Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: MSXML 4

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft XML Core Services (MSXML) 4.x

This thread has been marked as resolved.
julio999 MSXML 4
Member 10th May, 2010 22:48
Ranking: 0
Posts: 6
User Since: 7th Mar, 2010
System Score: N/A
Location: N/A
Last edited on 10th May, 2010 23:31

I've uninstalled all of the MSXML 4's that are related to sp2 and I installed the MSXML 4 SP3 and Secunia is still showing 2 insecure programs and both of the MSXML core services that are showing as insecure have been uninstalled. I read an earlier thread from secunia that told me to uninstall the sp2 core services and install the new MSXML SP3 and everything would be fine. Wrong. As I said. Secunia still shows that I have them installed and they're insecure. Can I get some help please? 4 hours is enough spent on this without success.
Am I also supposed to install anything else. I read something about MSXML 6?

Post "RE: MSXML 4" has been selected as an answer.
Anthony Wells RE: MSXML 4
Expert Contributor 10th May, 2010 23:39
Score: 2445
Posts: 3,332
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th May, 2010 23:42
@julio999,

For someone to help you , they will need to know the the details of the OS you are using and the location :ie: the "installation path" of the "insecure" MSXML files that PSI is reporting . The more details you provide the better . You will need to use PSI in "advanced" mode to find/give the relevant info.

Anthony

PS: this problem would be better posted in the "Programs" Forum (for future reference)

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
julio999 RE: MSXML 4
Member 10th May, 2010 23:55
Score: 0
Posts: 6
User Since: 7th Mar 2010
System Score: N/A
Location: N/A
C:\$Upgrade~OS\OnlineMigGatherWork\agentmgr\CCSIag ent\005A53BA\sxsAsm4\msxml4.dll that is the installation path. I followed it and found those entries. Are they supposed to be deleted on each one? My OS is Windows 7 Home Prem. 32 bit.
Was this reply relevant?
+0
-0
ddmarshall RE: MSXML 4
Dedicated Contributor 11th May, 2010 01:01
Score: 1209
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I think this folder is created when doing an upgrade from Windows Vista to Windows 7. So it can probably be ignored safely.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-0
julio999 RE: MSXML 4
Member 11th May, 2010 01:35
Score: 0
Posts: 6
User Since: 7th Mar 2010
System Score: N/A
Location: N/A
When I open the folder where it says the vulnerability was detected they are still listed as a .dll .There are 3 entries in the folder, one is qn application extension/MSXML4.dll. The second one is named Security Catalog, the third one is a MANIFEST file. The 2 latter ones have identical partial registry strings with them. So what do I do ? Ignor them ,delete them or what. I already uninstalled the MSXML 4 SP2 entries and installed via windows update the MSXML 4 SP 3 update KB973865.
Was this reply relevant?
+0
-0
ddmarshall RE: MSXML 4
Dedicated Contributor 11th May, 2010 10:23
Score: 1209
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I would ignore them.

For information about whether this folder can be deleted, try this forum:

http://social.answers.microsoft.com/Forums/en-US/w...

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
julio999 RE: MSXML 4
Member 11th May, 2010 16:04
Score: 0
Posts: 6
User Since: 7th Mar 2010
System Score: N/A
Location: N/A
Thanks for the link to MS. I wrote up a thread, let's see what they have to say about it. Right now I have those 2 weird files under ignore until I hear better. I just hate to use that if I don't have to.
Was this reply relevant?
+0
-0
julio999 RE: MSXML 4
Member 11th May, 2010 17:15
Score: 0
Posts: 6
User Since: 7th Mar 2010
System Score: N/A
Location: N/A
As I said I'd contact Microsoft and I did and they or someone I should say posted right back. The said I should rename the files .OLD and wait a week to make sure there was no boo-boos or crashes and if after that things were ok I could delete them, but first he suggested that I burn them as a backup just in case. Makes sense to me as I back everything up anyway. So, thanks for your help in dealing with this. I've already renamed the .dll's. I left the Manifest and Security Catalog files as is . Re-ran and re-booted to see what Secunia would come up with and it all came up good. No "Insecures". Hopefully that all did the trick.
Was this reply relevant?
+0
-0
Maurice Joyce RE: MSXML 4
Handling Contributor 12th May, 2010 19:10
Score: 11743
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Julio999
To give U "sweet tea & reassurance" U have got a handle on it. U should not ignore MSXML issues.

Your Windows 7 installation should now have these items visible:

These should be the Patched files in PSI

Microsoft XML Core Services (MSXML) 4. 4.30.2107.0

Microsoft XML Core Services (MSXML) 6. 6.30.7600.16385

These entries should be in Control Panel>Add/Remove

MSXML 4.0 SP3 Parser version 4.3.2107.0
MSXML 4.0 SP3 Parser (KB973685) version 4.3.2107.0

For interest, my bog standard MSXML reply gives the background to MSXML as I note U also mentioned MSXML 6.

WINDOWS MSXML DETAILS
+++++++++++++++++++++
This gives an overview & a possible fix for MSXML 4 problems.

MSXML 6.0.
+++++++++
MSXML6 is the latest MSXML product from Microsoft, and (along with MSXML3) is shipped with Microsoft SQL Server 2005, Visual Studio 2005, .NET Framework 3.0, Windows Vista, Windows 7 and Windows XP Service Pack 3. It also has support for native 64-bit environments. It is an upgrade but not replacement for versions 3 and 4 as they still provide legacy features not supported in version 6. Version 6, 4, and 3 may all be installed and running concurrently. MSXML 6 is not supported on Windows 9x. Windows XP SP3 includes MSXML 6.0 SP2.

MSXML 5.0
+++++++++
MSXML5 is a binary developed specifically for Microsoft Office. It originally shipped with Office 2003 and also ships with Office 2007. Microsoft has not released documentation for this version as they consider it an internal/integrated component.

MSXML 4.0
+++++++++
MSXML4 was shipped as an independent, downloadable SDK targeted at Independent Software Vendors and third parties. It is an upgrade for but not a replacement to MSXML3 as version 3 still provides legacy features. Versions 4 and 3 may be run concurrently.

MSXML 4.0 SP3 is the most recent version released in March 2009, SP2 support expired in April 2010.

The release notes for MSXML 4.0 SP3 are here:

http://download.microsoft.com/download/A/2/D/A2D85...

The download link is here:
http://www.microsoft.com/downloads/details.aspx?fa...

If U do require to update your current MSXML4 Secunia picks it up as secure with version 4.30.2107.0 provided U have downloaded the additional patch via MS Update.

MSXML 3.0
+++++++++
MSXML3 is a current MSXML product, represented by msxml3.dll. MSXML 3.0 SP2 first shipped with Windows XP, Internet Explorer 6.0 and MDAC 2.7. Windows XP SP2 includes MSXML 3.0 SP5 as part of MDAC 2.81. Windows 2000 SP4 also ships with MSXML 3.0. By default, Internet Explorer version 6.0, 7.0 and 8.0 use MSXML 3 to parse XML documents loaded in a window. MSXML 3.0 SP7 is the last supported version for Windows 9x. Windows XP SP3 includes MSXML 3.0 SP9. Windows Vista also includes MSXML 3.0 (SP10).

If this post has solved your problem could you please select the ACCEPT option (against the post that helped U the most). This will lock the thread and stop you & I from receiving unnecessary update emails.

Revision 2.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
julio999 RE: MSXML 4
Member 12th May, 2010 19:51
Score: 0
Posts: 6
User Since: 7th Mar 2010
System Score: N/A
Location: N/A
Thanks for the added knowledge. I can always use these added tidbits of info. I have the MSXML files patched as you described below. I did uninstall the MSXML4.0 files that were obsolete once I installed the MSXML 4.0 SP3. I did have those leftover (Upgrade files). Someone at Microsoft explained that I needed to rename those .dll's old and once I was comfortable that they weren't causing problems I could remove them permanently. That's the route I took. So far so good and Secunia is happy too.
Was this reply relevant?
+0
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability