Update - 2014-07-15:
All versions of MSXML 4.0 are no longer supported by Microsoft and will not receive any further security updates.

If you don't need MSXML 4.0, you should uninstall it. If you require MSXML 4.0 you should, at a minimum, ensure you've upgraded from SP2 to SP3 (this requires a manual update, and is available from Microsoft).

See my blog post, And it's official, MSXML 4.0 SP3 is out of support! for more information.

And now, back to your original broadcast.....

I know I'm beginning to look like a bit of a one trick pony now, but here's my latest findings about MSXML 4.0 SP3. It turns out that I may be wrong and MSXML 4.0 may still be under extended support for Windows 2003, Vista, and 2008.

Late last week I lodged a support request with Tenable to update their MSXML Unsupported Nessus plugin (62758[1]). Earlier today I received a response and was advised that MSXML 4.0 SP3 may still be under extended support with Microsoft. They pointed at the MSXML 4.0 SP3 release notes[2] where Microsoft state:

MSXML 4.0 SP3 is supported on the following operating systems:
· Windows 2000
· Windows Server 2003
· Windows XP
· Windows Vista
· Windows Server 2008

Support will follow the policy for Windows service packs listed at http://support.microsoft.com/default.aspx?pr=lifesupsps#Windows.

Because of this MSXML 4.0 SP3 may still be supported on some operating systems. This still leads to further questions about why MSXML 4.0 isn't mentioned anywhere on the MS14-033[3] bulletin. I've dropped Microsoft's security team an email to try and get to the bottom of this, and will write up another post when I have a response.

See my blog post, And it's official, MSXML 4.0 SP3 is out of support! for more information.


1 - http://www.tenable.com/plugins/index.php?view=single&id=62758

2 - http://download.microsoft.com/download/A/2/D/A2D8587D-0027-4217-9DAD-38AFDB0A177E/MSXML4%20SP3%20RTM%20Release%20Note.htm

3 - https://technet.microsoft.com/en-us/library/security/MS14-033