/ MSXML

MSXML 4.0 SP3 is no longer supported (via MS14-033)

A quick skim through MS14-033 has led me to discover that my all time favourite piece of Microsoft Software, MSXML 4.0, has been unsupported since the 12th of April 2014.

I've just had a quick browse over Microsoft's June Security Bulletins and noticed that my all time favourite Microsoft Product, MSXML Core Services (see MSXML 4.0 SP2 - When Microsoft software can't and won't auto update and Statistics for unsupported MSXML 4.0 SP2 are not improving), has a security vulnerability that has been identified in MS14-033[1]. This time it's an "Important", Information Disclosure, vulnerability.

Due to my interest in MSXML 4.0 I had a look to see whether it was affected, and unfortunately there is no mention of it anywhere in the bulletin. The closest thing is the following quote:

The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.[1]

When I searched for XML Core Services in the aforementioned Microsoft Support Lifecylce Website I was pleasantly surprised that Support for MSXML 4.0 SP3 ended on the 12th of April 2014[2].

Unfortunately there's no further details on exactly how this vulnerability is exposed in MSXML 3.0 and 6.0, so it's hard to determine if this would affect the unsupported 4.0.

It looks like my concerns over MSXML 4.0 just expanded to include MSXML 4.0 SP3 now that it is unsupported. I'll be very interested in seeing how many devices have an unsupported version of MSXML on them now. I'd be hazarding a guess that it's closer to 100% than 0%.

I'm off to my suite of vulnerability management tools to see what sort of detection is available and how many devices are affected.


1 - https://technet.microsoft.com/en-us/library/security/MS14-033

2 - https://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+XML+Core+Services&Filter=FilterNO