Forum Thread: 2 or more Windows Updates released and XML Core Service still not...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
jckinnick 2 or more Windows Updates released and XML Core Service still not fixed
Member 11th Dec, 2014 07:43
Ranking: 6
Posts: 191
User Since: 21st May, 2010
System Score: 100%
Location: US
When are they going to fix this?

Maurice Joyce RE: 2 or more Windows Updates released and XML Core Service still not fixed
Handling Contributor 11th Dec, 2014 15:52
Score: 12287
Posts: 9,543
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Not too sure I understand your question.

MSXML 3 & 6 are up to date & fully patched & should clearly show that way after any full PSI scan.

The last patch was to MSXML 3 on 11 Nov 2014 under KB2993958. http://support.microsoft.com/kb/2993958

MSXML 5 only affects those using Microsoft Office 2007 & does not show.

These are the only versions of MSXML Supported by Microsoft.

Have you got an issue with 3 or 6?

Are you by chance referring to MSXML 4? If so that version is OBSOLETE and has been since April 2014. It will NEVER be updated. Users who require it to run equally obsolete programmes do so at their own risk.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1709 (Creators Update) Build 16299.19
16 GB RAM
IE & Edge Only
Was this reply relevant?
+3
-0
jckinnick RE: 2 or more Windows Updates released and XML Core Service still not fixed
Member 12th Dec, 2014 00:30
Score: 6
Posts: 191
User Since: 21st May 2010
System Score: 100%
Location: US
on 11th Dec, 2014 15:52, Maurice Joyce wrote:
Not too sure I understand your question.

MSXML 3 & 6 are up to date & fully patched & should clearly show that way after any full PSI scan.

The last patch was to MSXML 3 on 11 Nov 2014 under KB2993958. http://support.microsoft.com/kb/2993958

MSXML 5 only affects those using Microsoft Office 2007 & does not show.

These are the only versions of MSXML Supported by Microsoft.

Have you got an issue with 3 or 6?

Are you by chance referring to MSXML 4? If so that version is OBSOLETE and has been since April 2014. It will NEVER be updated. Users who require it to run equally obsolete programmes do so at their own risk.



Its the Microsoft XML Core Services MSXML 4x one. Last I heard there was some dispute over it. I have two laptops one with Windows 7 and the other with Windows 8 that have both been sitting at 99% for the last couple of Windows Updates cycles. I thought it might have been resolved by now.
Was this reply relevant?
+0
-0
Maurice Joyce RE: 2 or more Windows Updates released and XML Core Service still not fixed
Handling Contributor 12th Dec, 2014 11:25
Score: 12287
Posts: 9,543
User Since: 4th Jan 2009
System Score: N/A
Location: UK
It is resolved. MSXML 4 is obsolete & Microsoft will not issue any more updates for it.

If you are running MSXML 4 version 4.30.2117.0 is was secure as at April 2014 when declared obsolete - whether that remains correct is anyone's guess.

If you are running any other version of MSXML 4 it is not only vulnerable but obsolete.



--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1709 (Creators Update) Build 16299.19
16 GB RAM
IE & Edge Only
Was this reply relevant?
+3
-0
jckinnick RE: 2 or more Windows Updates released and XML Core Service still not fixed
Member 13th Dec, 2014 02:05
Score: 6
Posts: 191
User Since: 21st May 2010
System Score: 100%
Location: US
on 12th Dec, 2014 11:25, Maurice Joyce wrote:
It is resolved. MSXML 4 is obsolete & Microsoft will not issue any more updates for it.

If you are running MSXML 4 version 4.30.2117.0 is was secure as at April 2014 when declared obsolete - whether that remains correct is anyone's guess.

If you are running any other version of MSXML 4 it is not only vulnerable but obsolete.



So how do I get to 100% without doing some complicated work around?
Was this reply relevant?
+0
-0
Maurice Joyce RE: 2 or more Windows Updates released and XML Core Service still not fixed
Handling Contributor 13th Dec, 2014 18:21
Score: 12287
Posts: 9,543
User Since: 4th Jan 2009
System Score: N/A
Location: UK
There is no work around as such. It is a straight forward matter of completing a Risk Assessment & then deciding the best way forward.

Do you know which old programme(s) you have installed on your PC's that required you or the old programme vendor to install MSXML 4?Once you know that & can make a judgement there are 4 courses of action to consider.
(In many instances I have found that users have purchased a new OS but have not upgraded their external hardware - a printer for example - that runs on EOL software).

1.If you have no idea what programme is using MSXML 4 you can rename the MSXML file with am extension of .OLD. This will cripple MSXML4 & any programme reliant on it - it will soon become obvious which programmes are using MSXML4 for a better Risk Assessment to be made.

2.The most secure way to eliminate the problem is to uninstall MSXML 4 & any programmes dependant on it.

3. You can do nothing. Adopting this posture will allow PSI to give you a true security score but will also nag you with the very misleading message that you can fix the problem. The PC will of course remain potentially vulnerable because it cannot be fixed.

4. There is an option to just create an Ignore Rule without any assessment. This will give you a 100% score but is A FALSE POSITIVE in that Secunia allows users to be insecure/vulnerable by using this method but rewards them with a 100% score.

To me, the advice Secunia give Corporate users is equally valid for home users who have not or cannot complete a full Risk Assessment.

https://1ncuig.bn1.livefilestore.com/y2pr1UtroJqM6...

If you want further help on setting up your chosen course of action I will be happy to help.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1709 (Creators Update) Build 16299.19
16 GB RAM
IE & Edge Only
Was this reply relevant?
+3
-0
jckinnick RE: 2 or more Windows Updates released and XML Core Service still not fixed
Member 14th Dec, 2014 01:19
Score: 6
Posts: 191
User Since: 21st May 2010
System Score: 100%
Location: US
on 13th Dec, 2014 18:21, Maurice Joyce wrote:
There is no work around as such. It is a straight forward matter of completing a Risk Assessment & then deciding the best way forward.

Do you know which old programme(s) you have installed on your PC's that required you or the old programme vendor to install MSXML 4?Once you know that & can make a judgement there are 4 courses of action to consider.
(In many instances I have found that users have purchased a new OS but have not upgraded their external hardware - a printer for example - that runs on EOL software).

1.If you have no idea what programme is using MSXML 4 you can rename the MSXML file with am extension of .OLD. This will cripple MSXML4 & any programme reliant on it - it will soon become obvious which programmes are using MSXML4 for a better Risk Assessment to be made.

2.The most secure way to eliminate the problem is to uninstall MSXML 4 & any programmes dependant on it.

3. You can do nothing. Adopting this posture will allow PSI to give you a true security score but will also nag you with the very misleading message that you can fix the problem. The PC will of course remain potentially vulnerable because it cannot be fixed.

4. There is an option to just create an Ignore Rule without any assessment. This will give you a 100% score but is A FALSE POSITIVE in that Secunia allows users to be insecure/vulnerable by using this method but rewards them with a 100% score.

To me, the advice Secunia give Corporate users is equally valid for home users who have not or cannot complete a full Risk Assessment.

https://1ncuig.bn1.livefilestore.com/y2pr1UtroJqM6...

If you want further help on setting up your chosen course of action I will be happy to help.



I have no clue what programs use it, should I just rename it old and find out?
Was this reply relevant?
+0
-0
Maurice Joyce RE: 2 or more Windows Updates released and XML Core Service still not fixed
Handling Contributor 14th Dec, 2014 10:25
Score: 12287
Posts: 9,543
User Since: 4th Jan 2009
System Score: N/A
Location: UK
That is what I would do but it really is your decision. If you want any help with the renaming I need to know the path of the file to be renamed.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1709 (Creators Update) Build 16299.19
16 GB RAM
IE & Edge Only
Was this reply relevant?
+0
-0

This thread has been marked as locked.