Monday, January 07, 2013

Security issues with MSXML

This is a quick & dirty blog post, partially to help a friend reach out to the world, and partially because I'm affected as well. Correction: was affected. Now removed & patched at the same time.

At my previous job one of my tasks was to manage & improve the security patch management process across all platforms, from operating systems and databases to browsers & plugins. Sometimes even down to firmware & driver updates, because of bugs and vulnerabilities. My primary focus was - no surprise - Windows installations and pretty much everything that can be installed on Windows. I did that for more than 5 years. 10-15K servers, 100-150K clients. I did well. Very well in fact, and I'm still proud of it.

Many surprises have appeared along the way, the most recent has to do with MSXML, which comes to light in this blog post.

According to our always trustworthy source, Wikipedia, MSXML versions 3, 4, 5 and 6 are current, as in still supported by Microsoft. For any reasonable purposes in 2013, MSXML 6 is what you want. Probably the 64-bit version, to be exact. Please note the fine print: MSXML 4.0 SP3 is the current version of 4.x, while SP2 reached EoL in 2010.

So here's the thing: It seems like there is a ton of applications still out there that will silently install MSXML 4.0 SP2 onto your computer. Microsoft Update, including WSUS and SCCM,  will not detect, warn or update MSXML 4.0 SP2. No patches for SP2, no SP3, no post-SP3 patches.

Yes, chances are lots of people at their home computers, as well as organisations large and small are at risk.

I know that Secunia PSI detects MSXML 4.0SP2, but it seems their default link to fix leads to Windows Update - which doesn't detect, warn or update. Woohoo!

As far as I & others have been able to figure out, Microsoft has no published rational logic for why they do not detect MSXML 4.0 (SP2) AND offers SP3 as an automated install through Windows Update. The end result of this is that personal users, as well as most organisations - need to use control panel or third-party tools to detect vulnerable installations, and do even more manual work to either remove and/or update to supported versions.

Any reasons for this behavior Microsoft?

Ps: links to tools and/or lists on the Internet that will enable me and others to figure out which applications that silently install MSXML 4.0 SP2 are most welcome!

1 comment:

  1. Several versions of the SAP GUI Client 7.20++ installs a SAP "branded" msxml4.msi dated back to 2006.

    Funnily installing the SP3 does not remove the reference to SP2 (2x -> KB954430 & KB973688), nor the MSXML4.0 from SAP.


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.