Highly critical

Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities


Release Date:  2013-01-08    Last Update:  2013-01-09    Views:  22,331

Secunia Advisory SA51773


Description


Two vulnerabilities have been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.



Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities

User Message
CSGalloway RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 31st Jan, 2013 22:03
Score: 3
Posts: 22
User Since: 12th Sep 2008
System Score: 97%
Location: US
Last edited on 31st Jan, 2013 22:03
I have done Windows Update and it does not say I need to update XML anything. Please advise, as I think this is a Secunia problem.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Handling Contributor 31st Jan, 2013 22:37
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 31st Jan, 2013 23:12
Close inspection shows that the Advisory has a date stamp of 9 January.

As far as I can see having followed the disclosure trail it was fixed by Microsoft Update on the 8th January monthly update cycle. KB2758694 in your installed updates refers if using Windows 7.

EDIT:
The Microsoft Tech Bulletin is here that covers all the update KB's for various OS's.

http://technet.microsoft.com/en-us/security/bullet...



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
jgnetworksecurity RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 15th Feb, 2013 03:45
Score: 0
Posts: 2
User Since: 11th Jun 2012
System Score: N/A
Location: US
Last edited on 15th Feb, 2013 03:45
I am having this same problem on win8pro. I have applied all Windows updates and all of a sudden it is asking me to download the msxml4 sp3 parser, which is an old file. It shows the offending file is C:\Windows\SysWow64\msxml4.dll. I have already applied January's updates as well as February's updates. I want to report this to Secunia since I remember this false positive happening with XML before, 6 months ago and about 2 years ago. I cannot check my other computers because this is my only win8 pro machine and the only one with PSI 3.

--
JGNetworkSecurity
Was this reply relevant?
+0
-0
Maurice Joyce RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Handling Contributor 15th Feb, 2013 10:39
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Secunia are reporting correctly if you have not got MSXML 4.3.2117.0 installed. I have revised the post I wrote some time ago when this issue first appeared on how to update to that version.

MSXML ISSUES

The release note for MSXML 4 are here:
http://download.microsoft.com/download/A/2/D/A2D85...

Please note this SP was released before Windows 7 & 8 were produced; therefore there is no mention of compatibility or support once installed. It works flawlessly with Windows 7 on both 32 & 64 Bit systems. I have NOT tested it on my Windows 8 PC because I have no old legacy programmes that require it to be installed.

Firstly, it is important to note the VERSION NUMBER currently installed which PSI gives in the vulnerability report because there are three possible solutions.

Solution 1
If PSI gives a version number starting 4.2 or 4.1 that indicates that the very old MSXML 4 SP2 or even older SP1 is installed which must be MANUALLY upgraded to MSXML 4 SP3 as follows:

Click this link
http://www.microsoft.com/en-us/download/details.as...

Once open activate the clearly marked download link called MSXML.MSI - 2.3 MB.

Once installed run Windows Update - there are some additional patches for MSXML 4 SP3.

On completion, after a full PSI rescan, PSI will show MSXML 4 as secure with version 4.30.2117.0.


Solution 2
If PSI reveals the path to be 4.3 that almost certainly indicates that the latest Windows Update patch is not installed correctly. Run a Windows Update scan - if that reveals nothing try a manual update using this link:

http://www.microsoft.com/en-us/download/details.as...

Solution 3

If MSXML 4 SP3 BETA is installed ensure it is fully removed prior to using Solution 1. The Release Notes referred.

After any full PSI rescan the Scan Result Page should show this for MSXML:

https://akkkug.bn1.livefilestore.com/y1pA8VEBrQiDZ...

Revised 09:11 15/02/2013

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+3
-1
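The version check Maurice describes above can be scripted so that a machine reports which of his three cases applies before anyone clicks a download link. The following PowerShell is an added example, not code from the thread, from Secunia or from Microsoft. It assumes the expected patched file version 4.30.2117.0 and the "4.1/4.2 versus 4.3" branching taken from his post, reads msxml4.dll from the standard System32 and SysWOW64 locations (the thread names SysWOW64), and cross-checks the Control Panel entries that a later post mentions via the standard Uninstall registry hives. The SP3 beta case (Solution 3) cannot be told apart by file version alone, so the script does not try to detect it.

```powershell
# Added example (not from the thread, Secunia or Microsoft): report the
# msxml4.dll versions actually on disk and map each onto the three cases
# in Maurice Joyce's post. Assumed values: expected version 4.30.2117.0 and
# the 4.1x/4.2x vs 4.30.x branches, both taken from that post.

$ExpectedVersion = [Version]'4.30.2117.0'

function Get-Msxml4FileStatus {
    param(
        # Standard locations; on 32-bit Windows the SysWOW64 path simply does not exist.
        [string[]]$DllPaths = @(
            (Join-Path $env:SystemRoot 'System32\msxml4.dll'),
            (Join-Path $env:SystemRoot 'SysWOW64\msxml4.dll')
        )
    )
    foreach ($path in $DllPaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # No MSXML 4 for this bitness: nothing to patch. MSXML 4 only
            # arrives with programs that still depend on it.
            [PSCustomObject]@{ Path = $path; Version = $null; Advice = 'Not installed' }
            continue
        }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build a comparable System.Version from the numeric parts instead of
        # parsing the free-text FileVersion string.
        $ver = New-Object -TypeName System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        $advice = if ($ver -ge $ExpectedVersion) {
            'Patched: at or above 4.30.2117.0'
        } elseif ($ver.Major -eq 4 -and $ver.Minor -lt 30) {
            # PSI shows these as 4.1x / 4.2x: MSXML 4 SP1 or SP2. Solution 1
            # in the post: install SP3 manually, then run Windows Update.
            'Solution 1: install MSXML 4 SP3 manually, then run Windows Update'
        } else {
            # 4.30.x but below the expected build: SP3 is present but the
            # post-SP3 security update has not applied. Solution 2 in the post.
            'Solution 2: run Windows Update and apply the SP3 security update'
        }
        [PSCustomObject]@{ Path = $path; Version = $ver; Advice = $advice }
    }
}

function Get-Msxml4InstalledEntries {
    # Cross-check against what Control Panel lists ("MSXML 4 SP3 Parser" and
    # its KB entry, per a later post). Standard Uninstall hives; the
    # WOW6432Node hive exists only on 64-bit Windows.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem $hive |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like 'MSXML 4*' } |
            Select-Object DisplayName, DisplayVersion
    }
}

Get-Msxml4FileStatus       | Format-Table -AutoSize
Get-Msxml4InstalledEntries | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt; it only reads file metadata and the Uninstall hives, so it does not need elevation. A 4.30.2117.0 result on both paths matches what the post says a clean PSI rescan should show; a Control Panel entry for SP3 with an on-disk version still below that build is the "Solution 2" situation where the SP3 installer ran but its security update did not.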
ParzivalRM RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 10th Mar, 2013 07:20
Score: 13
Posts: 41
User Since: 15th May 2010
System Score: N/A
Location: AU
Last edited on 10th Mar, 2013 07:20
Thanks, Maurice, for this careful posting. A fortnight ago I unfortunately had to put my daughter's Toshiba Satellite A200 notebook back to factory settings, which meant Vista without any service packs!!! Together with exhaustive use of "Control Panel --> Windows Update" beforehand, in between, and afterwards, I installed Vista SP1 and Vista SP2 by downloading Microsoft's "5-language standalone" installers. I thought that all was well until I installed Secunia, which reports that my only security problem is
* Microsoft XML Core Services (MSXML), Detected Version 4.20.9876.0

From your last posting above, the appropriate way to go thus seems to be your "Solution 1". But when I click on the link that you give within "Solution 1", Microsoft tells me that the "System Requirements" for "MSXML 4.0 Service Pack 3 (Microsoft XML Core Services)" include Vista and Vista SP1, but makes no mention at all of "Vista SP2".

I now have Vista SP2 installed on this notebook --- at least that's what "Control Panel --> System" says is there --- so does that rule out your "Solution 1"?

(By the way, running Windows Update, rebooting, and rescanning with Secunia haven't changed anything.)
Was this reply relevant?
+0
-0
Maurice Joyce RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Handling Contributor 10th Mar, 2013 09:35
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
No - Solution 1 should work given the MSXML version you currently have installed.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
ParzivalRM RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 14th Mar, 2013 08:36
Score: 13
Posts: 41
User Since: 15th May 2010
System Score: N/A
Location: AU
Last edited on 14th Mar, 2013 08:36
I finally stole some time on the said computer. I followed your "Solution 1", then I ran Windows Update until it had no more updates, then I ran a Secunia scan, and I was rewarded with a 100% score. Thanks very much for your help.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Handling Contributor 14th Mar, 2013 09:47
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@ParzivalRM

Pleased to see you are all fixed up.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
roncri RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 27th Apr, 2013 01:38
Score: 0
Posts: 1
User Since: 27th Apr 2013
System Score: N/A
Location: US
Last edited on 27th Apr, 2013 01:38
Any idea why this should be happening with Windows 8 64 bit?
Was this reply relevant?
+0
-0
ramaccount RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 27th Apr, 2013 03:55
Score: 0
Posts: 2
User Since: 27th Apr 2013
System Score: N/A
Location: US
Last edited on 27th Apr, 2013 03:55
I had the same problem as the user who posted originally, on my Windows 8 64 bit system.
I followed Maurice Joyce's instructions, found I had version 4.2, and applied Solution 1 which is to download an MSI and update manually.
Ran Windows update, it updated some MSXML file, and gave me an all clear.

Now PSI says I have MSXML versions 3, 3 (64 bit), 4, 4 (64 bit), 6 and 6 (64 bit)!
Trying to update through PSI sends me to the Windows Update panel, and that panel shows no updates to apply!

Help?
Was this reply relevant?
+0
-0
Maurice Joyce RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Handling Contributor 27th Apr, 2013 07:37
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You should have versions 3,4 & 6.

Try a reboot & then a full PSI scan - what result do you get then?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
ramaccount RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 27th Apr, 2013 17:48
Score: 0
Posts: 2
User Since: 27th Apr 2013
System Score: N/A
Location: US
Last edited on 27th Apr, 2013 17:48
Maurice, it's all clear and I got to 100%!
Thanks for your help!
Was this reply relevant?
+0
-0
Maurice Joyce RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Handling Contributor 4th May, 2013 17:11
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@roncri

I have just noticed I missed your question. You have loaded a programme onto Windows 8 that is reliant on the old MSXML 4 to function.

There is no reason why MSXML 4 should not work & if it remains showing as vulnerable it should be updated as a matter of urgency.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
pfvincent RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 14th Jul, 2014 16:48
Score: 0
Posts: 7
User Since: 4th Oct 2008
System Score: N/A
Location: UK
Last edited on 14th Jul, 2014 17:11
I have just received an End-of-Life indication for Microsoft XML Core Services (MSXML) 4.x on my Windows 7 machines, referencing this advisory, and stating that the detected version is 4.30.2117.0.
However, this advisory states that this is the correct version!
I have just checked Microsoft Update, and there are no updates available.
Why is Secunia giving an End-of-Life indication, and how should I deal with it?

A week ago I had 100%, and the only changes I've made since have been last Tuesday's Microsoft updates.
Was this reply relevant?
+0
-0
rd52 RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 14th Jul, 2014 17:25
Score: 5
Posts: 36
User Since: 4th Dec 2008
System Score: N/A
Location: US
Quoting pfvincent:
I have just received an End-of-Life indication for Microsoft XML Core Services (MSXML) 4.x on my Windows 7 machines, referencing this advisory, and stating that the detected version is 4.30.2117.0.
However, this advisory states that this is the correct version!
I have just checked Microsoft Update, and there are no updates available.
Why is Secunia giving an End-of-Life indication, and how should I deal with it?
A week ago I had 100%, and the only changes I've made since have been last Tuesday's Microsoft updates.


I am having the same exact problem on my Windows 7, 64. I also ran windows update and have no updates. What gives?
Was this reply relevant?
+1
-0
Mike406 RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 15th Jul, 2014 21:03
Score: 1
Posts: 19
User Since: 27th Aug 2009
System Score: 100%
Location: US
Quoting rd52:
I am having the same exact problem on my Windows 7, 64. I also ran windows update and have no updates. What gives?


They probably have not updated the database for it yet. It happens.
Was this reply relevant?
+0
-0
J.Vemmer RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Secunia Official 16th Jul, 2014 10:14
Score: 5
Posts: 20
User Since: 5th Oct 2011
System Score: N/A
Location: Copenhagen, DK
Hi,

Microsoft has announced that the widely used Microsoft XML Core Services (MSXML) 4.x has reached the end of its lifecycle. The announcement was made back in 2013 (http://support.microsoft.com/gp/msxmlannounce), stating that April 12th 2014 was the EOL date. This is further supported by the official Microsoft Lifecycle Policy found here: http://support.microsoft.com/lifecycle/search/defa...

As a result, all versions of Microsoft XML Core Services (MSXML) 4.x will correctly be flagged as EOL by the Secunia products, recommending an upgrade to Microsoft XML Core Services (MSXML) 6.x, as stated in the Microsoft announcement.

--
Kind regards,

Jais Vemmer
xSI Signatures Specialist
macko1944 RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 17th Jul, 2014 16:02
Score: 0
Posts: 16
User Since: 20th Jul 2009
System Score: N/A
Location: CA
I seem to experience the same problem. All of a sudden Secunia shows EOL for MSXML 4 that I had on my Win 7 (32). I tried to download the files that applied to the 32 version (two out of the four mentioned at the download page). The downloads were successful, YET SECUNIA STILL SHOWS ONLY THE 4 version and not the 6, even though I re-started my computer (2X actually). So I am ready to surrender, because I have no idea what else I can do. Can anyone help? Thank you. (July 17, 2014)
Was this reply relevant?
+0
-0
owlyn RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 17th Jul, 2014 20:50
Score: 0
Posts: 3
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
I am experiencing the same problem as everyone above. Windows 7 64 bit Professional. Tried auto and manual updates. Installed MSXML vers 6. Still get a PSI warning.
Was this reply relevant?
+0
-0
pfvincent RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 18th Jul, 2014 00:42
Score: 0
Posts: 7
User Since: 4th Oct 2008
System Score: N/A
Location: UK
There is another thread on this subject in the PSI forum at http://secunia.com/community/forum/thread/show/150... which has more comments and advice from users.
Was this reply relevant?
+0
-0
macko1944 RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 18th Jul, 2014 10:39
Score: 0
Posts: 16
User Since: 20th Jul 2009
System Score: N/A
Location: CA
Hi, I have (according to Secunia scan) the wanted 4.30.2117.0 on my computer (Win 7 Home 32 bit). Yet the scan still shows 99%, the problem being the EOL for this program. I re-scanned and restarted several times since I downloaded both msxml6.msi and msxml6_SDK.msi, the second only after the Secunia re-scan still showed 99%. BUT TO NO AVAIL. Since this issue causes so much controversy and seems far from being solved, is there a chance that we will get the 100% rating WITHOUT a solution to this??? Or can one just mark it IGNORE and at that time the green dot will be back? Please pardon the simple wording - I am not computer savvy, only trying to get my computer right (according to Secunia ratings). Thank you!
Was this reply relevant?
+0
-0
PRSONO9 RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 18th Jul, 2014 14:38
Score: 0
Posts: 18
User Since: 7th Jan 2012
System Score: N/A
Location: UK
I am totally bemused by all this. I am running Windows 8.1 64bit.
I received the MSXML update notification from Secunia. I clicked on update and when the browser opened it showed MSXML 6 - 4 files for downloading. I was confused which files to download. After reading all the threads on this subject I decided to click on ignore the update. When I did this, I did a scan and all was 100%. I had a look at the installed programs in Secunia. There is no listing for MSXML 4 but there is for MSXML 6. When I open the Control Panel there is a listing for MSXML 4 SP3 Parser and MSXML 4 SP3 Parser kb2758694.
Should I be leaving things the way they are?
Was this reply relevant?
+0
-0
Anthony Wells RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Expert Contributor 18th Jul, 2014 22:42
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

If it helps , I have replied with my non-teccy understanding of things MSXML 4.0 to PRSON09 and others here on this thread :-

http://secunia.com/community/forum/thread/show/150...

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
PRSONO9 RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
Member 18th Jul, 2014 23:46
Score: 0
Posts: 18
User Since: 7th Jan 2012
System Score: N/A
Location: UK
Yes and very thankful I am.
Was this reply relevant?
+0
-0
inahut RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
New Member 19th Jul, 2014 18:41
Score: 3
Posts: 12
User Since: 19th Jul 2014
System Score: N/A
Location: US
Yes this link is most helpful
I recommend one heed the advice of Maurice Joyce
Was this reply relevant?
+0
-0
inahut RE: Microsoft XML Core Services Integer Truncation and XSLT Parsing Vulnerabilities
New Member 19th Jul, 2014 18:48
Score: 3
Posts: 12
User Since: 19th Jul 2014
System Score: N/A
Location: US
Quoting J.Vemmer:
Hi,

Microsoft has announced that the widely used Microsoft XML Core Services (MSXML) 4.x has reached the end of its lifecycle. The announcement was made back in 2013 (http://support.microsoft.com/gp/msxmlannounce), stating that April 12th 2014 was the EOL date. This is further supported by the official Microsoft Lifecycle Policy found here: http://support.microsoft.com/lifecycle/search/defa...

As a result, all versions of Microsoft XML Core Services (MSXML) 4.x will correctly be flagged as EOL by the Secunia products, recommending an upgrade to Microsoft XML Core Services (MSXML) 6.x, as stated in the Microsoft announcement.


Please be aware that MS itself does not recommend expunging MSXML 4.x from your installation of Windows, only that the latest version, MSXML 6.x, be installed, which Windows Update did for my computer back in April 2014; any deletion of previous versions of MSXML is not advised as long as one has the final versions of those previous iterations of MSXML; the differing versions are not incompatible. Therefore, the information provided here by Secunia is erroneous because it is not completely correct, insofar as it does not completely follow the information being provided for all to read by MS itself.
Was this reply relevant?
+2
-0
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144