Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: MSXML 4.0 Thread

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
M.Hansen MSXML 4.0 Thread
Secunia Official 16th Jul, 2014 10:24
Ranking: 188
Posts: 410
User Since: 26th Jan, 2009
System Score: N/A
Location: Copenhagen, DK
Hi Everyone,

It seems that the End-of-life state for MSXML 4.0 has caused a lot of confusion.

Microsoft has recently discontinued version 4 of MSXML and therefore it's recommended to remove it from your system if possible.

MSXML is usually uninstallable from the "Program and Features" menu in the Control Panel.
The entry is usually called "MSXML 4.0 SP3 Parser" or similar.
The MSXML might also be bundled with other program, right-click the MSXML entry in the Secunia PSI and select "Show Details" in order to locate the path of the files.

It's important to note that the other versions of MSXML can be installed at the same time, and installing a newer major version does not remove existing installations of MSXML.

The current supported versions of MSXML is: 3, 5 and 6.

ManFromOz RE: MSXML 4.0 Thread
Member 16th Jul, 2014 10:27
Score: 17
Posts: 101
User Since: 6th Jun 2012
System Score: 100%
Location: AU
So how would we find out what program/s may need it?
Was this reply relevant?
+0
-0
M.Hansen RE: MSXML 4.0 Thread
Secunia Official 16th Jul, 2014 10:28
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Usually programs will throw an error if they miss the MSXL version they require.
In most cases MSXML 6 should work as a replacement for MSXML 4.
ManFromOz RE: MSXML 4.0 Thread
Member 16th Jul, 2014 10:41
Score: 17
Posts: 101
User Since: 6th Jun 2012
System Score: 100%
Location: AU
Last edited on 16th Jul, 2014 10:41
Oh so just remove it and wait for the error?! That sounds like GREAT advice!

Well that was a waste of time. I uninstalled it (2 versions) rescanned it PSI still shows it located @ C:\Windows\SysWOW64\
Was this reply relevant?
+4
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 16th Jul, 2014 11:07
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 16th Jul, 2014 11:18
What EOL? Microsoft pointed me to here when I asked for clarification of their policy mainly that Mainstream Support ended on 12/4/2014 but Extended Support was under review.


https://1ncuig.bn1.livefilestore.com/y2pJOBy4YdfxX...

As far as I am concerned MSXML 4 version 4.30.2117.0 is alive and kicking.

Either way the advice being given by PSI is crass. Telling users that they have a programme that requires manually updating is totally misleading. MSXML version 4.30.2117.0 is managed by Microsoft visa Windows update & requires no assistance from Secunia.

MSXML 4 SP2 requires a manual update.

Secunia have muddied the waters - it is vital that those using MSXML 4 update to version 4.30.2117.0 ASAP.

Once that is achieved by all then further investigation will be required on the true status of MSXML4.

That clarification should come from MS not a third party vendor (unless that third party publish the actual correpondence with MS)

EDIT
I note that Jais Vemmer from Secunia has posted to other MSXML threads using the MS notifications I challenged. I think we require ACTUAL up to date data from MS - they are certainly telling me something different.




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+8
-0
ManFromOz RE: MSXML 4.0 Thread
Member 16th Jul, 2014 11:31
Score: 17
Posts: 101
User Since: 6th Jun 2012
System Score: 100%
Location: AU
on 16th Jul, 2014 10:24, M.Hansen wrote:
Hi Everyone,

It seems that the End-of-life state for MSXML 4.0 has caused a lot of confusion.


The confusion I have is because the download's System Requirements Secunia recommend does not show it is compatible with newer versions of Windows, even though I tried to install it.

Thankfully I have a clean recent image of my systems to fall back on.
Was this reply relevant?
+0
-0
M.Hansen RE: MSXML 4.0 Thread
Secunia Official 16th Jul, 2014 11:49
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi again,

@Maurice

According to this URL provided by Microsoft, MSXML 4.x is completely EOL:
http://support.microsoft.com/gp/msxmlannounce

NancyJ

RE: MSXML 4.0 Thread
[+]
This reply has been deleted
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 16th Jul, 2014 13:22
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
With respect that data was published in March 2013 & was one of the documents I referenced to MS.

https://1ncuig.bn1.livefilestore.com/y2pldD5Q6SyUC...

I was pointed to here for clarification:

https://1ncuig.bn1.livefilestore.com/y2pJOBy4YdfxX...

Users must choose what to believe - MS or Secunia. In my case MS but I have the advantage in that I do not have PSI installed on a permanent basis giving misleading information on what to do which is at the heart of the problem.

As can be seen elsewhere on the Forum PSI users have a varying degree of expertise in dealing with problems. Being presented with this has caused what Secunia describe as CONFUSION. Not surprised because SECUNIA created it.

https://1ncuig.bn1.livefilestore.com/y2pvrdo5FI823...

1. Why are you sending users to fetch MSXML 6 when they already have installed & secure?

2. What is important is that MSXML 4 SP2 is updated to the latest version if users want to retain it which is NOT made clear by Secunia.

3. If you check the Secunia Database for this product there is no indication of what is going on;

https://secunia.com/advisories/product/6472/?task=...

the product link within the Advisory takes you to MSXML 4 SP2 which is totally incorrect.

http://www.microsoft.com/en-us/download/details.as...

Mind Boggling!

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+15
-0
inahut RE: MSXML 4.0 Thread
Member 19th Jul, 2014 18:27
Score: 7
Posts: 12
User Since: 19th Jul 2014
System Score: N/A
Location: US
I have researched this problem on my own
I have examined the information MS provides about differing versions of MSXML
MS shows the differing versions are not directly incompatable
MS recommends installation of newest version
Newest version is 6.0
When one finds its exact location within the Windows directory one can see the versions listed in order, in my case as msxml3...4...6
The installation date I find for my msmxml6.dll and msxml6r.dll is 3-26-2014, as a result of MS update itself
I find the information provided by Maurice Joyce in this thread and in the thread titled "MSXML" to be more accurate than any information provided by Secunia voices
My research shows that Maurice Joyce in describing this problem in terms used by MS itself without leaving out any important variable or factor
In these two threads the voices representative of Secunia are not reproducing the information provided by MS in a completely accurate way.
I have followed the links and read the information to the best of my abiltiy
When I encountered Maurice Joyce's synthesis of the information it rang true and help me see the error being produced by Secunia PSI is incorrect, erroneous and at this point in time it is quite aggravating.
I have yet to uninstall Secunia but I must protest to Secunia that they need to stop this now.
Was this reply relevant?
+3
-0
famiy RE: MSXML 4.0 Thread
Member 19th Jul, 2014 18:58
Score: 0
Posts: 1
User Since: 19th Jul 2014
System Score: N/A
Location: DE
on 19th Jul, 2014 18:27, inahut wrote:
I have researched this problem on my own
I have examined the information MS provides about differing versions of MSXML
MS shows the differing versions are not directly incompatable
MS recommends installation of newest version
Newest version is 6.0
When one finds its exact location within the Windows directory one can see the versions listed in order, in my case as msxml3...4...6
The installation date I find for my msmxml6.dll and msxml6r.dll is 3-26-2014, as a result of MS update itself
I find the information provided by Maurice Joyce in this thread and in the thread titled "MSXML" to be more accurate than any information provided by Secunia voices
My research shows that Maurice Joyce in describing this problem in terms used by MS itself without leaving out any important variable or factor
In these two threads the voices representative of Secunia are not reproducing the information provided by MS in a completely accurate way.
I have followed the links and read the information to the best of my abiltiy
When I encountered Maurice Joyce's synthesis of the information it rang true and help me see the error being produced by Secunia PSI is incorrect, erroneous and at this point in time it is quite aggravating.
I have yet to uninstall Secunia but I must protest to Secunia that they need to stop this now.


Hi,

excuse me, everyone, but I'm not familiar with procedures like this. Secunia PSI told me today that I should update "Microsoft XML Core Services (MSXML) 4.x". When I click on it to update it sends me to a MS website where I can download "Microsoft Core XML Services (MSXML) 6.0 " in various versions.

When I right-clicked in Secunia and were looking for details, I found the directory where I can find the dll's.
I found:
msxml3.dll (26.03.2014, MSXML 3.0 SP11, Version: 8.110.7601.18431)
msxml3r.dd (26.03.2014, XML Resource, Version: 8.110.7601.18431)

msxml4.dll (08.11.2012, MSXML 4.0 SP3, Version: 4.30.2117.0)
msxml4r.dll (22.01.2009, MSXML 4.0 SP3 Resources, Version 4.30.2100.0)

msxml6.dll (26.03.2014, MSXML 6.0 SP3, Version 6.30.7601.18431)
msxml6r.dll (26.06.2014, XML Resources, Version 6.30.7601.18431)

I'm sorry, English is not my native language, so its not as easy to understand. In a post from Maurice Joyce I read, that " it is vital that those using MSXML 4 update to version 4.30.2117.0 ASAP". In another post he said he will try to find a way to help others. I'm sorry but I don't know what to do now, do I need to delete something, or do I ignore it.

I'm looking forward to hearing from you :)
Was this reply relevant?
+0
-0
inahut RE: MSXML 4.0 Thread
Member 19th Jul, 2014 19:58
Score: 7
Posts: 12
User Since: 19th Jul 2014
System Score: N/A
Location: US
on 19th Jul, 2014 18:58, famiy wrote:
Hi,

excuse me, everyone, but I'm not familiar with procedures like this. Secunia PSI told me today that I should update "Microsoft XML Core Services (MSXML) 4.x". When I click on it to update it sends me to a MS website where I can download "Microsoft Core XML Services (MSXML) 6.0 " in various versions.

When I right-clicked in Secunia and were looking for details, I found the directory where I can find the dll's.
I found:
msxml3.dll (26.03.2014, MSXML 3.0 SP11, Version: 8.110.7601.18431)
msxml3r.dd (26.03.2014, XML Resource, Version: 8.110.7601.18431)

msxml4.dll (08.11.2012, MSXML 4.0 SP3, Version: 4.30.2117.0)
msxml4r.dll (22.01.2009, MSXML 4.0 SP3 Resources, Version 4.30.2100.0)

msxml6.dll (26.03.2014, MSXML 6.0 SP3, Version 6.30.7601.18431)
msxml6r.dll (26.06.2014, XML Resources, Version 6.30.7601.18431)

I'm sorry, English is not my native language, so its not as easy to understand. In a post from Maurice Joyce I read, that " it is vital that those using MSXML 4 update to version 4.30.2117.0 ASAP". In another post he said he will try to find a way to help others. I'm sorry but I don't know what to do now, do I need to delete something, or do I ignore it.

I'm looking forward to hearing from you :)


If your directory shows the presence of MSXML.dll ... Version: 4.30.2117.0 then you look good; the presence of any earlier versions of MSXML are not, according to my best information, a problem; the fact that you have the latest version 6 shows that you are uptodate; if Secunia shows you to have an error simply because you have the two older versions of MSXML installed you do not have a problem, rather Secunia is wrong and if you follow the forums on Secunia about the past problems between Secunia and MSXML you will find their approach to it is NOT completely correct. To repeat, if you have the latest versions of any number MSXML, which you appear to have, then you are good, even if Secunia shows this to be, somehow, a problem.
Just to note: regarding all other programs that I use Secunia to help maintain such as Adobe and Oracle, Secunia does a very good job of alerting me when an update is due, which I always prefer to do manually rather than having the programs automatically update.

Also, as when TrueCrypt ended it support of its software encryption program Secunia showed this as a problem, as if one should delete the program's final version out of hand as intrinsically dangerous. A careful reading of security writers about the TrueCrypt event does not support that conclusion, so that in my opinion now the warning about TrueCrypt is misleading. --just as Secunia's approach to MSXML is misleading both in its System Score Status listing for MSXML and the forum posts by Secunia voices.

The main purpose of my use of Secunia is to maintain the newest secure versions of my programs, especially the ones that update on a frequent basis. Unless Secunia does something to upgrade its own research team it will probably continue to make mistakes. We all make mistakes don't we? Best recommendation here is to peruse the forums within Secunia for problems Secunia may itself have, and to protect your computer better by learning from our wiser members. If some recommendation by Secunia looks confusing then do some of your own research before going into your computer deleting stuff willy-nilly.

Was this reply relevant?
+1
-0
Gummiged RE: MSXML 4.0 Thread
Member 20th Jul, 2014 00:14
Score: 0
Posts: 1
User Since: 19th Jul 2014
System Score: N/A
Location: DK
I'm a bit confused though .. I'm going to keep version no. 4, but I would also like to download version no. 6.

But .. Whici of the four versions from MS website should I download?
http://www.microsoft.com/en-us/download/details.as...

If it makes any difference my computer runs Windows 8.1
Was this reply relevant?
+0
-0
steffens RE: MSXML 4.0 Thread
Member 20th Jul, 2014 00:58
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
NONE of them!

Look at the "System Requirements" info on the download page...
"Windows 2000 Service Pack 4, Windows Server 2003, Windows Server 2003 Service Pack 1, Windows XP Service Pack 1, Windows XP Service Pack 2"

Do you see ANYTHING relating to Win8? NO. So do NOT try to install ANY of the files from that page, else you risk messing up your system!

(Besides, if I understand correctly the many other postings on this topic, then MSXML6 IS already installed on your system, AND it is being kept up-to-date by MS Update, so there is NOTHING that you need to do at this point.)

HTH...
-- EstherD
Was this reply relevant?
+1
-0
steffens RE: MSXML 4.0 Thread
Member 20th Jul, 2014 01:11
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
In the unlikely chance that someone from Secunia is reading this forum...

Oh, Secunia! LOOK at the confusion you have caused by directing PSI users to a download page that they should NOT be visiting!

Such behavior may be "correct" in the sense that, yes, MSXML4 is technically EOL. However, it is hardly in keeping with the original philosophy of PSI3 to be the go-to utility for NON-TECHNICAL folks to use to help keep their systems secure!
Was this reply relevant?
+4
-0
ManFromOz RE: MSXML 4.0 Thread
Member 20th Jul, 2014 01:21
Score: 17
Posts: 101
User Since: 6th Jun 2012
System Score: 100%
Location: AU
Last edited on 20th Jul, 2014 01:27
Also - "The Secunia Personal Software Inspector (PSI) is a free computer security solution that identifies vulnerabilities in non-Microsoft (third-party) programs which can leave your PC open to attacks...."
Was this reply relevant?
+1
-0
steffens RE: MSXML 4.0 Thread
Member 20th Jul, 2014 02:25
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Thanks. Now I finally understand what Maurice meant in a posting to another MSXML4 thread when he wrote:
"Secunia should stick to their Modus Operandi & NOT get involved in matters beyond their remit & scope."

In other words, Secunia should NOT be advising users concerning things which are [rightfully] under MS's purview to manage through Windows Update as MS sees fit so to do.
-- EstherD
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 20th Jul, 2014 21:36
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
This post was created at the request of @Theophil & @taffy078 on another thread. It is posted here so that Secunia will see it & hopefully respond in a more positive way to help users.

At the time of writing this there are 7 other threads running on the subject of Secunia changing their stance on the status of MSXML 4 SP3. This changed on 14th July 2014 despite Microsoft (MS) declaring it End of Life (EOL) in April.

Secunia used two MS publications to justify their action - what is in dispute is whether MS will keep MSXML4 secure in the future as indicated by another document ignored by Secunia or whether it is truly EOL & has been totally abandoned.

By reading all the Forum posts on this matter it is clear that many users are confused on what to do because of the INCOMPETENT way Secunia have handled their belated declaration on the status of MSXML & a major design flaw within PSI which can/does confuse the unweary.

1. The known PSI design fault results in it being unable to differentiate the status of any item scanned & report accurately.
It cannot advise a user if a file or programme is EOL (discontinued - no fix available), EOL (fixable - with a link to the fix), Vulnerable (fixable - with link to the fix) or Vulnerable (No patch available - with advise from Secunia on best practise to secure a PC)

Two illustrations of this flaw are:

a. I have MSXML4 installed. If I mouse over my red tray icon I am informed that "You have a program that requires a manual update".

That advice IS TOTAL RUBBISH - MSXML 4 cannot be updated by MSXML 6.

b. SA59285 states clearly that VLC 2.1.4.0 is vulnerable but a scan with that version installed will give a clean bill of health. This is because NO PATCH is available so Secunia pat you on the back with a 100% score & leave you vulnerable until the vendor issues a patch.

2. Secunia appear to have abandoned their stated commitment to help despite the fact that it is their badly researched & outdated advice & PSI flaws,regardless of whether MSXML is EOL or not,that has lead to so many members asking for clarification.
https://1ncuig.bn1.livefilestore.com/y2ppdOvtcWRlF...


MSXML - A FEW DETAILS THAT MAY HELP

1. MSXML 6 & MSXML 3 are pre installed on Windows Vista/7 SP1/Windows 8 & 8.1 and the latest versions are supported. MSXML 3 is represented by msxml3.dll which helps to parse XML documents in IE.

FOR THIS REASON BOTH @ddmarshall & myself HAVE BEEN TRYING TO EXPLAIN THAT CARRYING OUT THE REMEDY SUBMITTED BY SECUNIA IS A COMPLETE WASTE OF TIME and may (although no cases appear to have been registered)destabilise a working system if activated.

MSXML 3 & 6 are managed by Microsoft and my advice is to leave them well alone - the versions numbers for each OS are different so be careful when reading other posts & trying to compare against your set up - let MS manage them via Windows Update.

2. MSXML 4 is slightly different. It is an independent version which has led to some confusion in the past. The security upgrade from MSXML4 SP2 to MSXML3 SP3 WAS NOT/CANNOT be completed via Windows Update. It must be done manually.

MSXML 4 is NOT native to Windows 7 or 8/8.1. If it is currently installed then a very old programme has been installed that requires the legacy features of MSXML 4.

MSXML 4 SP3 version number 4.30.2117.0 is the latest secure version which, if installed,will be the same version number for all OS's. This version is (was) also managed by MS via Windows Update.

MSXML 5 has been mentioned - it is supported but only required by those with MS Office 2007 - again managed by MS & requires no user action.

WHAT TO DO

Run a PSI scan & confirm MSXML 3 & 6 are still showing as present,correct & update to date. If that is the case then you should NOT take any notice of the advice given by anything Secunia.

If MSXML 4 is also present it MUST show as 4.30.2117.0 to be SECURE.

If MSXML 4 is not at version 4.30.2117.0 it must be MANUALLY updated to that version.

If you believe that MSXML 4 is truly EOL & has been abandoned by MS then after a Risk Assessment the options are:

a. Create an ignore rule.
b. Uninstall it - this option will of course cripple the programme(s) dependant on it.

In my case I like & will continue to use the programme that requires MSXML 4 so have chosen to ignore the EOL warning.

Does this help with other questions that have been raised on the Forum?

So how would we find out what program/s may need it?

Have you tried looking at Control Panel>Program & Features - sort the installs by date - are there any old programmes 2004/05/06/07 that match the date that MSXML 4 was installed because they are most certainly the one's.

Does anyone know how one can uninstall MSXML 4 (leaving 3 and 6 intact)?

You need to look at all the Forum threads to find an answer that you feel comfortable with using. Just be a little careful if you intend following the advice from a user who completed the task via the Registry.

Should all of the following be left on my system?

MSXML 4.0 SP2 (KB927978) 4.20.9841.0
MSXML 4.0 SP2 (KB954430) 4.20.9870.0
MSXML 4.0 SP2 (KB973688) 4.20.9876.0
MSXML 4.0 SP3 Parser 4.30.2100.0
MSXML 4.0 SP3 Parser (KB2758694) 4.30.2117.0

Yes if you intend retaining MSXML4.

Finally can I take the opportunity to thank Secunia Support for giving me the opportunity to miss 4 hours of the Open Golf being shown on British TV to do their job. I was always taught that if you create a mess you cleaned it up yourself or paid to have it done correctly.

Seems nothing has changed since I sent my doodle to an alleged Signatures Specialist by email recently after another piece of odd behaviour on the subject of scan results.

https://1ncuig.bn1.livefilestore.com/y2p6A0Ha5y_Ra...

Things can only get better which includes updating your blog entry on MSXML4!!!!

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+38
-0
jckinnick RE: MSXML 4.0 Thread
Member 21st Jul, 2014 00:45
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
"If MSXML 4 is not at version 4.30.2117.0 it must be MANUALLY updated to that version."


So which of the 4 files do I use from the Microsoft website?
Was this reply relevant?
+1
-0
steffens RE: MSXML 4.0 Thread
Member 21st Jul, 2014 00:47
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Oh, Maurice! It's another gem. +1 and thanks for all the work that you do. (I'd give you at least another +10 or so, if that were possible. ;)
-- EstherD
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 21st Jul, 2014 01:11
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@jckinnick
There are 3 possible solutions - to give you precise details I need to know the path PSI gives you to the version you have installed now.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
jckinnick RE: MSXML 4.0 Thread
Member 21st Jul, 2014 01:43
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
The path is C:\Windows\SysWOW64\msxmI4.dll
Was this reply relevant?
+1
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 21st Jul, 2014 08:27
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You have not given the current version number installed but this should update you.

The release note for MSXML 4 are here:
http://download.microsoft.com/download/A/2/D/A2D85...

This link gives the download required & instructions:

http://www.microsoft.com/en-us/download/details.as...

Once open select & activate the clearly marked download link called MSXML.MSI - 2.3 MB.

Once installed run & rerun Windows Update - there are some additional patches for MSXML 4 SP3.


On completion PSI will show MSXML 4 with version 4.30.2117.0 installed like this:

https://1ncuig.bn1.livefilestore.com/y2pk6dRL5p5_B...

That as far as you can go if you wish to retain MSXML 4.





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
PRSONO9 RE: MSXML 4.0 Thread
Member 21st Jul, 2014 10:45
Score: -1
Posts: 18
User Since: 7th Jan 2012
System Score: N/A
Location: UK
Unsubscribed
Was this reply relevant?
+0
-1
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 21st Jul, 2014 10:59
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@PRSON09

A little unsure why you keep tagging on to posts without adding any meaningful comments.

This is how the system works.

A thread originator cannot unsubscribe because(s)he remains in charge until finally closed (locked).

A thread can be locked in three ways.

a. By the originator clicking the Accept button within the post that helped the most.

b. By the originator clearly indicating that the thread can be locked - either Secunia Support or I can then lock it.

c. It will auto lock 7 days after the last post is made.

Posters/helpers can opt out of any thread by clicking this option:

https://1ncuig.bn1.livefilestore.com/y2pRrKd3Qwkk_...

Revised 09:52 21/07/2014

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
millwood RE: MSXML 4.0 Thread
Member 21st Jul, 2014 13:51
Score: 3
Posts: 26
User Since: 14th May 2008
System Score: N/A
Location: US
Be warned that quicken 2014 (and I assume earlier versions) depends on and installs mxsml4.
Was this reply relevant?
+1
-0

xaml

RE: MSXML 4.0 Thread
[+]
This reply has been minimised due to a negative Relevancy Score.
Anthony Wells RE: MSXML 4.0 Thread
Expert Contributor 21st Jul, 2014 17:03
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi Maurice ,

Just logged in to add 10 to your score on behalf of Esther :)))

On French TV , I was juggling (telecommande in one hand and (glass of) rosé in the other) between The Open , GP at Hockenheim and the TdF , so your MSXML "summary" could be described as a "labour of love" or "Love's Labour's Lost" unless Secunia come up with at minimum a case of Vintage and a nice Havana !!!

The way Support have left their PSI users in disarray in this and other documented cases is most alarming when considering the dangers of Internet infections which could be involved - speaking generally .

Salut .

Anthony





--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 21st Jul, 2014 17:33
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Anthony,
Agreed - If I was a CSI customer treated like this I would certainly want my money back on the basis the set up is not fit for purpose. Indeed I would never buy it - 40 hour week support max - no weekend operation - a joke in the modern world.

Why not head over to CSIS & pick up a copy of Heimdal. Interested to see what you think. - you have my email address.

https://heimdalsecurity.com/en/products

Once installed give it a run - does the same job as PSI but quicker. As a bonus create a support ticket to ask for more info on it - you will find an old friend of ours at the other end. Support questions are properly controlled by ticket allocation to set up a one to one dialogue not like the total shambles of Secunia who have a MAJOR & well documented communication problem.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 21st Jul, 2014 21:18
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 21st Jul, 2014 21:47
@xami
This thread is NOT really about updating MSXML 4 to a safe status. That should have been done years ago & I created a thread in August 2012 to help those who were struggling at the time.

https://secunia.com/community/forum/thread/show/13...

That advice remains extant & was recently updated to include Windows 8. @jckinnick asked for help on this thread & I gave him an abridged version of my original full bloodied solution.

I remain unsure of the point you are trying to make? Looks like a "Red Herring" to me.

Perhaps you did not read my solution correctly & have not understood my much larger post on MSXML which clearly states that once MSXML 4 SP3 is installed Windows Update manages all future updates. I have just physically retested the information I gave to @jckinnick. It remains valid proven by my test as follows:

1. Download MSXML 4 SP3 from here: http://www.microsoft.com/en-us/download/details.as...

2. Once open select & activate the clearly marked download link called MSXML.MSI - 2.3 MB.

That will install MSXML 4 SP3 to version 4.3.0.2100.0 onto the PC.

3. Run a full Windows Update manual scan - you will be offered KB2758694.

4. Install that update.

5. Reboot & then run a full PSI scan - it will reveal that version 4.3.2117.0 & will complain bitterly that it is EOL & users must update.

6. Control Panel> Programs & Features are populated as they should be with the correct version numbers.

To complete the test I used one of my test PC's - Windows 7 32 Bit.

To confirm - there is no requirement to manually update MSXML 4 SP3 - that was/is done by MS via Windows Update once version 4.3.2100.0 is properly installed manually

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+8
-1
steffens RE: MSXML 4.0 Thread
Member 21st Jul, 2014 23:15
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Agree with Maurice... In my (limited) experience, it is a rare case indeed when one has to install ALL of the intermediate updates to get current. Typically only the most recent update needs to be installed, because it subsumes and supersedes all the older ones. (MS seems pretty consistent about that.) And, as Maurice says, one can generally install just the base package, and then let MS Update do the rest. (MS seems quite good at that, too, so why not let them do all the hard work of figuring out exactly what is needed?!)
-- EstherD
Was this reply relevant?
+1
-0
Theophil RE: MSXML 4.0 Thread
Member 22nd Jul, 2014 00:18
Score: 0
Posts: 10
User Since: 24th Apr 2011
System Score: N/A
Location: DE
@Maurice

"Why not head over to CSIS & pick up a copy of Heimdal."

Done

--
Windows 8.1 64 Bit; Windows 7 Home Premium 64 Bit; Windows Vista Business 32 Bit
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 22nd Jul, 2014 07:45
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Do you have HP OfficeJet?

If so, here's a copy of the post by Erik M 21st July on this thread:
http://secunia.com/community/forum/thread/show/150...

"Hahaha I'm pretty sure that HP Officejet users will be very happy with the discontinuing of MSXML4 support. Especially when they try to perform a scan. This is of course only a problem when they remove msxml4.ddl .(all versions)"

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
jckinnick RE: MSXML 4.0 Thread
Member 22nd Jul, 2014 09:48
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
Im assuming I chose to modify when installing?
Was this reply relevant?
+0
-0
jckinnick RE: MSXML 4.0 Thread
Member 22nd Jul, 2014 09:52
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
I reran Windows Update and there weren't any new patch updates.
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 22nd Jul, 2014 12:42
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@taffy078

Yes I do - Two in fact. Looks to me like another "Red Herring" which has nothing to do with this thread.

https://secunia.com/community/forum/thread/show/15...

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+5
-0
jckinnick RE: MSXML 4.0 Thread
Member 22nd Jul, 2014 19:40
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
No Windows updates after install and Secunia still is at 99%.
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 23rd Jul, 2014 08:56
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thank you Maurice.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 23rd Jul, 2014 09:49
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@jckinnick
This thread is not really about updating MSXML4 to its top level of security. I gave you the detail because once users understand that updating from SP1 or SP2 to SP3 must be completed manually the rest of the updates are via Windows Update.

Clearly you have an issue. If you intend retaining MSXML 4 I suggest you create you own thread outlining the current problem for example:

a. Was everything MSXML showing as secure up until 14th July?
b. What OS are you using?
c. What details is PSI giving you - the path & current version number installed. Example - https://1ncuig.bn1.livefilestore.com/y2pdpZyETXNZa...

d. What do you mean by this? Im assuming I chose to modify when installing?
e. What bit of this does not appear to work for you?

https://secunia.com/community/forum/thread/show/13...

Once we get more detail maybe I or someone else will be able to assist you better.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
ManFromOz RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 11:34
Score: 17
Posts: 101
User Since: 6th Jun 2012
System Score: 100%
Location: AU
Well, I got sick of seeing 99% System Score so I chose to ignore MSXML 4.0 SP3 and although if I open PSI 2 it now clearly shows a 100% System Score, the tray icon still shows 99%.

Secunia, if I choose to ignore this program you should too!
Was this reply relevant?
+1
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 11:52
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 23rd Jul, 2014 11:54
Long time since I was last here, though Secunia PSI continues to disappoint by taking an inexplicably long time to run, on my machines ranging from Windows XP through Vista, 7 and 8.1, and an even more inexplicably long time to complete any updates it attempts, often infinity, until I have to wrest the update from its hamfisted attempts to achieve these, and give the job to Windows Update, FileHippo, Software Informer or the like, which tend to have rather more luck with them. And do their diagnoses and updates orders of magnitude quicker.

But there you go. As per Maurice's truly excellent summary, PSI is telling us that MSXML 4.x wants updating - and it is telling us to update it, not that it is EoL - and when you obediently click to do this it goes off and gets MSXML 6.x, and updates or installs that instead. And then continues to tell you that MSXML 4.x still wants updating :-(

Like many such Microsoft products, 6 is not a superset of 4, and programs that want 4 may not look for, and/or may not be satisfied with, 6. So while having 6 may be a good thing, fetching and installing it is no fix for the woes with 4 that PSI detects, be they real or imagined.

FWIW, my 4 is completely up to date - 4.30.2117.0, the SP3 version - but PSI is still unhappy with it. But what does PSI want me to do? Even if there's a vuln in 4.30.2117.0, PSI is not supposed to flag this up unless and until there is a fixed version. Which there clearly isn't, here.

Besides 4, I have 3, and now(?) 6, both flagged 26/03/2014, so updated then, I guess, and PSI has nothing bad to say about them.

But 4? Update? Can't update this, nothing to update to
Delete it? Well, I have no idea if I need 4 or not, but I think I can spare 1.5Mb more readily than the time I might spend worrying about what might stop if I remove it. Or even worse, fixing things if something does stop.

Ignore then? I see no other option here than to put MSXML 4 on PSI's Ignore list.

That is, unless PSI would like to fix their mess here? Please?

--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+2
-0
ManFromOz RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 12:12
Score: 17
Posts: 101
User Since: 6th Jun 2012
System Score: 100%
Location: AU
Last edited on 23rd Jul, 2014 12:15
on 23rd Jul, 2014 11:34, ManFromOz wrote:
Well, I got sick of seeing 99% System Score so I chose to ignore MSXML 4.0 SP3 and although if I open PSI 2 it now clearly shows a 100% System Score, the tray icon still shows 99%.

Secunia, if I choose to ignore this program you should too!


Thankfully a restart sorted my tray icon. It now shows CORRECTLY a System Score of 100%. ;)
Was this reply relevant?
+1
-0
JukEboXAuDiO RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 14:34
Score: 0
Posts: 4
User Since: 4th Dec 2008
System Score: N/A
Location: US
Latest thread I read says that this version is secure. When I click on the upgrade button through PSI 3.0 it takes me to the same version for install. I am also on x64 bit which is installed at C;\Windows\SysWOW\msxml4.dll on Windows 8.1 x64. What am I missing?
Was this reply relevant?
+0
-0
krischan111 RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 15:17
Score: 0
Posts: 2
User Since: 16th Apr 2014
System Score: N/A
Location: US
Here is my version how to deal with it (dirty hack):

I deinstalled every MSXML item in the add/remove programs from the control panel. I restarted Windows 7. Still there was the latest version of msxml4.dll/msxml4r.dll in the directory C;\Windows\SysWOW.

I put the 2 files into a password protected zip file (for backup purpose) and deleted them from the SysWOW directory. Until now, I didn't have problems with my applications.
Was this reply relevant?
+0
-0
JukEboXAuDiO RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 16:00
Score: 0
Posts: 4
User Since: 4th Dec 2008
System Score: N/A
Location: US
So is this program insecure or what? Why is secunia marking it insecure if the newest version is clearly not.
Was this reply relevant?
+0
-0
millwood RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 16:56
Score: 3
Posts: 26
User Since: 14th May 2008
System Score: N/A
Location: US
Last edited on 23rd Jul, 2014 16:56
Please read http://support.microsoft.com/gp/msxmlannounce

Note the date at bottom - July 20, 2014.

It says that msxml4 is end of life and will no longer get any updates as of April 12, 2014.

It does not say there is a known security exposure, but it does say that any future issues will not be dealt with. Is this true? Only time will tell.

Secunia PSI says msxml4 is end of life. It does NOT say it is insecure.

The problem is there is nothing the average user can do about it! Removing is requires actually removing files, as noted above. And if you are using a program like Quicken that needs it you can't remove it without breakage.

Worse, if you remove it then a program like Quicken will ask to be reinstalled, and when reinstalled will install a very old version of msxml4 - so old that Microsoft Update won't even update it to the latest version.

Bottom line - IMHO you should tell PSI to ignore the program and hope for the best. Alternately, you could hide the two files and then if something breaks unhide them to make sure you at least have the latest version.
Was this reply relevant?
+0
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 17:50
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 23rd Jul, 2014 17:54
on 23rd Jul, 2014 16:56, millwood wrote:
Please read http://support.microsoft.com/gp/msxmlannounce

Note the date at bottom - July 20, 2014.

It says that msxml4 is end of life and will no longer get any updates as of April 12, 2014.

It does not say there is a known security exposure, but it does say that any future issues will not be dealt with. Is this true? Only time will tell.

Secunia PSI says msxml4 is end of life. It does NOT say it is insecure.

.


So are we to take 'well prior to the formal end of support' to be minus three months, or did Microsoft possibly mean April 12th 2015?

And PSI isn't saying MSXML4 is End of Life. It lists it under 'Programs that need updating' and gives you a 'Click to update' prompt.

And even though I chose 'Ignore this program' and it went away immediately as a result, it came back when I reopened PSI since I had not done a subsequent Scan.

And now I have, and thus have a 100% score, I am still shown here as having only a 96% one. Why?

This is really all most unsatisfactory, on all sides.


--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 23rd Jul, 2014 18:40
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Is it being suggested that different versions of PSI are giving out different information to users?

The status being shown by PSI 3.0.0.9016 is here:

https://1ncuig.bn1.livefilestore.com/y2pjMrpPKikDF...

1. It clearly states MSXML 4.30.2117.0 is End of Life - debatable but looks like Secunia on not going to join the debate.

2. MSXML 6 DOES NOT replace MSXML 4 for a user so the two item I have highlighted in red are totally misleading & should be ignored.

3. The last known secure version is highlighted in yellow. It is important to update any that are not or uninstall it but that is not being covered in this thread.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 23rd Jul, 2014 18:41
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
@Midnight_Voice: And PSI isn't saying MSXML4 is End of Life. It lists it under 'Programs that need updating' and gives you a 'Click to update' prompt.

It shows End of Life on mine. What version of PSI are you using?

And now I have, and thus have a 100% score, I am still shown here as having only a 96% one. Looks like you've found another leak in the hull. I have the same problem but the other way around - I'm shown as 100% here but because of MSXML I'm actually 99%



--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
steffens RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 19:32
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
on 23rd Jul, 2014 16:56, millwood wrote:
Please read http://support.microsoft.com/gp/msxmlannounce

Note the date at bottom - July 20, 2014.

It says that msxml4 is end of life and will no longer get any updates as of April 12, 2014.


on 23rd Jul, 2014 17:50, Midnight_Voice wrote:
So are we to take 'well prior to the formal end of support' to be minus three months, or did Microsoft possibly mean April 12th 2015?


I'm quite sure I visited said page a week or so ago, i.e. prior to 20 July, when I was doing my due diligence research on MSXML. As of then, said page had an earlier revision date, which to the best of my recollection was sometime in 2013, possibly March or April, but I it may have been December. (So much data; so few brain cells to store them in. ;)

So that page has been revised since. And it seems MS did in fact give at least a few months advance warning to at least some select few of its customers, possibly Secunia among them.

[ Aside to MS -- When you update your pages, WHY cannot you leave a history trace of the revisions, so we can see: 1) When the original was issued; 2) When the last revision occurred; 3) How many revisions have occurred in between, and when they occurred. (Would be even nicer if there were change bars or some such so we could see exactly what was changed and when, but I'm sure that asking FAR too much! ]
Was this reply relevant?
+0
-0
MStefani RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 21:01
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
Last edited on 23rd Jul, 2014 21:04
Anybody...
Is there a statement from Secunia with any sort of explanation somewhere in here? There are multiple explanations from volunteers that seem to clearly explain the issue- if they are correct (and they certainly seem to be so, based on my research) then PSI has at least one fault to correct, if not a couple. EOL vs. active security issues, the continued presence of MSXML 4.0 in addition to 6.x and so on. I see the posts early in this thread but they do not address the issues excellently addressed by some of the senior and/or highly active forum participants.
Was this reply relevant?
+1
-0
jckinnick RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 22:47
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
on 23rd Jul, 2014 09:49, Maurice Joyce wrote:
@jckinnick
This thread is not really about updating MSXML4 to its top level of security. I gave you the detail because once users understand that updating from SP1 or SP2 to SP3 must be completed manually the rest of the updates are via Windows Update.

Clearly you have an issue. If you intend retaining MSXML 4 I suggest you create you own thread outlining the current problem for example:

a. Was everything MSXML showing as secure up until 14th July?
b. What OS are you using?
c. What details is PSI giving you - the path & current version number installed. Example - https://1ncuig.bn1.livefilestore.com/y2pdpZyETXNZa...

d. What do you mean by this? Im assuming I chose to modify when installing?
e. What bit of this does not appear to work for you?

https://secunia.com/community/forum/thread/show/13...

Once we get more detail maybe I or someone else will be able to assist you better.



When I turned my computer off it started updating.
Was this reply relevant?
+0
-0
steffens RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 23:52
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Last edited on 23rd Jul, 2014 23:54
These days, I don't very often run my legacy XP Pro SP3 laptop. Today was one of those days. ;)

So while I was in there doing other things, I decided to see what PSI2 was doing with MSXML4.

Yup, it still reports EOL, even tho I have the latest version installed.

Then it points me to MS Update, which seems correct on the face of it.

And if I hover my mouse pointer over the MS Update link, a tooltip pops up that says:
"This program is usually automatically updated using MS Update.
You can click this link to open the MS Update interface and manually request the updates are installed now."
(Sorry... Unlike Maurice and a few others, I don't have any convenient place to stash a screenshot, so a transcription will have to suffice.)

All's well so far. And in fact I'm thinking at this point that Secunia must have retained their EOL designation for MSXML4, but recently (and silently) FIXED their bogus update advice.

Nope.

Now the fun begins. If I click said link, I do NOT go to MS Update anything. INSTEAD, the MSXML6 download page dating from 2006 (!) opens in IE.

WRONG! WRONG!! WRONG!!!

Secunia, really! Whatever else you do (or don't do), YOU REALLY NEED TO FIX THAT BOGUS LINK ASAP! It's misleading many of the non-techies who rely on PSI, and driving all of us techies stark-staring MAD!

It's got to be a SMALL job. Keep the EOL, but fix the bloody LINK. PLEASE?! TIA...
-- EstherD
Was this reply relevant?
+0
-0
steffens RE: MSXML 4.0 Thread
Member 23rd Jul, 2014 23:58
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Has anyone (besides me ;) considered the possibility that all of the first-string Secunia staff have gone off on holiday, leaving the third- and fourth-stringers to mind the shop?!

In the USofA we have a saying that might be apropos: "Summer help... And some're not."
Was this reply relevant?
+2
-0
wr RE: MSXML 4.0 Thread
Contributor 24th Jul, 2014 00:24
Score: 308
Posts: 736
User Since: 30th Mar 2008
System Score: 100%
Location: US
^ +1 Me likey summer--some are not lol

--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.
Was this reply relevant?
+0
-0
olynt RE: MSXML 4.0 Thread
Member 24th Jul, 2014 02:39
Score: 0
Posts: 1
User Since: 24th Jul 2014
System Score: N/A
Location: DE
Dear SECUNIA-Community!

As introduction I have to say, that english is not my native language. So please excuse me, if I may sound kind of weird…!

I’ve been having the same problem, as prementioned (in several threads) here before…

My allegedly “problem” occurred on July 14th… but I didn’t find any time to care about it yet, until now…

I have to say: “THANX A LOT”, to Maurice Joyce!!!

It took me about 3 hours, to find helpfully informations! And I found them here!

I’m using the free version of PSI 2.0 (because I wanted to be able, to choose the installation-path).

So:

“Don't look a gift horse in the mouth!”
(…hmm… the rhyme is missing…)

…also nochmal auf deutsch:
“Einem geschenkten Gaul, schaut man nicht ins Maul“

I would appreciate it, if some users would “wash their fingers”, before they start to type!!!

Thanx again!

Kind regards

olynt
Was this reply relevant?
+0
-0
jckinnick RE: MSXML 4.0 Thread
Member 24th Jul, 2014 04:10
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
on 21st Jul, 2014 08:27, Maurice Joyce wrote:
You have not given the current version number installed but this should update you.

The release note for MSXML 4 are here:
http://download.microsoft.com/download/A/2/D/A2D85...

This link gives the download required & instructions:

http://www.microsoft.com/en-us/download/details.as...

Once open select & activate the clearly marked download link called MSXML.MSI - 2.3 MB.

Once installed run & rerun Windows Update - there are some additional patches for MSXML 4 SP3.


On completion PSI will show MSXML 4 with version 4.30.2117.0 installed like this:

https://1ncuig.bn1.livefilestore.com/y2pk6dRL5p5_B...

That as far as you can go if you wish to retain MSXML 4.



The version Secunia is showing is 43021170
Was this reply relevant?
+0
-0
steffens RE: MSXML 4.0 Thread
Member 24th Jul, 2014 04:37
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
on 24th Jul, 2014 04:10, jckinnick wrote:
The version Secunia is showing is 43021170


Then you're DONE with MSXML4, at least for the moment. Next... ;)
Was this reply relevant?
+0
-0
steffens RE: MSXML 4.0 Thread
Member 24th Jul, 2014 05:14
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
@olynt

Mostly I agree with you. However, Secunia has always used PSI as a gateway to the harder drugs... Uhhhh... strike that! I mean paid commercial software, both for ourselves, and for others to whom we might make recommendations in the course of our work. And that still seems to be true (if not more so) given what Marice posted recently in another thread about the PSI download page pimping for Google+ hookups.
https://secunia.com/community/forum/thread/show/15...

Furthermore, by giving PSI away for free, Secunia is reaping the benefit -- also free -- of thousands of eyes reading and researching security issues, debugging their software for free, and providing free user support, too. (You know who I mean! ;) Were it not for all that free labor, Secunia would have to hire more staff, and whatever profits they're making on their commercial offerings would plummet.

I've also always suspected that Secunia had hoped PSI3 would someday become a paid-for product catering to the vast unwashed sea of non-technical users once the initial kinks were straightened out. Again, by (exploiting?) the tireless (and free!) efforts of the user community here on this forum to do Secunia's dirty work.... Uhhh, I mean debugging.... for them.

I think Secunia chickened out on that plan once they realized exactly how hard it was to make automated updating work for unsophisticated users. Now they're stuck with a product that clearly needs additional work to "get it right", but which generates no revenue directly. Not what the bean counters want in this economy.

Hence, PSI languishes: too valuable to kill outright, but too expensive and not profitable enough to justify the expenditure necessary to rework it.

In closing, I'll take the liberty of stretching your metaphor way beyond the breaking point...
Secunia has indeed given us a GIFT HORSE,
but we are using it to PULL THEIR CART,
so they should PAY ATTENTION TO US when we tell them
that their horse has DRAGGED US INTO THE WEEDS,
or FALLEN INTO A DITCH and it cannot get up!

My $0.02...
-- EstherD
Was this reply relevant?
+3
-0
steffens RE: MSXML 4.0 Thread
Member 24th Jul, 2014 07:07
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Apologies for posting again so soon, but this might be relevant: If you want some insight into why Secunia is taking such a hard line on MSXML4, perhaps you need look no farther than this article...

Report: Old bugs in Microsoft XML still haunt users, program 'most exposed'
Danielle Walker, Reporter, SC Magazine, July 18, 2014

Excerpt:
... Last week, vulnerability management firm Secunia released its Q2 2014 stats on vulnerable software, which it determined using its security scanner PSI. In the U.S., Microsoft XML Core Services 4 was said to pose the biggest risk to PC users, due to its market share and number of users running unpatched software. ...

Read the rest yourself. Download the Secunia report (PDF). See what you think...
http://www.scmagazine.com/report-old-bugs-in-micro...

Left unstated in the article is the rather-obvious reason why MSXML4 tops the list of unpatched software, namely the arcane procedure that MS requires to bring it up-to-date.

Furthermore, add another item to my list of freebees that Secunia gets from us PSI users: the raw data they need for publicity and marketing purposes!
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 24th Jul, 2014 11:05
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
A friend of mine (to whom I recommended PSI a while ago but she ignored the advice) has just asked me for advice on a problem with MSXML. It's this one.

She sent me this link http://forums.moneysavingexpert.com/showthread.php...

Aren't I glad that we have Maurice advising us rather than some of the people in the thread!!



--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 25th Jul, 2014 17:32
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 25th Jul, 2014 17:43
on 23rd Jul, 2014 18:40, Maurice Joyce wrote:
Is it being suggested that different versions of PSI are giving out different information to users?

The status being shown by PSI 3.0.0.9016 is here:

https://1ncuig.bn1.livefilestore.com/y2pjMrpPKikDF...

1. It clearly states MSXML 4.30.2117.0 is End of Life - debatable but looks like Secunia on not going to join the debate.

2. MSXML 6 DOES NOT replace MSXML 4 for a user so the two item I have highlighted in red are totally misleading & should be ignored.

3. The last known secure version is highlighted in yellow. It is important to update any that are not or uninstall it but that is not being covered in this thread.


1. My mistake, sort of. I'm using 3.0.0.9016 (in answer to taffy078 asking), but I was looking at the icon view, which does not say anything about EoL. Or maybe we should regard that omission as Secunia's mistake?

2. Yes. It should not be offering 6 as a replacement for 4, any more than Net 4.5 replaces Net 2.0.

3. Yes


--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+0
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 25th Jul, 2014 17:55
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 24th Jul, 2014 07:07, steffens wrote:
Report: Old bugs in Microsoft XML still haunt users, program 'most exposed'
Danielle Walker, Reporter, SC Magazine, July 18, 2014

Excerpt:
... Last week, vulnerability management firm Secunia released its Q2 2014 stats on vulnerable software, which it determined using its security scanner PSI. In the U.S., Microsoft XML Core Services 4 was said to pose the biggest risk to PC users, due to its market share and number of users running unpatched software. ...

Read the rest yourself. Download the Secunia report (PDF). See what you think...
http://www.scmagazine.com/report-old-bugs-in-micro...

Left unstated in the article is the rather-obvious reason why MSXML4 tops the list of unpatched software, namely the arcane procedure that MS requires to bring it up-to-date.



As far as I can see from this article, Secunia were concerned about the users who were running old versions of MSXML 4.0, and not about those users running the latest version of it.

Can anybody tell me why Secunia regards EoL programs for which there are no replacements, but which have no reported insecurities, as insecure? They might as well regard every program, EoL or not, as insecure.

(In fact, they probably do, on the Michael Buble principle of 'I Just Haven't Met You Yet', but they don't rub our faces in those, as it would be pointless).


--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+0
-0
Anthony Wells RE: MSXML 4.0 Thread
Expert Contributor 25th Jul, 2014 18:52
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Jul, 2014 19:15
Hello ,

I find that it is easy to allow my/our prejudices and pre judgments to colour my/our objective analysis of perceived data : eg : why would Secunia promote Google + ?? Probably because Facebook and Twitter don't/won't pay for promotion but G + will ?? Business is business :(( ?? IT security is important to all kinds of users :)) ?? Who knows !!

However , if you consider the following you can let your colourful imagination(s) run riot :-

The Company->About link at the bottom of this page takes you here :-

https://secunia.com/company/?

and if you scroll down and follow up Jesper Johansen (CEO of Secunia and partner in DKA Capital) you will find (hopefully , or take my word for it) that DKA II took Secunia into their portfolio in October 2010 and DKA Capital took up 75% of DKA II in 2011 .

EDIT: Sorry , forgot this link :-

http://secunia.com/company/news/the-leading-privat...
If you look here :-

https://secunia.com/products/consumer/PSI/sys_req/

you will see the PSI changelog and development timeline and then ask , maybe :)) ;-

1)Was the Forum input into the PSI version 2.x (2010/2011) more effective/better handled/reported than the input into 3.x (2011+)??

2)When did the renowned poor SecuniaSupport response timing become very poor and then non-existent ??

3)Why did Secunia allow full release of 3.x -in principle a worthy product - when it was obviously still a Beta (probably an Alpha) and is still (??) unfit for new users , other than the small business model .

4)etc., etc.

Have fun and take care

Anthony


--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+4
-0
steffens RE: MSXML 4.0 Thread
Member 25th Jul, 2014 21:03
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
on 25th Jul, 2014 17:55, Midnight_Voice wrote:
As far as I can see from this article, Secunia were concerned about the users who were running old versions of MSXML 4.0, and not about those users running the latest version of it.


Let's assume that's true -- and I think it is, at least in part.

Imagine that you are a security company (like Secunia). Imagine further that you already have a tool (like PSI) that you think could be helpful to those users who are running obsolete (and vulnerable!) versions of MSXML4. Finally, imagine that you have extensive data on the insecure state of most MSXML4 installations, that you are really concerned, and that you want to do something.

Now ask yourself: Which of the following is the more appropriate response?

1) Figure out a way to use your tool to alert those users who still have vulnerable MSXML4 installations, and (if possible) to help them get their MSXML4 installations into a current (updated) state, perhaps by replacing the arcane procedure that MS requires with something simpler.

2) Use your tool to alert the users who already have current MSXML4 installations, and insisting that they must upgrade from MSXML4 to MSXML6 in order to be "really secure", and then directing them to a page full of obsolete MSXML6 downloads that will (supposedly) help them perform that technically-impossible task.

Now... Ask yourself which one Secunia has done.
Was this reply relevant?
+4
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 26th Jul, 2014 11:24
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
@steffens

I probably should have said, more exactly 'The article concerned itself with......'

Which leads to two questions that complement yours:-

(i) If a reader of that article at the time, with a vulnerable copy of MSXML 4.0 had installed PSI 3 and run it, would it have given him an update link for MSXML 4.0 that took him to where he could easily update to the latest copy, or perhaps even have done the update for him?

and (the biggie)

(ii) If a reader of that article now, with a vulnerable copy of MSXML 4.0 installs PSI 3 and runs it, would it give him an update link for MSXML 4.0 that takes him to where he can easily update to the latest copy, or perhaps even do the update for him?

Even if after that, it still does the EoL thing we see? Or will someone with a vulnerable MSXML 4.0 still be offered only a link to 6, and be left with that vulnerable 4 still live on their machine?

--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+0
-0
M.Kristensen RE: MSXML 4.0 Thread
Secunia Official 28th Jul, 2014 08:36
Score: 0
Posts: 1
User Since: 10th Jul 2013
System Score: N/A
Location: Copenhagen, DK
HI All,

Microsoft has announced MSXML 4 ( Microsoft XML Core Services) as EOL (End Of Life) and recommends MSXML 6.0 as the upgrade path - https://support.microsoft.com/gp/msxmlannounce

Being EOL, MSXML 4 will no longer receive security updates from Microsoft and is therefore a possible security threat. Thus, Secunia cannot list any versions of MSXML 4 as secure versions.

Updating to MSXML 6.0 does not uninstall MSXML 4, therefore you have to remove it manually.
Right-click the MSXML 4 entry in the Secunia PSI and select "Show Details" in order to locate the path of the files.

Deleting the files can cause some programs to stop working properly if they depend on MSXML 4, so only do so at your own risk.

Choosing to let the Secunia PSI ignore the MSXLM 4 warning leaves you at a possible security threat and is not recommended.
taffy078 RE: MSXML 4.0 Thread
Contributor 28th Jul, 2014 09:15
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
thank you for this but I'm still confused. Probably Microsoft's fault.
My immediate reactions:
(1) The link says Microsoft "is announcing . . . today" (July 20th) then says it will coninue to support MSMXL 4.0 . . until April 12th 2014"!!
(2) There's no link to v6 so I googled. Not sure if you'll be able to see the page here http://nortonsafe.search.ask.com/web?q=msmxl%20v6&...

but if you can't, let me say that there is a list of links back to 2006 and versions ranging from v6.0 to v6.10.

So I next went to Microsoft's Fix-it site http://support.microsoft.com/fixit/ - another chocolate teapot.

Finally I went to http://support.microsoft.com/?ln=en-gb. No results.
Microsoft's site suggested a link to msxml v6 which I clicked on and then it said "No search results". How the *!%^** do I install it?

(3) You advise me to uninstal v4 to prevent future security threats but then you say I will do so at my own risk because removing it "can cause some programs to stop working properly."

I appreciate that you are not Microsoft but haven't you got any clout to suggest to them that they must come up with a clearer fix.
Imagine a car manufacturer telling users that a fault could result in the brakes failing if they turn to the right so 'only turn to the right at your own risk'.

This really is complete nonsense as far as I'm concerned. I await the views of those here who know what they're talking about. Bah humbug - in Victor Meldrew mode now.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 28th Jul, 2014 09:24
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
and to make matters worse, I now find that I already have MSXML v6:

Microsoft XML Core Services (MSXML) v6.30.7601.18431 and
Microsoft XML Core Services (MSXML) v6.30.7601.18431 (64 bit).

I also have two similarly described v3.x, but shown as 8(not3).110.7601.18431. I still don't understand why v4 is EoL but the earlier version 3 isn't.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 09:48
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 28th Jul, 2014 09:50
This has got NOTHING to do with MICROSOFT. MICROSOFT bashing is NOT THE ANSWER.

The difference between MSXML 3,4 5 & 6 are explained in this thread.

MSXML 3 & 6 are required & preinstalled by MS in Vista, Windows 7 & 8 & still supported.

MSXML 5 is for MS Office 2007 users only.

MSXML4 is standalone & is EOL/DISCONTINUED/DEAD/UNSUPPORTED/call it what you like just like Windows XP.

The problem is the ADVICE SECUNIA are giving users.

It is INCORRECT as is the INFORMATION that PSI gives due to POOR design. They still do not get it - if they want to be the mouthpiece for MS they must do their homework & inform users of the correct cause of action which IS NOT to update to MSXML6 which is ALREADY INSTALLED.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 28th Jul, 2014 10:08
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 28th Jul, 2014 10:09
on 28th Jul, 2014 09:48, Maurice Joyce wrote:
This has got NOTHING to do with MICROSOFT. MICROSOFT bashing is NOT THE ANSWER.. . .

The difference between MSXML 3,4 5 & 6 are explained in this thread . . . .

The problem is the ADVICE SECUNIA are giving users.. . .



Thank you for explaining what the various versions do, Maurice.

As you know, I'm spectacularly unqualified to comment on all this technical trampolining. My comment "Probably Microsoft's fault" was because they announced this as EoL but they 'will continue support' until a date that was three months' earlier! Unprofessional.

And nowhere on their site could I find how to download/install v6. Unhelpful.

But for Secunia to tell me that I 'must remove v4 but if I do . . . . it's at my own risk because some programs might rely on it' is inadequate. Shouldn't they at least give us a clue how we can check?

May I ask a technical question: Would such programs have v4 installed within them or do they search for it elsewhere on my PC every time I start them?

Edit: Typo

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 10:21
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I still do not understand why MS are unprofessional - they announced EOL would be April 2014.

Secunia have only just latched on to this fact & have belatedly changed the MSXML status then made A COMPLETE NONSENSE of explaining to users the best course of action.

Have I missed something?





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 28th Jul, 2014 10:30
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 28th Jul, 2014 10:31
Re "Would such programs have v4 installed within them or do they search for it elsewhere on my PC every time I start them?".

What I'm getting at is I presume that within the program (that needs v4) will be a command saying in layman's terms "look for msmxl v4 and use it".

When PSI scans does it just look at a description/title of each program i.e. name and version number, rather than actually check each line of every program? If it does, then how can it tell if someone had picked up a trojan that is buried within one of the latest versions of a program? Can it find these, in fact?

Edit: correct embolden instructions


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 28th Jul, 2014 10:37
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 28th Jul, 2014 10:38
on 28th Jul, 2014 08:36, M.Kristensen wrote:
HI All,

Microsoft has announced MSXML 4 ( Microsoft XML Core Services) as EOL (End Of Life) and recommends MSXML 6.0 as the upgrade path - https://support.microsoft.com/gp/msxmlannounce

Being EOL, MSXML 4 will no longer receive security updates from Microsoft and is therefore a possible security threat. Thus, Secunia cannot list any versions of MSXML 4 as secure versions.

Updating to MSXML 6.0 does not uninstall MSXML 4, therefore you have to remove it manually.
Right-click the MSXML 4 entry in the Secunia PSI and select "Show Details" in order to locate the path of the files.

Deleting the files can cause some programs to stop working properly if they depend on MSXML 4, so only do so at your own risk.

Choosing to let the Secunia PSI ignore the MSXLM 4 warning leaves you at a possible security threat and is not recommended.


Only a company representative could be blind to how deeply unsatisfactory this reply is :-(

The Microsoft advice to stop using MSMXL 4.0 and upgrade to MSXML 6.0 is excellent - for the developers of products that currently operate on MSXML 4.0

But it is pointless for the users of products that currently operate on MSXML 4.0, since upgrading to MSXML 6.0 will not cause those products to dynamically switch to using 6.0 at all.

Instead, unless and until those products are upgraded by their developers, they will continue to look for the MSXML 4.0 dlls, irregardless of whther they are secure or insecure, and will fail if those dlls have been uninstalled by users anxious to keep their machines as safe as Secunia advises.

Secunia should therefore not be offering 6.0 as an upgrade for 4.0 unless, by some arcane magic they know that the person running PSI is a developer planning to replace 4.0 in his/her product(s) with 6.0. (Which of course they won't, and the developer will have a Microsoft subscription anyway, so will probably have 6.0 already).

If Secunia are really worried about MSXML 4.0, though, they need to determine which products use it (I think someone mentioned Quicken?) and flag those as insecure, and not just the dll, several layers down in the mix, that causes this insecurity.


--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+3
-0
Midnight_Voice RE: MSXML 4.0 Thread
Member 28th Jul, 2014 11:58
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 28th Jul, 2014 12:06
on 28th Jul, 2014 10:30, taffy078 wrote:
Re "Would such programs have v4 installed within them or do they search for it elsewhere on my PC every time I start them?".

What I'm getting at is I presume that within the program (that needs v4) will be a command saying in layman's terms "look for msmxl v4 and use it".

When PSI scans does it just look at a description/title of each program i.e. name and version number, rather than actually check each line of every program? If it does, then how can it tell if someone had picked up a trojan that is buried within one of the latest versions of a program? Can it find these, in fact?

Edit: correct embolden instructions


Once compiled, programs don't have lines, as such. But looking for Trojans is the business of AV programs, not PSI.

PSI scans the properties of each program it encounters, and bases its decisions on those. One of its strengths - or perhaps its weaknesses - is that it does not look at the registry at all, so it has no idea if a program it finds is active on your system, or just an old archive copy that is no longer in use. And thus no idea at all of where it might be used, if indeed it is used at all.

Indeed, it used to religiously report older versions it found, even when you had a later version present - annoying with something like Chrome or Java where old versions can be kept by the install program of a new version, even if it undoes every hook to them in the registry - but now operates on the basis that if you have a newer version, then that is probably the one you are using, so older versions aren't flagged.

(Unless we are talking about MSMXL 4.0 where Secunia are schizophrenically both aware and not aware that 6.0 is not a user replacement for 4.0)

I imagine that programs like FileHippo Update Checker drive off the registry, which is why they go about 100 times faster than PSI.

Doesn't explain how my AV (as above) which does scan every byte of my programs, and compares them with thousands of virus signatures, can operate so much faster than PSI though, when all that has to do is collect a bunch of properties and compare those one-to-one with a database at Secunia.

--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Was this reply relevant?
+3
-0
xaml RE: MSXML 4.0 Thread
Member 28th Jul, 2014 16:56
Score: -5
Posts: 4
User Since: 15th Oct 2008
System Score: N/A
Location: N/A
Last edited on 28th Jul, 2014 16:57
on 21st Jul, 2014 21:18, Maurice Joyce wrote:
@xami


You see, hardly anything in this topic is a "red herring", or something which draws attention from the main issue, as long as it is related to MSXML appearing as unpatched – there is no differentiation between end of lifecycle and vulnerable as there being a vulnerability – in Secunia Personal Software Inspector.

I have read what you wrote. I have understood it. But I also get the feeling that you seem to enjoy talking down to persons in your role as... contribution handler.

Finally, it is not correct that MSXML at version 4 Service Pack 3, or 4.30.2100.0, will update via Windows Update. It will not. When I noticed MSXML in Secunia Personal Software Inspector about a week ago, I checked the details and I also ran a Windows Update scan, which did not show any results. The three security updates to MSXML 4 Service Pack 3 at version 4.30.2100.0 need to be downloaded and applied manually. Needless to say that the entry as vulnerable persists, even at version 4.30.2117.0.

And yes, it's "xaml", not "xami", so I obviously take this incredibly personal.
;)
Was this reply relevant?
+3
-4
xaml RE: MSXML 4.0 Thread
Member 28th Jul, 2014 17:08
Score: -5
Posts: 4
User Since: 15th Oct 2008
System Score: N/A
Location: N/A
on 23rd Jul, 2014 16:56, millwood wrote:
Secunia PSI says msxml4 is end of life. It does NOT say it is insecure.


Nowhere in the program does it say that the program is end of lifecycle. The section for programs in red reads "programs that need attention". As long as there is no differentiation, one is best advised to treat such a program as vulnerable. The whole issue in this case is that there are two security updates and one update for the program in question, yet Secunia both still lists it, even if all available updates are installed, as well as directing users to download a newer version of the program, even though this does not install over the program in question.
Was this reply relevant?
+3
-3
xaml RE: MSXML 4.0 Thread
Member 28th Jul, 2014 17:11
Score: -5
Posts: 4
User Since: 15th Oct 2008
System Score: N/A
Location: N/A
on 22nd Jul, 2014 09:52, jckinnick wrote:
I reran Windows Update and there weren't any new patch updates.


That is because the three updates there are, from 2009, 2012 and 2013, need to be downloaded and installed manually. I have listed the three download links in an earlier post. And was greeted with the same old copy and paste answer which seems popular in this threat, I mean thread.
Was this reply relevant?
+2
-3
taffy078 RE: MSXML 4.0 Thread
Contributor 28th Jul, 2014 18:24
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice. I looked at the link posted by Secunia this morning and the date gave the impression that the MS Support ended three months before the announcement of the EoL. If in fact the original announcement was made before February then it would have been far better/more professional had they changed the text (about when support ended) when they reviewed/changed their announcement last week.

Thanks Midnight_Voice for those explanations.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 19:16
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@taffy 078
It is possible you missed this on a post from me right at the beginning.

https://1ncuig.bn1.livefilestore.com/y2pldD5Q6SyUC...

As can be seen the last review by MS was Mar 2013 which was stated on the caption - they merely changed the review date when you read it no doubt after many enquires for clarification. I challenged the EOL review date & was given what now appears was incorrect information.

The information I am personally using now is here (bottom post)

https://secunia.com/community/forum/thread/show/15...

To me there are NO lingering doubts that MSXML 4 is EOL/DEAD/DISCONTINUED. It has no replacement & users must understand there COULD repeat COULD be a risk in the future in that MS will not issue any enhancements or security patches. That is the message Secunia have got to get across by changing the way PSI is reporting the problem. As can be seen here MS Money 2005 is showing differently to MSXML 4 but they are both EOL/DEAD/DISCONTINUED.

https://1ncuig.bn1.livefilestore.com/y2pSfrabJwhpG...

MSXML should show as per MS Money then no one can doubt that MSXML 4 is truly DEAD rather than implying that MSXML can be updated by MSXML 6.

To me, Microsoft gave fair warning - sadly Secunia were slow on the uptake & gave, & continue to give, incorrect information about the whole saga hence additional threads are being created seeking help.

Does that clarify it a bit more?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
1_more_shield RE: MSXML 4.0 Thread
Member 28th Jul, 2014 19:42
Score: 3
Posts: 5
User Since: 20th Mar 2011
System Score: N/A
Location: US
Last edited on 28th Jul, 2014 19:44
Maurice,

I just want to say thank you for your outstanding support. As soon as I get into one of Secunia do loops, I search for your response to the issue. I don’t know how many hours I wasted in the past before finding your support.

Bill
Windows 7 Home Premium, SP1, 64-bit, OS
Dell Inspiron 580 Intel Core i3
16GB RAM
(member long before 2011)
Was this reply relevant?
+3
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 20:35
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Thank you. Pleased I can help in some small way.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
MStefani RE: MSXML 4.0 Thread
Member 28th Jul, 2014 21:44
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
A very strong way you or Secunia could help would be by helping us determine what applications might be dependent on MSXML 4.0

I did see a suggestion above to look at items installed at or near the same time (in the windows uninstaller) which, at least for me, provided no significant help.
Was this reply relevant?
+0
-0
MStefani RE: MSXML 4.0 Thread
Member 28th Jul, 2014 21:46
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
on 28th Jul, 2014 19:42, 1_more_shield wrote:
Maurice,

I just want to say thank you for your outstanding support. As soon as I get into one of Secunia do loops, I search for your response to the issue. I don’t know how many hours I wasted in the past before finding your support.

Bill
Windows 7 Home Premium, SP1, 64-bit, OS
Dell Inspiron 580 Intel Core i3
16GB RAM
(member long before 2011)


Ditto
Was this reply relevant?
+0
-0
MStefani RE: MSXML 4.0 Thread
Member 28th Jul, 2014 22:12
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
on 28th Jul, 2014 21:44, MStefani wrote:
A very strong way you or Secunia could help would be by helping us determine what applications might be dependent on MSXML 4.0

I did see a suggestion above to look at items installed at or near the same time (in the windows uninstaller) which, at least for me, provided no significant help.


Edit: an idea...
Rename msxml4.dll to msxml4.old

Then wait to see what fails to operate, or complains...

Comments?
Was this reply relevant?
+13
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 22:44
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You just beat me to it - here is my submission.

Thank you. A bit of a tall order trying to find programmes that could be dependant on MSXML 4.

In practice PSI should be showing you. If a programme is dependant on MSXML 4 then by default that programme must also be EOL as well.

Trouble is Secunia does not know when a programme is EOL unless they stumble on the fact or a user informs them. It took them 3 months to catch up with the MSXML declaration which gives some idea of the difficulty.

It could be that some have got MSXML 4 installed but have removed the dependant programme.

That said, I will try researching a bit more to see if I can help.

In the interim there is something everyone can try. PSI gives a path to where the file is that for any vulnerable/EOL items. Follow that path - in my case it looks like this:

https://1ncuig.bn1.livefilestore.com/y2pmY_fFUElFS...

The green highlighted files are the ones PSI can see.

MSXML4r.dll is the file that was installed manually to update MSXML 4 SP2.

MSXMLa.dll & MSXML4.dll were updates installed by Windows Update.

Rename those files .OLD - for example MSXML4r.dll can be renamed MSXML4r.dll.OLD

Once complete PSI will go green & give a genuine 100% score. In slow time test each programme you have installed - if any fail then you have the answer.

There is no hurry to complete this action - there is NO suggestion that MSXML 4 SP3 V 4.30.2117.0 is vulnerable.

If you do manage to find the programme & wish to keep it & MSXML 4 then simply reverse the renaming action.

Hope this helps a bit more.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+6
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 23:00
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@xaml

Is it surprising that members are voting to close your ranting. They are MISLEADING posts & it clearly shows you have not done any research at all.

1. You seriously mislead @taffy078 with your entry on HP Printers & I assume he rightly marked your entries accordingly.

2. Members are now voting on your latest ramblings. You really should check your facts before posting. Secunia were correct in their Blog about MSXML 4 - it is here & makes it CRYSTAL CLEAR that once SP3 is installed manually Windows Update will keep it updated. In other words ONLY MSXML 4 SP2 requires MANUALLY updating to MSXML 4 SP3 before Windows Update kicks in.

The Blog is here:
https://secunia.com/blog/why-microsoft-xml-core-se...

and the relevant bit is here:

https://1ncuig.bn1.livefilestore.com/y2p30U0YP2Qg9...

MSXML version 4.30.2110.0 was SP 3 - since then MS have kept it up to date which now stands at 4.30.2117.0.

Are you seriously trying to inform the Forum that:

a. The Blog by Secunia is incorrect? If so why have you not commented before as it is over a year old?

b. That the abridged version of the update solution I produced for @jckinnick from my original thread of 2+ years ago is incorrect? If so, how do you account for so many members using the solution in the past & fixing the problem? How do you also explain that I retested the procedure after your last INCORRECT submission on this thread about manual updates & it worked perfectly on my Windows 7 32Bit test PC?

c. Are you suggesting that I have joined your club & make it up as I go along?

Unlike you I do not normally vote with my 25 point allocation which includes those who write misleading & factually incorrect claptrap like you.

Personally I could not give a fig on what you think about me - I stand by what I write which I research & where possible test before submission to the Forum. Members can then vote accordingly. Try my formula - it is not rocket science.

Reply if you like but I will not respond - a complete waste of my valuable time.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+11
-0
MStefani RE: MSXML 4.0 Thread
Member 28th Jul, 2014 23:15
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
Last edited on 28th Jul, 2014 23:18
on 28th Jul, 2014 22:44, Maurice Joyce wrote:
You just beat me to it - here is my submission.

Thank you. A bit of a tall order trying to find programmes that could be dependant on MSXML 4.

In practice PSI should be showing you. If a programme is dependant on MSXML 4 then by default that programme must also be EOL as well.

[snipped]

Hope this helps a bit more.

Great, thanks. My fear was that renaming them (thus effectively removing them at least temporarily) might crash something functional in windows which would therefore prevent me from undoing the change...
I've done the rename and will post any detected issues here.
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 28th Jul, 2014 23:31
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@xaml

A correction to my last post - on double checking I note it was not you that mislead @taffy078 re HP printers. My apologies.

The remainder of the post stands as written.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 29th Jul, 2014 09:00
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 29th Jul, 2014 09:11
@Maurice 28th July 19:16. I vaguely remember earlier comments about the actual date of the MS notice being pre-February. Having looked again, I now find that both you and steffens pointed it out.

If I were a boss of a small business whose IT guy had suggested taking up CSI, the first thing that I would do would be to look at the PSI forum to 'get a flavour'. And if I did, I would not be at all impressed by the fact that so many (most? all?) of your constructive, helpful and correct criticisms of Secunia are totally ignored by them. It never used to be this way and I find it sad.

Edit to add: Perhaps Secunia Support haven't the time nowadays to actually read the forums?


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
bonnie23 RE: MSXML 4.0 Thread
Member 29th Jul, 2014 13:21
Score: 1
Posts: 20
User Since: 8th Nov 2009
System Score: 100%
Location: US
I think I'm understanding what your saying..

In reference to two of your comments:
1. MSXML 6 & MSXML 3 are pre-installed on Windows Vista/7 SP1/Windows 8 & 8.1 and the latest versions are supported. MSXML 3 is represented by msxml3.dll which helps to parse XML documents in IE.

“I am running Win 7 SP1 64 Bit”

2. MSXML 3 & 6 are managed by Microsoft and my advice is to leave them well alone - the versions numbers for each OS are different so be careful when reading other posts & trying to compare against your set up - let MS manage them via Windows Update.

“I have_ MSXML 4 version number 4.30.2117.0”

My question with all this confusion is: I have no idea if I have MSXML 3 & 6 installed on my desktop, and how do I find them? The “SysWOW64” folder is showing 2,418 files in it. If your very certain I have them pre-installed I’m giving up on this issue for now and wait to see what MS does. According to your information as long as I have MSXML 4 version (4.30.2117.0) I don’t need to be concerned.

Thanks for all your input...you’ve helped me in the past.


--
bonnie23
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 29th Jul, 2014 14:10
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Bonnie23

When you complete a scan with PSI does it show this?

https://1ncuig.bn1.livefilestore.com/y2pEVvzUt5KfF...

If so you have 3 & 6 & you are OK.

Once you confirm the status of 3 & 6 I can update on MSXML 4.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
bonnie23 RE: MSXML 4.0 Thread
Member 29th Jul, 2014 20:25
Score: 1
Posts: 20
User Since: 8th Nov 2009
System Score: 100%
Location: US
Last edited on 29th Jul, 2014 20:26
@Joyce

I feel so stupid...looking further down the list in PSI I'm seeing a couple versions of 3 & 6 and all are showing "up to date". When I posted.. it was about 3 or 4 am and I was kind of tired. None the less normally I would have thought, well let me look down the page to see if their are any other MSMXL programs and are they up to date, but I didn't.
Going into the "sysWOW64" folder confused me as I wasn't seeing anything about MXL files.
Shhhh ( I'm 67 yrs old) and self taught.

The answer to your question is yes, When doing a scan within Secunia all versions are showing up-to-date except for what is highlighted in green from your link, that being 4.x 4.30.2117.0

FYI...I am still using PSI 2.0 because when they upgraded to 3.0 I didn't like the fact that the browser tab went missing. Have been using 2.0 with no problems and have taken care of any issues without going to the help forum. I haven't looked, but if there is no newer version of PSI with the browser tab I'll stay with 2.0.

Thanks again...

--
bonnie23
Was this reply relevant?
+1
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 29th Jul, 2014 21:28
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I am 70+ but still having a good time!

You look OK to me - do not worry about MSXML 3 & 6 - Microsoft takes care of them for you via Windows Update.

Your MSXML 4 is up to date & secure but please bare in mind it is End of Life. That means that Microsoft will not fix any problems or security issues in the future.

I have the same dilemma & have decided to ignore the End of Life notification. In my case I think the risk of doing this is worth taking.

Everyone must make his own judgement on what to do.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
klscoper RE: MSXML 4.0 Thread
Member 31st Jul, 2014 22:56
Score: 0
Posts: 26
User Since: 24th Oct 2011
System Score: N/A
Location: US
Thanks, Maurice. You posted to my question and asked me to review WHAT TO DO in another thread. I did that and understand what you wrote. You need to know, you must have done a good job for me to understand it.

My MSXML 3 & 6 are fine and in tact. My MSXML 4 is version 4.30.2117.0. Secunia has that version noted at the top of the box under "Programs that need updating" indicating that I'm at 98%. I have tried clicking to update it. I click "Save File" but then my only option is to cancel out. Any idea how to get it to show the updated version in Secunia???

Thanks again!
Was this reply relevant?
+0
-0

klscoper

RE: MSXML 4.0 Thread
[+]
This reply has been deleted
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 31st Jul, 2014 23:59
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You cannot - PSI is giving totally false information on the course of action to take.

MSXML 4 V4.30.2117.0 is End of Life. Microsoft will not update it or fix any security issues in the future.

Knowing that you can complete any of these actions to remove the Secunia warning:

1. Create an ignore rule. I have elected to do this having carried out a Risk Assessment.

2. Uninstall it

3. Rename it

If you carry out 2 or 3 the old programme(s) you have installed dependant on MSXML 4 will fail when you try to use them.

If you want to Rename it a script & information on what renaming does is here:

https://secunia.com/community/forum/thread/show/15...

Hope this helps.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0

L1NGUS

RE: MSXML 4.0 Thread
[+]
This reply has been deleted
klscoper RE: MSXML 4.0 Thread
Member 1st Aug, 2014 03:15
Score: 0
Posts: 26
User Since: 24th Oct 2011
System Score: N/A
Location: US
Thanks, again, Maurice. This time I REALLY did get it. I've chosen to ignore. LOL!

Kathy
Was this reply relevant?
+0
-0
triggerhippyfr RE: MSXML 4.0 Thread
Member 2nd Aug, 2014 11:11
Score: 0
Posts: 13
User Since: 17th Feb 2010
System Score: N/A
Location: FR
Big big Thx to You maurice for all your help and good advices all along this thread !!!

i choose to listen to your advice and rename my 2 MSXML 4.0 dlls ,

and after the new secunia psi scan , the result is 100 % !!! Hallelujah !!! ;) :) :) :)

Was this reply relevant?
+2
-0
mywonex RE: MSXML 4.0 Thread
Member 6th Aug, 2014 14:06
Score: 2
Posts: 13
User Since: 11th Oct 2013
System Score: N/A
Location: FR
HI, again today there is an advertising about MSXML 4 end of life and MSXML 6 to be updated...

But I already have MSXML 6 which is updated by Microsoftw is:
"intended as an upgrade path for existing MSXML3 and MSXML4 users except for users that leverage some of the older ProgIDs and technologies in MSXML3 and MSXML4. "

So there is nothing to do unless "hide" this advertise in PSI.. waiting for a possibleimprovement of MSXML detection..

Have a good day
Was this reply relevant?
+0
-0
jckinnick RE: MSXML 4.0 Thread
Member 11th Aug, 2014 20:59
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
Just checking back in its been two weeks and still no fix for this?
Was this reply relevant?
+0
-0
MStefani RE: MSXML 4.0 Thread
Member 11th Aug, 2014 21:33
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
on 28th Jul, 2014 23:15, MStefani wrote:
Great, thanks. My fear was that renaming them (thus effectively removing them at least temporarily) might crash something functional in windows which would therefore prevent me from undoing the change...
I've done the rename and will post any detected issues here.

Well, it's been a couple of weeks, and so far nothing has failed or complained.
Was this reply relevant?
+0
-0
jckinnick RE: MSXML 4.0 Thread
Member 11th Aug, 2014 22:38
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
Do you have 100% now?
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 14th Aug, 2014 07:52
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
is this

http://secunia.com/community/forum/thread/show/151...

a completely different issue?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
taffy078 RE: MSXML 4.0 Thread
Contributor 14th Aug, 2014 07:52
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
is this

http://secunia.com/community/forum/thread/show/151...

a completely different issue?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Mikey83 RE: MSXML 4.0 Thread
Member 15th Aug, 2014 14:34
Score: 1
Posts: 1
User Since: 15th Aug 2014
System Score: N/A
Location: US
I renamed the file rather than remove it.
What broke?
As already noted, Quicken 2014 stopped working.

PaperPort 12 stopped working. This software came with my brother printer; it works with the scanner. This product is no longer supported.
Was this reply relevant?
+1
-0
rusty.07 RE: MSXML 4.0 Thread
Member 18th Aug, 2014 22:28
Score: 0
Posts: 8
User Since: 18th Apr 2014
System Score: N/A
Location: US
on 31st Jul, 2014 23:59, Maurice Joyce wrote:
You cannot - PSI is giving totally false information on the course of action to take.

MSXML 4 V4.30.2117.0 is End of Life. Microsoft will not update it or fix any security issues in the future.

Knowing that you can complete any of these actions to remove the Secunia warning:

1. Create an ignore rule. I have elected to do this having carried out a Risk Assessment.

2. Uninstall it

3. Rename it

If you carry out 2 or 3 the old programme(s) you have installed dependant on MSXML 4 will fail when you try to use them.

If you want to Rename it a script & information on what renaming does is here:

https://secunia.com/community/forum/thread/show/15...

Hope this helps.



Renaming the file to .old will work, but I am concerned that .old files can be removed by some file cleaning tools (CCleaner, Easy Cleaner, etc.)
Was this reply relevant?
+1
-0
MStefani RE: MSXML 4.0 Thread
Member 18th Aug, 2014 22:34
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
on 18th Aug, 2014 22:28, rusty.07 wrote:
Renaming the file to .old will work, but I am concerned that .old files can be removed by some file cleaning tools (CCleaner, Easy Cleaner, etc.)
Rename them to any file extension you like as long as it's not something windows needs (like exe, com, etc.)
Was this reply relevant?
+1
-1
patdrummond RE: MSXML 4.0 Thread
Member 25th Aug, 2014 19:44
Score: -3
Posts: 4
User Since: 29th Jan 2012
System Score: N/A
Location: CA
Last edited on 25th Aug, 2014 20:11
Thank you Maurice Joyce for info about msxml4.dll from MSXML 4.30.2117.0. I followed the Secunia update instructions for MSXML updates. Now showing version 4.30.2117.0 but still not ok. How can it be still "supported"? I finally renamed the dll file and shall wait to see what breaks. <sigh>

[FYI I got into a similar loop trying to get the "reply" button to work. Turned off all my browser security addons]

I wonder if MS did not update my MSXML 4 because it was installed with an old WinXP program...
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4.0 Thread
Handling Contributor 2nd Sep, 2014 09:16
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Thread reopened as questions are still being asked on this subject.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
ddmarshall RE: MSXML 4.0 Thread
Dedicated Contributor 2nd Sep, 2014 15:28
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
For those who want to try to find out which applications are using MSXML 4.0, a method to scan executable files for references to msxml.dll has been posted on Superuser.
http://superuser.com/questions/802001/remove-c-win...

I tried this on an old Vista system which appears to have had MSXML 4.0 installed by the OEM. It didn't find anything apart from Microsoft files like old copies in the side-by-side store and unbcl.dll which just seems to be checking which versions of MSXML are installed. Obviously these shouldn't be messed with. It seems either that nothing needed MSXML 4.0 or that the programs that needed it have been uninstalled or updated. On the other hand, it might not work in all cases.

The scan takes a very long time. You can restrict the scan to Program Files or Program Files (x86), instead of the whole C: drive, to speed it up a bit.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-0
rusty.07 RE: MSXML 4.0 Thread
Member 6th Sep, 2014 05:06
Score: 0
Posts: 8
User Since: 18th Apr 2014
System Score: N/A
Location: US
on 18th Aug, 2014 22:34, MStefani wrote:
Rename them to any file extension you like as long as it's not something windows needs (like exe, com, etc.)



Even if a .old file can be removed by files cleaning tools?
Was this reply relevant?
+0
-0
MStefani RE: MSXML 4.0 Thread
Member 6th Sep, 2014 05:20
Score: 14
Posts: 16
User Since: 28th Jul 2010
System Score: N/A
Location: US
on 6th Sep, 2014 05:06, rusty.07 wrote:
Even if a .old file can be removed by files cleaning tools?
If you are trying to make them appear removed to Secunia but keep them available then of course don't change the extension to anything that would be removed by a cleaner app!
Was this reply relevant?
+0
-0
patdrummond RE: MSXML 4.0 Thread
Member 11th Sep, 2014 03:01
Score: -3
Posts: 4
User Since: 29th Jan 2012
System Score: N/A
Location: CA
on 2nd Sep, 2014 09:16, Maurice Joyce wrote:
Thread reopened as questions are still being asked on this subject.


Thank you - I get SO frustrated by threads that are closed when I search for answers dated only a month ago and cannot reply.
Was this reply relevant?
+0
-0
jckinnick RE: MSXML 4.0 Thread
Member 11th Sep, 2014 12:27
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
So my laptop with Windows 8 is still at 99%, but my other laptop with Windows 7 is now at 100% why is that?
Was this reply relevant?
+0
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer