Recently released statistics indicate that patching of the end-of-life, unsupported MSXML 4.0 SP2 is not really improving.

Secunia have just released their Quarterly Country Statistics[1], in which they use data gathered from their private / home user product (PSI) to provide a country-by-country view of vulnerable software.

Earlier this year I posted my thoughts and experiences around MSXML 4.0 not being able to autoupdate. This post is the most popular article on my blog, receiving constant daily traffic and making up around 62% of all my traffic. It's also garnered visitors from some interesting government networks (which I hope is defense rather than offense). In this earlier post I reference a Secunia article indicating that approx 39.5% of all US Home PCs that have PSI installed have out of date versions of MSXML installed.

In the Q1 2014 USA Country Statistics[2] the statistics for MSXML aren't much better. According to Secunia, Microsoft XML Core Services (MSXML) is installed on approx 79% of all machines, and is unpatched 46% of the time (I sought clarification from Secunia on the "unpatched 46% of the time" figure and they confirmed that 99% of those unpatched installs are MSXML 4.0 SP2 or earlier). That equates to approx 36% of US machines having unsupported, insecure software installed. Because MSXML is a plugin in Internet Explorer, that equates to a large number of machines that could be exposed to exploitation.

It's probably also worth pointing out that MSXML has a higher market share and a higher unpatched rate than Java 1.7, which has been the target of a large number of exploits in recent years.

All in all it still appears that updating of MSXML 4.0 SP2 is not occurring, even when users have software installed, such as Secunia PSI, which is designed to assist in keeping their computers up to date.
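A practical way for an administrator to find out whether a given Windows host is part of the population described above is to inspect the file version of the MSXML 4.0 library itself. The following PowerShell script is an added example, not code from the original post or from Secunia; it assumes (this is not stated in the post) that MSXML 4.0 SP3 installs `msxml4.dll` with a file version of 4.30.x, while SP2 and earlier builds report 4.20.x or lower, so anything below 4.30 is treated as the unsupported SP2-or-earlier case.

```powershell
# Added example (not from the original post): inventory check for MSXML 4.0 on a
# Windows host, flagging DLL versions older than SP3.
# Assumption (not in the post): SP3 ships msxml4.dll as 4.30.x; SP2 and earlier are below that.
$sp3Version = [version]'4.30.0.0'

# Both the native and the 32-bit-on-64-bit locations are checked.
$candidates = @(
    (Join-Path $env:SystemRoot 'System32\msxml4.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\msxml4.dll')
)

$results = foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $fileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        # FileVersion strings may carry trailing text; keep the leading dotted number.
        $parsed = [version](($fileVersion -split '\s')[0])
        [pscustomobject]@{
            Path        = $path
            FileVersion = $parsed
            Status      = if ($parsed -lt $sp3Version) { 'Pre-SP3 (unsupported)' } else { 'SP3 or later' }
        }
    }
}

if (-not $results) {
    Write-Output 'msxml4.dll not found: MSXML 4.0 is not installed on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it locally or push it to a fleet with `Invoke-Command`; a host that prints `Pre-SP3 (unsupported)` is one of the machines the Secunia figures are counting. Confirm the 4.30 threshold against Microsoft's published MSXML 4.0 version list before relying on it, since it is an assumption of this example rather than something the post states.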

If anyone has any thoughts on MSXML 4.0 SP2 and the vulnerabilities it introduces please drop me a comment below.


I'm also investigating whether Secunia can offer some statistics on the number of machines with missing MSXML updates that have third party browsers installed, as third party browsers are likely to be a mitigating factor for successful exploitation of vulnerabilities in Internet Explorer.

##### 18 June 2014 - Update from Secunia

It's taken me a while to update this post. The researchers at Secunia have been able to crunch some figures for me, and it appears that in May almost 92% of computers with unsupported versions of MSXML have one of the other major browsers installed (Chrome, Firefox, Opera, or Safari). That's not to say that they're being used. To the best of my knowledge the MSXML add-on isn't available in these other browsers, and if users aren't using Internet Explorer they wouldn't be exposed to exploits targeting MSXML.

I would hazard a guess that corporate environments would have a lower percentage of Windows computers with another browser installed and may be vulnerable to any updated attacks against MSXML.

1 -

2 -