not allow users to control auto updating... Please respond and thanks...

Windows 7 64-bit

Krw

SpywareDr RE: Microsoft Core XML Services (MSXML) 4.X
Member 15th Jul, 2014 16:12
Score: 0
Posts: 1
User Since: 6th Dec 2013
System Score: N/A
Location: N/A
Just received the same PSI 2.0 "End-of-Life" error here on Windows 7 Ultimate 64-bit with all updates (except Bing). The purported problem file is:

Microsoft XML Core Services (MSXML) 4.x
C:\Windows\SysWOW64\msxml4.dll, version 4.30.2117.0

Clicked the "Microsoft Update" at the end of that line in PSI which led to the following Microsoft page:

http://www.microsoft.com/en-us/download/details.as...

Clicked the Download button there, selectecd "msxml6_x64.msi", downloaded and installed it and got a "Setup has installed MSXML 6.0 Parser successfully. Click finish to exit." window. Clicked Finish, rebooted, rescanned with PSI and got the same "End-of-Life" error on "C:\Windows\SysWOW64\msxml4.dll, version 4.30.2117.0" again.

Did a normal (re)"Check for Updates" in Windows Update and am getting the normal "Windows is up to date" . . . which leads me to believe PSI may well be mistaken.
Was this reply relevant?
+0
-0
ddmarshall RE: Microsoft Core XML Services (MSXML) 4.X
Dedicated Contributor 15th Jul, 2014 16:57
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: N/A
Location: UK
Secunia should not be directing anybody to the Microsoft Download Center to install MSXML 6.0.

MSXML 6.0 has been a built-in component of the Operating System since Windows XP SP3. The download is intended for prior systems.
(Source: http://msdn.microsoft.com/en-us/library/jj152146(v=vs.85).aspx)

I don't know if installing the download would cause any damage but each subsequent version of Windows has a copy of msxml6.dll with a different file version and size.

--
Was this reply relevant?
+4
-0
mari87 RE: Microsoft Core XML Services (MSXML) 4.X
Member 15th Jul, 2014 20:37
Score: 4
Posts: 6
User Since: 12th Jan 2012
System Score: N/A
Location: US
on 15th Jul, 2014 16:57, ddmarshall wrote:
Secunia should not be directing anybody to the Microsoft Download Center to install MSXML 6.0.

MSXML 6.0 has been a built-in component of the Operating System since Windows XP SP3. The download is intended for prior systems.
(Source: http://msdn.microsoft.com/en-us/library/jj152146(v=vs.85).aspx)

I don't know if installing the download would cause any damage but each subsequent version of Windows has a copy of msxml6.dll with a different file version and size.



I too just clicked on the link in Secunia PSI 2.0 for the MSXML 4.x end-of-life and it most certainly does take you to the MS page to download version 6. I am not going to do anything, just sit tight to see if Secunia corrects this. I do not see any reason to remove 4.x and I fear doing so will really mess up my system. I am not going to spend hours/days reinstalling Windows 7 and all my programs just because Secunia told me to uninstall something that can stay.
Was this reply relevant?
+2
-0
julio991 RE: Microsoft Core XML Services (MSXML) 4.X
Member 15th Jul, 2014 20:50
Score: 1
Posts: 23
User Since: 7th Mar 2010
System Score: N/A
Location: CA
I have the same end of life warning on Windows 7 x64. When I go to the download page it shows :Microsoft Core XML Services (MSXML) 6.0, but there are 4 downloads to choose from under that. What am I supposed to do about this and if any, which one am I supposed to download for my system to replace the end of life?
Was this reply relevant?
+0
-0
ddmarshall RE: Microsoft Core XML Services (MSXML) 4.X
Dedicated Contributor 16th Jul, 2014 02:44
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: N/A
Location: UK
Don't download any of them.

This download dates from 2006.

Look at the system requirements. It only applies to Windows before XP SP3. Windows since XP SP3 contains MSXML 6.0 as part of the OS
.
MSXML 6.0 is not a replacement for MSXML 4.0. Installing it will not uninstall MSXML 4.0.

MSXML 6.0 has had security updates this year. If you did install this download it would possibly overwrite the Windows 7 version. It is not obvious how you would recover from that.

--
Was this reply relevant?
+5
-0
julio991 RE: Microsoft Core XML Services (MSXML) 4.X
Member 16th Jul, 2014 02:53
Score: 1
Posts: 23
User Since: 7th Mar 2010
System Score: N/A
Location: CA
I understand that, but is Secunia going to fix it so we don't have the "End of Life" notification or is it all about just putting in "ignore".?? This question is strictly for purposes of updating the application.
Was this reply relevant?
+1
-0
ManFromOz RE: Microsoft Core XML Services (MSXML) 4.X
Member 16th Jul, 2014 02:54
Score: 17
Posts: 107
User Since: 6th Jun 2012
System Score: N/A
Location: AU
on 16th Jul, 2014 02:44, ddmarshall wrote:
Don't download any of them.

This download dates from 2006.

Look at the system requirements. It only applies to Windows before XP SP3. Windows since XP SP3 contains MSXML 6.0 as part of the OS
.
MSXML 6.0 is not a replacement for MSXML 4.0. Installing it will not uninstall MSXML 4.0.

MSXML 6.0 has had security updates this year. If you did install this download it would possibly overwrite the Windows 7 version. It is not obvious how you would recover from that.


Great warning. Thanks!
Was this reply relevant?
+0
-1
ParzivalRM RE: Microsoft Core XML Services (MSXML) 4.X
Member 16th Jul, 2014 04:32
Score: 13
Posts: 42
User Since: 15th May 2010
System Score: N/A
Location: AU
I'm not happy at all about this, because it seems that by following Secunia's advice, I have put my system at risk. (I am running Windows 7 Professional)

* I too received the "End-of-life" notification for Microsoft XML Core Services (MSXML) 4.x a few days ago, with a whopping big threat rating.
* I downloaded the Microsoft Update that was offered. There were four files --- one didn't work, but the other three did. They flashed through to completed almost immediately, however, so it was clear that they hadn't done much.
* I rescanned --- no change.

Now, a few days later, I find this present thread on the Forum, warning me that I could damage my system if I download and install the very update that Secunia offers me!!!
- - - - - - - -

TWO QUESTIONS:
FIrst, I only have Secunia installed in order to keep my system safe, but now it seems that Secunia has advised me to do something that could have damaged my system. This is not good.
* Is Secunia going to fix this?
* Is Secunia going to repeat this sort of dangerous advice with other software?

Secondly, what is the situation with MSXML 4.0?
* Is it insecure?
* If so, what do we do about it?
Was this reply relevant?
+1
-1
ddmarshall RE: Microsoft Core XML Services (MSXML) 4.X
Dedicated Contributor 16th Jul, 2014 09:56
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: N/A
Location: UK
I suspect this has come about because of an update to MSXML 3.0 and MSXML 6.0 in June.
https://technet.microsoft.com/en-us/library/securi...
This fixes a minor information disclosure vulnerability.

The security bulletin refers to MSXML 3.0, 5.0 and 6.0. The lack of any mention of MSXML 4.0 suggests that Microsoft have abandoned it.

To check if installing MSXML 6.0 from the download has replaced the Windows 7 versions, check the Properties details on msxml6.dll in C:\Windows\System32 and C:\Windows\SysWOW64 (for 64bit systems). It should be version starting with 6.30.7601 and date modified in March 2014.

If the wrong version of msxml6.dll is present, running the System File Checker may restore the correct version.
See: http://support.microsoft.com/kb/929833
This depends on msxml6.dll being a protected system file.

--
Was this reply relevant?
+3
-0
ManFromOz RE: Microsoft Core XML Services (MSXML) 4.X
Member 16th Jul, 2014 10:15
Score: 17
Posts: 107
User Since: 6th Jun 2012
System Score: N/A
Location: AU
This shows that msxml 4.0 sp3 is still supported by Microsoft.

http://msdn.microsoft.com/en-us/library/jj152146%2...

"Currently in maintenance mode; superseded by MSXML 6.0 and intended only to support legacy applications. Customers may upgrade their applications that use MSXML 4.0 to use MSXML 6.0 instead."

I don't know how old that article is though.
Was this reply relevant?
+0
-0
J.Vemmer RE: Microsoft Core XML Services (MSXML) 4.X
Secunia Official 16th Jul, 2014 10:20
Score: 5
Posts: 20
User Since: 5th Oct 2011
System Score: N/A
Location: Copenhagen, DK
Hi,

Microsoft has announced that the widely used Microsoft XML Core Services (MSXML) 4.x has reached the end of its lifecycle. The announcement was made back in 2013 (http://support.microsoft.com/gp/msxmlannounce), stating that April 12th 2014 was the EOL date. This is further supported by the official Microsoft Lifecycle Policy found here: http://support.microsoft.com/lifecycle/search/defa...

As a result, all versions of Microsoft XML Core Services (MSXML) 4.x will correctly be flagged as EOL by the Secunia products, recommending an upgrade to Microsoft XML Core Services (MSXML) 6.x, as stated in the Microsoft announcement.

--
Kind regards,

Jais Vemmer
xSI Signatures Specialist
portugalpete RE: Microsoft Core XML Services (MSXML) 4.X
Member 16th Jul, 2014 11:01
Score: 1
Posts: 3
User Since: 6th Apr 2011
System Score: N/A
Location: PT
OK, so Secunia are saying v6 should be installed because 4x is no longer supported by MS. I installed all the v6 updates 2 days ago - as per Secunia's instructions. But why does Secunia still showing the vulnerability after installing v6 and then rebooting? It appears that something may be missing from the Secunia instructions. Please advise.
Was this reply relevant?
+1
-0
ddmarshall RE: Microsoft Core XML Services (MSXML) 4.X
Dedicated Contributor 16th Jul, 2014 11:10
Score: 1250
Posts: 992
User Since: 8th Nov 2008
System Score: N/A
Location: UK
Thanks for the update.

The point is that sending users to the download for MSXML 6.0 from 2006 which is intended for versions of Windows prior to XP SP3 is wrong.

The advice to update to MSXML 6.0 is intended for developers. They should rebuild their applications to target MSXML 6.0 and redistribute them.
End users with applications build to target MSXML 4.0 cannot simply remove MSXML 4.0 and expect the applications to continue working with the built in MSXML 6.0 present in all currently supported version of Windows.

--
Was this reply relevant?
+3
-0
mari87 RE: Microsoft Core XML Services (MSXML) 4.X
Member 16th Jul, 2014 13:58
Score: 4
Posts: 6
User Since: 12th Jan 2012
System Score: N/A
Location: US
on 16th Jul, 2014 10:20, J.Vemmer wrote:
Hi,

Microsoft has announced that the widely used Microsoft XML Core Services (MSXML) 4.x has reached the end of its lifecycle. The announcement was made back in 2013 (http://support.microsoft.com/gp/msxmlannounce), stating that April 12th 2014 was the EOL date. This is further supported by the official Microsoft Lifecycle Policy found here: http://support.microsoft.com/lifecycle/search/defa...

As a result, all versions of Microsoft XML Core Services (MSXML) 4.x will correctly be flagged as EOL by the Secunia products, recommending an upgrade to Microsoft XML Core Services (MSXML) 6.x, as stated in the Microsoft announcement.



Excuse me, Secunia, but that does not answer our questions. If Windows 7 already HAS the current msxml6.dll file, then why are you directing us (within PSI) to download 6 to replace 4?
And tell us, if it was EOL in April, why are just now seeing the EOL in PSI in JULY? If MSXML is only for developers, then why do we even have it if we are not developers? What is the harm in leaving it on our systems?

This is similar to the dozens of times that Chrome has renamed its old file with "old" and PSI thinks it is still a working exe file, ignores any new file and flags for an update that was already done!

Windows XP is no longer supported and at EOL also. I no longer use my old laptop that has Windows XP so can not check PSI on it, but are users with it supposed to remove XP too? Seriously.

A lot of PSI users rely on it to guide them when they are not computer gurus, but in this case, Secunia seems to be leading some of these people astray. Please give us more direction to follow that will not harm anyone's systems.
Was this reply relevant?
+2
-0
ParzivalRM RE: Microsoft Core XML Services (MSXML) 4.X
Member 17th Jul, 2014 02:53
Score: 13
Posts: 42
User Since: 15th May 2010
System Score: N/A
Location: AU
Was this reply relevant?
+1
-0
Speedwagon RE: Microsoft Core XML Services (MSXML) 4.X
Member 18th Jul, 2014 02:50
Score: 0
Posts: 1
User Since: 18th Jul 2014
System Score: N/A
Location: US
I just followed the suggested link to the Microsoft Download Center for Microsoft Core XML Services (MSXML) 6.0 . The first thing I did was look at the System Requirements. It is calling for updates to Windows 2000 Service Pack 4, Windows Server 2003, Windows Server 2003 Service Pack 1, Windows XP Service Pack 1, Windows XP Service Pack 2 .

I an running Windows Vista, and have absolutely NO INTENTION of damaging my system by running this download.

Until I get proper notification through Windows Update of the proper version of this software for MY OPERATING SYSTEM, I'm afraid I'm just going to have to ignore this warning, unless somebody can point me in the right direction for software that will properly update MY OPERATING SYSTEM, which is Windows Vista 32-bit.
Was this reply relevant?
+0
-0
buzzedsaw RE: Microsoft Core XML Services (MSXML) 4.X
Member 18th Jul, 2014 03:34
Score: 1
Posts: 1
User Since: 10th Mar 2011
System Score: N/A
Location: US
Last edited on 18th Jul, 2014 03:36
I'm running Windows 7 Home Premium, Service Pack 1.

I uninstalled the MSXML 4.0 related packages in Add/Remove programs, manually removed the DLL file that had been triggering the Secunia alert, ran Windows Update, finding no new packages to install. System is running fine, Secunia recognized the removal of the DLL file, showing 100% patched.
Was this reply relevant?
+1
-0
mccoady RE: Microsoft Core XML Services (MSXML) 4.X
Member 18th Jul, 2014 16:45
Score: 0
Posts: 2
User Since: 26th Sep 2009
System Score: N/A
Location: N/A
Last edited on 18th Jul, 2014 16:57
Never mind just saw other post http://secunia.com/community/forum/thread/show/150...
Was this reply relevant?
+0
-0
inahut RE: Microsoft Core XML Services (MSXML) 4.X
Member 19th Jul, 2014 19:07
Score: 9
Posts: 12
User Since: 19th Jul 2014
System Score: N/A
Location: US
I have researched this problem on my own
I have examined the information MS provides about differing versions of MSXML
Just to offer my previous post in a related MSXML thread:

MS shows the differing versions are not directly incompatable
MS recommends installation of newest version
Newest version is 6.0
When one finds its exact location within the Windows directory one can see the versions listed in order, in my case as msxml3...4...6
The installation date I find for my msmxml6.dll and msxml6r.dll is 3-26-2014, as a result of MS update itself
I find the information provided by Maurice Joyce in this thread and in the thread titled "MSXML" to be more accurate than any information provided by Secunia voices
My research shows that Maurice Joyce in describing this problem in terms used by MS itself without leaving out any important variable or factor
In these two threads the voices representative of Secunia are not reproducing the information provided by MS in a completely accurate way.
I have followed the links and read the information to the best of my abiltiy
When I encountered Maurice Joyce's synthesis of the information it rang true and help me see the error being produced by Secunia PSI is incorrect, erroneous and at this point in time it is quite aggravating.
Was this reply relevant?
+0
-0
julio991 RE: Microsoft Core XML Services (MSXML) 4.X
Member 19th Jul, 2014 21:47
Score: 1
Posts: 23
User Since: 7th Mar 2010
System Score: N/A
Location: CA
I have gone through all the posting and researching through Google and Microsoft and to tell you the truth I have accomplished exactly nothing by reading all the posts. I understand the MSXML 4 being end of life and if it is fine, but doesn't Microsoft usually update these through Windows Update? Why is Secunia routing me to a download page for MSXML 6, but they don't tell me which is appropriate for my system. Also what am I supposed to do with the file they are claiming is "EOL"? I ran a backup just in case and created a restore point and then went and deleted the MSXML 4 file or .dll and uninstalled it with Revo and rebooted. After that my system acted bad. IE 11 started and instantly disappeared off the screen. I had pop ups of programs running in my tray on the screen. I guess what I'm getting at is my machine was broke. I restored the .dll of MSXML 4 and ran the restore of my backup and everything is back to normal. I just used an ignore rule for this EOL MSXML 4 and left it at that. Until someone in the real know decides on what to do about this whole screwed up situation I'm just leaving as is and letting the ignore rule stand until Windows updates this MSXML 4 to MSXML 6.
Was this reply relevant?
+0
-0
L1NGUS RE: Microsoft Core XML Services (MSXML) 4.X
Member 21st Jul, 2014 22:27
Score:
Posts: 34
User Since: 25th Nov 2008
System Score: N/A
Location: US
HEY!

SECUNIA!

PULL YOUR HEADS OUT OF YOUR ASSES AND ADDRESS THIS SITUATION!

SUPPLY A CLEAR ANSWER!



--
PC/Android 4 Life
Was this reply relevant?
+7
-0

This thread has been marked as locked.