• XML Core Services 4.0 vulnerability on Windows 7 – unpatched and vulnerable for several years


    • This topic has 20 replies, 4 voices, and was last updated 9 years ago by IT.
    #43083

    This from IT: I previously made a comment (been a year or so) about this issue XML Core Services 4.0 Vuln on Windows 7 – unpatched and vulnerable for
    [See the full post at: XML Core Services 4.0 vulnerability on Windows 7 – unpatched and vulnerable for several years]

    • #43084

      I remember this one. Secunia PSI was detecting it well before a year ago. I removed it from my Win 7 Home laptop long ago. At the time, it did appear it was either Quicken or QuickBooks which were among the top offenders in installing this old and insecure version. The original source seems to have been IE5 or IE6.

      This ranks up there with Adobe’s Flash Player and Apple’s QuickTime as among the most chronic security offenders in the Windows ecosystem. If possible, all readers should run a vulnerability checker and remove all instances of this version ASAP.

    • #43085

      Secunia PSI does a good, quick scan that’ll pick up this one, too.

    • #43086

      Dear Woody
      I am always nervous re installing and uninstalling.
      Checked pc and I do have MSXML 4.0 SP2 with a date 5/8/2014 KB973688. Is it safe to leave or should I in fact uninstall it?
      Glenda

    • #43087

      How would I know what program invited this in? I don’t want to “break” something I’m using by uninstalling it and I’d also like to know if whatever program it came with will still function properly after updating this to SP3? Can somebody answer these questions?

      Looking in Programs and Features I see three entries with “MSXML 4.0 SP2” in them. Sorting by date I see only one other entry installed on the same day as one of them. There are no other programs installed for 8 months prior.

      Here’s what I’m seeing followed by the installed on date…

      MS Visual Studio 2005 Tools for Office Runtime – 3/15/2010

      MSXML 4.0 SP2 Parser and SDK – 3/15/2010

      MSXML 4.0 SP2 (KB954430) – 3/17/2010

      MSXML 4.0 SP2 (KB973688) – 3/17/2010

    • #43088

      If you’re not sure I would leave it but upgrade it to the SP3 version and then run Windows Update to get the security patches for SP3. Download link to SP3 is here, https://www.microsoft.com/en-us/download/details.aspx?id=15697.

    • #43089

      Thanks for the info. Yes it is an older issue almost forgotten by everyone. It may be considered by Microsoft as part of the legacy products like Windows XP or older versions of other discontinued products and the vulnerability not serious enough to deserve an update.
      If still needed, it would be a good idea to update to the latest version available.

    • #43090

      First off, thanks for the information! I found your site in the early days of GWX and it’s saved me a lot of heartburn.

      It looks like MSXML SP2 came onto my machine from a 2012 version of Quicken Home. (Judging by the install date.) 2015 Home and Business doesn’t seem to use MSXML at all, going from the task manager lists of running and available services.

      NOTE: I found that installing SP3 does NOT remove SP2. It must be uninstalled manually through “Programs and Features”. Only one update for SP3, KB2758694. Now to check the other computer…

    • #43091

      Update: Quicken Home and Business 2013 brought it in, too. Sigh.

    • #43092

      I am confused about what I am supposed to do. I have MSXML 4.0 SP2 (KB973688) in my Control Panel > Programs > Programs & Features.

    • #43093

      This looks like a new QuickTime type of issue, discussed not long ago.
      I think there is no need for panic, but a little extra care and common sense while browsing the web is needed. This is not unusual advice and useful at any time.
      If known that is not needed, the known insecure software should be uninstalled.
      If still needed, update to the latest version available, which is presumably more secure than the previous one.

    • #43094

      Except that you actually can *really* uninstall QuickTime. With MSXML4, you are stuck with tons of different versions of the abandoned junk (due to the horrible side-by-side idea, acknowledged as complete brainfart by MS themselves and abandoned with MSXML6) and uninstalling the one version available in the control panel does nothing useful to remove the rest. :-(((

    • #43095

      MSXML4 has reached end of life. That includes MSXML4 SP3. It’s been out of support since April 2014.

      https://msdn.microsoft.com/en-us/library/jj152146(v=vs.85).aspx

      https://support.microsoft.com/en-us/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft%20XML%20Core%20Services

      Apps are supposed to use MSXML6 instead.

      I think you should remove all instances of MSXML4 on your machine unless you require it for something. That is, uninstall all KBs that are listed as MSXML4 (SP2 or SP3). There can be many listed.

      Here are some more resources:

      https://altonblom.com/s34e09/
      https://altonblom.com/s34e10/

    • #43096

      I purchased a custom made Win7 Home Premium several years ago. When I checked the updates that were listed and ran PSI (Secunia), it listed this one as being insecure. I asked the tech about it, and he stated that it was best to leave it there because there could possibly be “updates” that needed it.

      Being the novice that I am I just left it there, where it still remains. Also had that advice from other techs subsequently. I’m very confused about it. I uninstalled Quick Time ages ago. That’s all I know, and it isn’t much. 🙁

      Here is an old reference I had in my bookmarks from “way back when”:

      https://support.microsoft.com/en-us/kb/973688

    • #43097

      Just checked Secunia, and it has this one listed as “end of life” NOT as insecure. It is version 4.20.9876.0.

    • #43098

      To a non-techie, this issue seems to be pretty complicated, and there are several quite-different versions of advice above on how best to deal with it.

      The Secunia article linked to in the main blog post above is from October 2013. Is this issue still a major problem in May 2016? Not trying to be flippant, just trying to figure out how much time I, as a non-techie, should spend in trying to understand this and in tinkering with my computer.

      Is there a site that explains in a basic way what exactly to look for in one’s computer and what to do, step-by-careful-step, about curbing the risks that this problem seems to introduce?

      In the meantime, it feels that, at least for someone like me who does not have an advanced level of computer knowledge, the safest action would be to leave things as they are, and not start uninstalling a number of kbs and programs, and downloading standalone updates from the MS site which are now apparently for an obsolete program.

    • #43099

      Except that after uninstalling QuickTime, components of what used to be exclusively in QuickTime are now in iTunes. There are dependencies everywhere and difficult to control without having full information and the time and tools to do it.
      Yes, it is a lot of junk left behind when uninstalling and OS upgrades in place are not very helpful in eliminating it.

    • #43100

      poohsticks: That sounds like absolutely the best advice with this situation for those of us who are “non-techies”!!

      I agree with your assessment, and thank you for posting it!! 🙂

    • #43101

      Question, if you have 6.0 are you in the clear?

    • #43102

      6.0 doesn’t have the problems that 4.0 has. Er, had.

    • #43103

      Following up on this post: I had this issue: I even had it yesterday when inserting a CD from one of those Imaging centers to view the results of some MRI/CT studies I had! From only a few years ago. It required XML core services SP2 (from before 2009) to run. I am on Windows 10 64-bit now. Do a Google search to find out what it is and how they work.

      The programs listed in the comments are likely a reason it was installed on your PC. Program developers were encouraged to use MSXML 6 to code, but some are legacy products, etc……
      Quicken 2013 Deluxe
      QuickTime
      Visual Studio Older versions (Likely the 2005 version someone mentioned)

      I am willing to bet that it was Visual Studio 2005 that installed it on your Windows 7 PC. Windows 7 does not natively ship with MSXML v4, but programs install it. They were likely built on older versions. Note that trying to install MSXML v6 over this one won’t fix the issue.

      If you read in the MSFT KB article, SP3 is a complete replacement of all of the previous versions. When you install the msxml.msi file (2.3mb), it is in essence replacing all of the previous updates (v4 SP1, SP2, etc.). After installing SP3 (which for some reason Microsoft decided must be manually installed) – reboot your PC, then run Windows Update. Once you have installed all of the Security Updates and rebooted – that’s all you can do. It is an EOL’D software. But, by not updating to SP3, you are opening yourself to more vulnerabilities (those affecting MSXML 4 SP2 and above).

      Ok, here’s why I think it is a problem: There are Enabled Add-ons in IE. Reports of exploitation are likely due to this. Open up Internet Explorer, click on Tools, Manage Add-ons, then on the left middle part of the Manage Add-ons window, click the dropdown menu and select:

      Run Without Permission.

      If you have v4 installed you will likely see some or all of the following below:

      XML DOM Document 4.0
      FreeThreaded XML DOM Document
      XML Schema Cache 4.0
      XSL Template 4.0
      XML Data Source Document 4.0
      XML HTTP Document 4.0

      So, essentially you have these unpatched EOL’D add-ons in Internet Explorer. That puts you at risk for Exploitation, and that’s likely why it’s #2 on Secunia/Flexera’s list of the Top 50 Vulnerabilities.

      I suppose you could try disabling them

      Reference:

      https://technet.microsoft.com/en-us/library/security/ms13-002.aspx

      http://secunia.com/community/forum/thread/show/13191/are_you_trying_to_fix_a_problem_with_msxml_4

      https://www.askwoody.com/2016/xml-core-services-4-0-vulnerability-on-windows-7-unpatched-and-vulnerable-for-several-years/

      http://searchsecurity.techtarget.com/answer/How-can-Microsoft-XML-vulnerabilities-be-mitigated

      Disclaimer: I am not a professional, and am not responsible for any errors, lost files, or any problems with your PC that may result from anything in this article and comment. Just CMA here.
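
Several replies above ask how to tell what is actually present, given that installing SP3 leaves the SP2 entries listed and that removing a Programs and Features entry may leave other copies behind. The following read-only PowerShell inventory is an added example, not code from any poster or from Microsoft. The function name `Get-Msxml4Inventory` is hypothetical, the `*MSXML 4*` name filter is based on the entry names quoted in this thread, and it assumes a 64-bit PowerShell session so that `System32` is not redirected.

```powershell
# Added example: read-only inventory of MSXML 4.0 traces. Changes nothing.
function Get-Msxml4Inventory {   # hypothetical helper name
    # 1. Programs and Features entries, 64-bit and 32-bit registry views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*MSXML 4*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, PSChildName

    # 2. msxml4.dll in the system directories, with the version each copy reports.
    $dlls = foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:SystemRoot "$dir\msxml4.dll"
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Path        = $path
                FileVersion = $file.VersionInfo.FileVersion
                Modified    = $file.LastWriteTime
            }
        }
    }

    # 3. Version-4 COM ProgIDs still registered, i.e. still creatable by a host.
    $progIds = 'Msxml2.DOMDocument.4.0', 'Msxml2.FreeThreadedDOMDocument.4.0',
               'Msxml2.XMLSchemaCache.4.0', 'Msxml2.XSLTemplate.4.0',
               'Msxml2.DSOControl.4.0', 'Msxml2.XMLHTTP.4.0'
    $registered = $progIds | Where-Object {
        Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$_"
    }

    [pscustomobject]@{
        InstalledEntries  = @($installed)
        Dlls              = @($dlls)
        RegisteredProgIds = @($registered)
    }
}

$inv = Get-Msxml4Inventory
$inv.InstalledEntries | Format-Table -AutoSize
$inv.Dlls | Format-Table -AutoSize
$inv.RegisteredProgIds
if ($inv.Dlls.Count -eq 0 -and $inv.RegisteredProgIds.Count -eq 0) {
    'No msxml4.dll or version-4 ProgIDs found.'
}
```

Running it before and after an uninstall or an SP3 install shows whether the DLL and its COM registrations are really gone, or only the Programs and Features entry.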
