
And it's official, MSXML 4.0 SP3 is out of support!

If you've been following my journey with MSXML 4.0, you'll be glad to know that there is a definitive answer from Microsoft. All versions of MSXML 4.0 (including SP2 and SP3) are no longer supported, and will no longer receive security updates (from April 2014). My advice - uninstall it if you're not using it, or use Microsoft's EMET to stop IE exposing MSXML when on the internet.

Feedback from Microsoft.

I emailed the Microsoft Security Response Center to confirm whether the vulnerability in MS14-033 applied to MSXML 4.0 SP3, and to confirm the support status of MSXML 4.0. After a few emails back and forth they confirmed that their page on the Microsoft MSXML 4 (Microsoft XML Core Services) Support Lifecycle Policy [1] was able to answer my questions. It directly answered my question about support status, and indirectly implied that MSXML 4.0 may be affected by MS14-033 and any future vulnerabilities in MSXML. Their page states:

Microsoft will continue to support MSXML 4.0 by shipping updates for Service Pack 3 of MSXML 4.0 until the end of support on April 12th, 2014.[1]

That solves it once and for all, MSXML 4.0 SP3 is no longer supported. The page also states the following:

Unlike other MSXML versions that were shipped with Microsoft products, Microsoft MSXML 4 was shipped out-of-band and did not originally take a Support Lifecycle. To clarify the Support Lifecycle situation for customers, MSXML 4 will be defined as a "Tool."

A "Tool" is defined as a utility or feature that aids in accomplishing a discrete task or a limited set of tasks. Major Tool versions receive a minimum of 12 months notification prior to the end of support. Otherwise, support ends contemporaneously with the product versions for which they are intended (for example, Microsoft Windows).[1]

And this helps make a bit more sense of the confusion around its support: MSXML 4.0 is a "Tool" and is supported as such.

The page itself was also a little bizarre. As you'll see, the page doesn't have the typical Microsoft Support 'feel' to it, and even more bizarrely I can't seem to find it through either Google, Bing, or even Microsoft.com's search bar. It's as if the page isn't referenced from anywhere else. The Wayback Machine does have a copy of this page going back to 2011[2], so we know this support policy isn't a recent decision by Microsoft.

What does this mean? Uninstall all instances of MSXML 4.0.

If you're like the vast majority of Windows users out there, you're very likely to have some version of MSXML 4.0 installed - be that SP2 or SP3. If you're asking yourself "Do I really need MSXML 4.0 SP2?" or "Do I really need MSXML 4.0 SP3?", I've only come across one or two applications that require some version of MSXML 4.0. My advice to improve your security (and general state of computer cleanliness) is to add MSXML 4.0 to the same list as Java, Adobe Shockwave, and any other piece of software that's installed but not being used, and uninstall it. Simply open your control panel and uninstall it from either "Add/Remove Programs" or "Programs and Features".

Unfortunately there isn't one single app to uninstall; you'll need to go through each installation and security update in your program listing and remove them one by one. I've created a list of commands to uninstall each application in another blog post.
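
An added example (not from the original post or from Microsoft): a PowerShell inventory of the MSXML 4.0 program entries and msxml4.dll copies on a machine, so you can see every item that needs removing one by one. Matching on a DisplayName containing "MSXML 4" is an assumption; adjust it to what your own program listing shows.

```powershell
# Inventory MSXML 4.0 on the local machine: program-listing entries plus the DLL itself.
# Run from a 64-bit PowerShell on 64-bit Windows so registry and file paths are not redirected.
# Assumption: entries are matched on a DisplayName containing "MSXML 4".

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-Msxml4Entry {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }   # WOW6432Node is absent on 32-bit Windows
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like '*MSXML 4*') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.Name
                }
            }
        }
    }
}

function Get-Msxml4Dll {
    # msxml4.dll is the MSXML 4.0 library; check both system directories.
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:SystemRoot "$dir\msxml4.dll"
        if (Test-Path $path) {
            [pscustomobject]@{
                Path        = $path
                FileVersion = (Get-Item $path).VersionInfo.FileVersion
            }
        }
    }
}

$entries = @(Get-Msxml4Entry)   # one object per installation or security update listed
$dlls    = @(Get-Msxml4Dll)

$entries | Format-List | Out-Host
$dlls    | Format-Table -AutoSize | Out-Host

if ($entries.Count -eq 0 -and $dlls.Count -eq 0) {
    'No MSXML 4.0 installation found.'
} else {
    "Found $($entries.Count) program entries and $($dlls.Count) msxml4.dll files; review before uninstalling."
}
```

A msxml4.dll that remains after every listed entry is gone suggests an application shipped its own copy, which is worth checking before deleting anything by hand.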

EDIT: You can also install and configure Microsoft's EMET to stop Internet Explorer exposing MSXML when on the internet.

Let me know if you come across any applications that need MSXML 4.0 in the comment fields below, and I'll then collate them here on one site.

Status of Vulnerability Management Tools.

So far I've been in touch with Tenable, Rapid7, and Secunia. They've each got slightly different support models but I expect they'll update their products very shortly (in fact I'll update this post as I hear back from them).

Tenable - 2014-07-16
Tenable have updated their Nessus plugin 62758[3] to reflect that all versions of MSXML 4.0 are now unsupported. It took them just over 24 hours to update their plugin. Kudos to them for acting so quickly. This is typical of my excellent experience when working with the Tenable support and development teams.

Secunia - 2014-07-14
Secunia have updated PSI to reflect that all versions of MSXML 4.0 are unsupported and end-of-life. Secunia took under 24 hours to update their detection; however, they do one weird thing with the update: when you click on "update now", instead of linking to an advisory to uninstall MSXML 4.0, they direct users to the Microsoft download page for MSXML 6.0. MSXML 6.0 is installed by default in XP SP3, Vista, Windows 7, and Windows 8.1, and the link provided is only valid for Windows 2000 Service Pack 4, Windows Server 2003, Windows Server 2003 Service Pack 1, Windows XP Service Pack 1, and Windows XP Service Pack 2 - all of which are now unsupported operating systems. I have written to them suggesting that the link recommend uninstalling MSXML 4.0 instead of upgrading to 6.0.

Secunia - 2014-07-17
After writing to Secunia, they have advised that the file signatures department has "turned down my suggestion about changing the link, as they have to follow the officially stated solution by Microsoft, which is to upgrade to version 6.0".

Rapid7 - 2014-07-15
Rapid7 are yet to get back to me, but going on my last disclosure to them I assume that they'll update Nexpose to detect MSXML 4.0 SP3 as unsupported.

Qualys - 2014-07-16
I've emailed Qualys asking for confirmation on whether they detect MSXML 4.0 as unsupported.

Qualys - 2014-07-18
Per the comments section below Qualys have released 105576 titled "EOL/Obsolete Software: Microsoft XML Parser and Microsoft XML Core Services (MSXML) 4.0 Detected".

Is this the end for MSXML 4.0 and me?

I think that I'm getting pretty close to the end now. I haven't seen any sort of exploit written for the large number of machines that have MSXML 4.0 SP2, and I'm not aware of any exploits currently available for MSXML 4.0 SP3. That said, I'll be keeping my ear to the ground for any active exploits as well as any security bulletins that relate to MSXML 3.0, 5.0, or 6.0 - as they might indicate something that will perpetually be vulnerable in 4.0.

What else have I learned?

The interesting thing that I've observed during this series is that I'm getting a slow and steady stream of readers from all over the globe. The most frequently visited page is my original post on MSXML 4.0 SP2 being unable to auto-update. It seems to me that people are still finding it difficult to find specific information on the status and security of MSXML 4.0.

Now, I'm off to think of my next topic to investigate and blog about. Until then, happy uninstalling MSXML...... or happy installing EMET..........


1 - https://support.microsoft.com/gp/msxmlannounce - (this site is no longer available, but is available via the wayback machine - https://web.archive.org/web/20140720094303/http://support.microsoft.com/gp/msxmlannounce, additionally https://support.microsoft.com/en-au/lifecycle?C2=1198 provides support life-cycle information)

2 - https://web.archive.org/web/20111022193529/http://support.microsoft.com/gp/msxmlannounce

3 - http://www.tenable.com/plugins/index.php?view=single&id=62758