• Zombies in our midst

    #495441

    I may be raising issues here which have been previously addressed in The Lounge or in Susan Bradley’s Patch Watch column in Windows Secrets Newsletter. But I have done a bit of searching and not found the information I am asking about in this post.

    I was looking over my Windows 7 installation, remembering that Secunia says 70 percent of PSI scans show an old and insecure version of MSXML installed in Windows 7 PCs, even though this version was never included in Windows 7. The current version seems to be MSXML 6, while this Zombie Version is MSXML 4. On my Windows 7 SP1 PC, SP2 had been applied, but I’d never even gotten an update notice from MS Updates to upgrade to SP3 for this version.

    Well, once I found this little monster, it was dispatched to the Cosmic Bit-Bin by Geek Uninstaller. Nothing seemed to be using it, and no other Folders or Registry Entries were located for removal.

    Is SP3 for this version (MSXML 4.3.x) considered insecure, or is Secunia only referring to SP2 (version 4.2.x)? This posting makes the whole matter about as clear as mud. This article makes it clear as day that NO version of MSXML 4 should now be on ANY Windows PC. It is not supported and possibly not secure even in SP3 (version 4.3.x). Do NOT attempt to upgrade. So I will not be adding back any version of MSXML 4. (This may not be entirely true if there are third-party Windows 7 programs with current versions which still depend on MSXML 4.)

    BTW, it appears (based on the Wikipedia article) that if you have IE 9 or higher on Windows 7, there is also no need to have MSXML 3 in any Service Pack on the computer.

    All of these Supported or Unsupported and Needed or Unneeded inferences are my own, based on only a few online articles. So anyone may correct me if I am wrong about MSXML 3 and MSXML 4 no longer being needed on Windows 7 PCs not running old versions of long-since updated software.

    I wonder how many old versions of C++ and other runtimes are also Zombies, lurking in our PCs and waiting to become insecure and vulnerable to attack? Which ones should we remove, and could any current Windows 7 software be affected by removing the older versions?

    I am amazed that Microsoft would never have issued Update Notices about these old, insecure packages, given that there are now exploits for at least some of them. And never to have pushed MSXML 4 SP3 through MS Updates? Disgraceful!

    -- rc primak

    • #1458612

      Is SP3 for this version (MSXML 4.3.x) considered insecure, or is Secunia only referring to SP2 (version 4.2.x)?

      No, only SP2.

      Why didn’t Secunia PSI alert you to this and install SP3 three years ago?

      Bruce

      Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

      • #1458755

        No, only SP2.

        Why didn’t Secunia PSI alert you to this and install SP3 three years ago?

        Bruce

        Thanks for the info.

        I am not sure where (or when) the MSXML 4 came from. Good to know that SP3 is OK, but I’d still rather not have something unsupported on my PC than take a risk of future insecurity issues.

        Microsoft seems to have really dropped the ball on this one, not sending an update through MS Update which would have forced the upgrade to MSXML 4 SP3 when it became available, or at least when SP2 became no longer supported. All of which is moot now, since SP3 is also considered no longer supported. Removal of all versions of MSXML 4 seems to me to be the best strategy, unless that would break some software.

        My more general question relates to other items which Microsoft has not seen fit to announce, where components or runtimes have become insecure and at a minimum should be replaced or updated.

        In answer to the question about PSI, I haven’t used it since PSI 3 came out. The dumbed-down interface really put me off. Until recently, I had never run into a security issue like this one. None that I know of, anyway.

        -- rc primak

    • #1458835


      I don’t know if this applies to you but at some point, maybe still, MSBaseline Security Analyzer required MSXML SDK and Parser. On my system I have Ver 4.XXxxX. I am guessing that would have included MSXML Ver4. A newer version may indeed work.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #1458985


        I don’t know if this applies to you but at some point, maybe still, MSBaseline Security Analyzer required MSXML SDK and Parser. On my system I have Ver 4.XXxxX. I am guessing that would have included MSXML Ver4. A newer version may indeed work.

        One of many, many possibilities.

        Some have reported that games have installed MSXML 4.2.x. Others may have gotten it through software. Some free software might still have it, but only if it was written for IE 8 or earlier. Paid software should be free of such old versions by now, but one never knows…

        I still would prefer that Microsoft should have announced End of Life for MSXML 4, and that it would no longer be supported in any version. That should have been announced three years ago. And if such an announcement was made, it should have been accompanied with a MS Update which would remove MSXML 4 completely. Purely optional, but in the main batch of monthly updates. The same should happen when and if C++ and other runtime libraries age out.

        Other companies do this sort of thing. In fact, Flash Player can no longer be updated from Adobe’s installers without running their Flash Uninstaller first. But if you’re getting Flash Player from Microsoft (if you are running Windows 8), you are at MS’s mercy about when or if they update Flash Player. They do, however, remove the older versions when updating Flash Player. So why not do the same for other plugins and runtimes?

        I still don’t know whether to get rid of all the C++ 2005 stuff from my Windows 7 laptop. Is that version now insecure and obsolete, or does current software still use it? What about C++ 2008? And much other stuff which ages out, but Microsoft never even offers to clean up their mess.

        Updaters like PSI do tell us when there are new versions available. But except for security issues, I have yet to see an update advisor program which tells us when to uninstall older but not yet insecure versions of software and components. Especially when few if any programs are still using these old versions.

        Isn’t there some way to scan a Windows computer and determine if there are still any programs on the PC which depend on ancient versions of plugins and Windows Libraries? And then to alert users to upgrade the programs if that would remove those dependencies (thus allowing users to remove the ancient components)?

        -- rc primak

        • #1458989

          Updaters like PSI do tell us when there are new versions available. But except for security issues, I have yet to see an update advisor program which tells us when to uninstall older but not yet insecure versions of software and components. Especially when few if any programs are still using these old versions.

          On what criteria could that be based? Secunia PSI also identifies EOL software which may become vulnerable as it’s no longer supported. I don’t see how it could go any further.

          Bruce

          Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #1459136


      I have not been forced to explore it much but Dependency Walker may address your issue:
      http://support.microsoft.com/kb/256872
      http://www.dependencywalker.com/

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #1459140


        I have not been forced to explore it much but Dependency Walker may address your issue:
        http://support.microsoft.com/kb/256872
        http://www.dependencywalker.com/

        What I would like to do is, upon finding some component to be End of Life, to do the reverse of what Dependency Walker seems to be doing. I want to look at the component, and find out if any programs are still using it. Thus predicting whether removing the EOL component will break my programs. I don’t want to discover breakage at some later time by accident. This is what PSI is not doing for me. I should take a closer look at PSI’s results to see if it is indeed flagging EOL components even when there are no known security issues.

        So, if C++ 2005 is End of Life and C++ 2008 is also End of Life, provided all my other programs are up to date, will anything significant break if I remove all traces of these two older versions of C++ from Windows 7? Are these components still receiving security patches from MS Updates? How can I test for whether something may break if I remove these older versions?

        Microsoft has a page full of tables about C++ packages. These tables I find confusing. All three packages currently on my Windows 7 machine (2005, 2008 and 2010) appear to be in some sort of Extended Support. What does this mean?

        -- rc primak
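
Added example, not part of the original thread or any poster's code: one way to run the reverse lookup asked for in the post above (and in the earlier post asking for a scan), by reading the import table of every .exe/.dll under a folder and reporting which files statically link a named runtime DLL. The function names are hypothetical, and the targets `msvcr80.dll` and `msvcr90.dll` (the usual file names of the Visual C++ 2005 and 2008 C runtimes) and the scanned path are assumptions.

```python
import struct
from pathlib import Path

def imported_dlls(data):
    """Lower-cased DLL names listed in a PE image's static import directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return set()
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return set()
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)            # PE32+ or PE32
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]   # data directory 1
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def offset(rva):                                        # RVA -> file offset
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        return None

    names = set()
    d = offset(imp_rva) if imp_rva else None
    while d is not None and d + 20 <= len(data):            # 20-byte descriptors
        name_rva = struct.unpack_from("<I", data, d + 12)[0]
        n = offset(name_rva) if name_rva else None
        end = data.find(b"\0", n) if n is not None else -1
        if end < 0:
            break                                           # terminator or bad RVA
        names.add(bytes(data[n:end]).decode("ascii", "replace").lower())
        d += 20
    return names

def find_dependents(root, targets):
    """Map each .exe/.dll under root to the target DLLs it imports."""
    wanted, hits = {t.lower() for t in targets}, {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".exe", ".dll") and p.is_file():
            try:
                found = imported_dlls(p.read_bytes()) & wanted
            except (OSError, struct.error):
                continue                                    # unreadable or malformed
            if found:
                hits[str(p)] = sorted(found)
    return hits
# Assumed usage: find_dependents(r"C:\Program Files", ["msvcr80.dll", "msvcr90.dll"])
```

This only sees static imports: components loaded through COM (as MSXML normally is), delay-load tables or LoadLibrary calls do not appear, so an empty result is not proof that removal is safe.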

        • #1459173

          Microsoft has a page full of tables about C++ packages. These tables I find confusing. All three packages currently on my Windows 7 machine (2005, 2008 and 2010) appear to be in some sort of Extended Support. What does this mean?

          Start of Lifecycle->End of Life = Mainstream Support; normal stuff
          Extended Support = End of Life has been declared, but we will continue to issue patches, if only to fix security issues
          Service Packs kind of extend mainstream support: MS tends to support products for a specific amount of time (such as 5 years). When they issue a service pack, that is almost like a new product and the service pack is usually supported for that amount of time (such as another 5 years). If a service pack (SP2) is issued 3 years after initial release (or another service pack, SP1), extended support [read _all support of any kind_] for the initial release (or another service pack, SP1) ends 3 years before extended support for SP2.
          Help?

          You are correct in being cautious about deleting C++ runtimes; they are not completely backwards compatible. A command in C++ 2005 may be declared “deprecated” in C++ 2007 and no longer be supported in C++ 2010. Just because a program is “up to date”, that does not mean it has been modified to use a later C++ runtime.

    • #1459272

      Bob
      Good questions can be hard to answer. Maybe we need an Unpatched Watch.

      PS I am wondering why Windows Secrets was unavailable for at least 15 minutes this morning.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #1459312

        Bob
        Good questions can be hard to answer. Maybe we need an Unpatched Watch.

        PS I am wondering why Windows Secrets was unavailable for at least 15 minutes this morning.

        I get outages of the Windows Secrets Newsletter and/or The Lounge from time to time. I think it’s an ISP or Network issue most of the time. The bits get tired travelling all the way from the West Coast to the Midwest, it seems 😉.

        Once in a long while, it might be appropriate to review End of Life Windows components which are not yet at the point of being outright insecure. Along with Recommendations as to Remove or Keep. Perhaps a Lounge Thread with a Table?

        In any event, I think I’m clear about C++. Probably best to keep the 2005 and 2008 (not 2007) versions unless advised to remove them for security reasons. When/if it’s a security issue, let the breakages fall where they may.

        Now if only we could get the Chrome/Chromium Browsers to update to Pepper Flash 14.0.0.145 for Linux… (Firefox for Linux was updated — although it’s stuck at Flash Player version 11.2.x — two days ago.)

        Update: It took ten days, but all Linux versions of Chromium and Firefox should now have updated Flash Player plugins, as of July 16, 2014.

        -- rc primak

        • #1462527

          Update: It took ten days, but all Linux versions of Chromium and Firefox should now have updated Flash Player plugins, as of July 16, 2014.

          Even better idea: Why isn’t Pepper API available as a Flash Player alternative, especially on Linux? I find it impossible to understand why Chrome (and Chromium, with one alteration, which isn’t all that hard in Linux Mint) are the only two browsers supporting Pepper. Nothing else is allowed to access it. This is very disturbing, especially when some Flash apps work incorrectly in Chrome/Chromium, regardless of OS!
