MSXML 3.0, 4.0 and 6.0

    Question

  • I have been assigned to find out what certain machines (7 (32/64), 2008 R2 (32/64) and 2003 R2 (32)) are reporting through the Nessus tool as outstanding for MSXML 4.0 SP2. The article referenced by Nessus is dated 12/2013, and the releases for MSXML 3/4/6 for SP3 are not available. While surfing I found out there is a standalone download of a new release for MSXML 3.0 SP11 dated 2/2014. Reading a couple of articles, I found that MSXML 3.0 is a limited version of MSXML 6.0 for backward compatibility and legacy support. MSXML 4.0 is being superseded by MSXML 6.0. I have not found the latest version of MSXML 6.0 as a standalone download. My workstation does contain MSXML 3.0 SP11 matching the standalone download version I found, but I also have MSXML 6.0 SP3. Is there a redistributable or .NET Framework version that loads these DLLs to the target machine? I have found out, for instance, that Windows Vista machines do include this DLL out of the box. I have also read that SQL Server 2005 provides the MSXML 6.0 DLL when downloaded. Is there anyone who could guide me to find these DLLs?

    michael john ocasio


    • Edited by mjocasio23 Friday, February 28, 2014 11:21 PM
    Friday, February 28, 2014 10:29 PM

All replies

  • The XML DevCenter is here: http://msdn.microsoft.com/en-US/data/bb190600.aspx

    The dedicated XML forum is here: http://social.msdn.microsoft.com/Forums/en-US/home?forum=xmlandnetfx

    The most recent XML security bulletin (which contains a lot of useful information for the topic) is here: https://technet.microsoft.com/en-us/security/bulletin/ms14-005

    This blog post by the XML team discusses how XML is now an OS component: http://blogs.msdn.com/b/xmlteam/archive/2010/07/02/msxml6-is-now-in-band-msi-setup-headaches-should-now-almost-be-gone.aspx

    This KB article discusses versions of XML: https://support.microsoft.com/kb/269238

    I have not found a simple answer to the question: How do I get SP3 for XML6.0?
    (in case that is the question you are asking)

    On my example Win7SP1 32bit pc, I have c:\windows\system32\msxml6.dll, version 6.30.7601.17988 dated 1/11/2012 (1st November 2012). I'm not exactly sure what implemented this version on this pc, but I suspect it was a security update.
    EDIT: probably MS13-002 gave me this version.
    http://support.microsoft.com/kb/2757638


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)




    • Edited by DonPick Saturday, March 01, 2014 9:39 AM
    • Marked as answer by mjocasio23 Saturday, March 01, 2014 6:00 PM
    Saturday, March 01, 2014 9:32 AM
  • SP3 is an old one... As I said, I had only found a standalone security update for MSXML 3.0 SP11 dated 2/14. The more current ones for MSXML 4.0 and 6.0 are dated back in 12/2013. It leads me to the conclusion that it wasn't a security update done by WSUS, so it must have been done by a software product such as Visual Studio, Framework, and there are others... like SQL Server 2005/2008. I am leaning towards the Framework... thanks for the links, they are helpful.


    michael john ocasio

    Saturday, March 01, 2014 5:11 PM
  • SP3 is an old one... As I said, I had only found a standalone security update for MSXML 3.0 SP11 dated 2/14. The more current ones for MSXML 4.0 and 6.0 are dated back in 12/2013. It leads me to the conclusion that it wasn't a security update done by WSUS, so it must have been done by a software product such as Visual Studio, Framework, and there are others... like SQL Server 2005/2008.

    Generally speaking, MSXML service packs are not available via AU/WU/MU/WSUS.

    As particularly applies to the MSXML 4 product, this is a very unique scenario, because MSXML was built and distributed exclusively by ISVs to support their products. MSXML v4 SP2 is the current version, but SP2 was not released to AU/WU/MU/WSUS. There is also a Security Update (Critical) for MSXML v4 SP2, that is not available for MSXML v4 SP1 (or RTM) - and most ISVs distributed the RTM/SP1 versions, not the SP2 version.

    I discuss this entire scenario in a PatchZone blog post at

    http://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2013/10/16/have-you-patched-your-msxml-40-installations

    Also note the comments where a recent blog post has expanded on information relevant to the MSXML4 scenario.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by mjocasio23 Tuesday, March 11, 2014 12:17 PM
    Friday, March 07, 2014 3:28 AM
    Moderator
  • Just one more thing... With the machines that are in compliance; in other words, they do not have MSXML version 4.0 installed but they do have the latest for MSXML 3.0 and 6.0.

    MSXML 6.0 SP3 Version 6.30.7601.17988 (MS13-002 -- KB2757638)

    MSXML 3.0 SP11 Version 8.110.7601.18334 (MS14-005 – KB2916036)

    Should we assume these machines never had MSXML 4.0, or that it was removed by the latest Windows Malicious Software Removal Tool (KB890830)?

    Is this an unnecessary effort to find out why machines never had this MSXML, assuming they were built with the same image template?

    thanks

     

    michael john ocasio

    Tuesday, March 11, 2014 12:39 PM
  • With the machines that are in compliance; in other words, they do not have MSXML version 4.0 installed but they do have the latest for MSXML 3.0 and 6.0.

    MSXML 6.0 SP3 Version 6.30.7601.17988 (MS13-002 -- KB2757638)

    MSXML 3.0 SP11 Version 8.110.7601.18334 (MS14-005 – KB2916036)

    Should we assume these machines never had the MSXML 4.0

    That seems a reasonable assumption. Perhaps more relevant that they don't have it now; probably not much relevant whether they did or did not have it in the past.
    or it was removed by the latest Windows Malicious Software Removal Tool (KB890830).
    Uh, no, that's not within the scope of operations performed by the MSRT.

    Is this an unnecessary effort to find out why machines never had this MSXML, assuming they were built with the same image template?

    I would think the previous descriptions of where MSXML4 comes from should address this question. MSXML4 was distributed ONLY BY ISVs with their products that required an MSXML engine. If you didn't install an ISV product using MSXML4 on your reference machine, then there's absolutely no reason to think there would be instances of MSXML4 cloned throughout your environment. Any machines that do have MSXML4 almost certainly acquired it due to a post-image application installation.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by mjocasio23 Wednesday, March 12, 2014 12:50 PM
    Tuesday, March 11, 2014 4:26 PM
    Moderator
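
The compliance check discussed in the posts above can be scripted per machine. This is an added example, not code from the thread: it compares the MSXML 3.0 and 6.0 file versions against the two versions quoted above and flags any copy of MSXML 4.0. The file names `msxml3.dll` and `msxml4.dll` and the use of the quoted versions as a baseline for every OS in scope are assumptions.

```powershell
# Added example. Baseline versions are the ones quoted in this thread;
# treating them as the minimum for every OS build in scope is an assumption.
$baseline = @{
    'msxml3.dll' = [version]'8.110.7601.18334'   # MSXML 3.0 SP11 (MS14-005, KB2916036)
    'msxml6.dll' = [version]'6.30.7601.17988'    # MSXML 6.0 SP3 (MS13-002, KB2757638)
}

# Check both system folders so 32-bit copies on 64-bit Windows are covered.
# Run from a 64-bit PowerShell on 64-bit Windows, otherwise System32 is redirected.
$folders = @("$env:windir\System32", "$env:windir\SysWOW64") |
    Where-Object { Test-Path $_ }

$report = foreach ($folder in $folders) {
    foreach ($dll in 'msxml3.dll', 'msxml4.dll', 'msxml6.dll') {
        $path = Join-Path $folder $dll
        if (-not (Test-Path $path)) { continue }

        # Build the version from its numeric parts; the FileVersion string
        # can carry extra text after the number and will not always parse.
        $vi  = (Get-Item $path).VersionInfo
        $ver = New-Object version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        $status = if ($dll -eq 'msxml4.dll') {
            'MSXML 4.0 present'
        } elseif ($ver -ge $baseline[$dll]) {
            'at or above baseline'
        } else {
            'below baseline'
        }

        New-Object psobject -Property @{
            Computer = $env:COMPUTERNAME
            Path     = $path
            Version  = $ver
            Status   = $status
        }
    }
}

$report | Sort-Object Path | Format-Table Computer, Path, Version, Status -AutoSize
```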
  • Just one more question, what is the acronym for ISV? (Independent Software Vendor)

    thank you for your help...

     

    michael john ocasio


    • Edited by mjocasio23 Wednesday, March 12, 2014 12:57 PM
    Wednesday, March 12, 2014 12:50 PM
  • We decided to remove MSXML 4.0 SP2 and previous versions due to the LET coming this next month, instead of upgrading to MSXML 4.0 SP3. We have server machines with Windows Server 2003 SP1 and Windows Server 2008 R2 SP1. On the client side we have Windows 7 SP. I learned that when applications are redistributed using Windows Installer there is a ProgID associated with an MSXML x.x component bundled with that application. In a system where there are multiple applications using MSXML and someone tries to uninstall the latest, you get a warning describing the dependency. I just don't know how descriptive the warning is, and whether it will actually list the application or applications affected by removing this DLL. As I stated earlier, we decided to remove any version of MSXML 4.0 present on our machines, but we have not found a quick and efficient way to do this while minimizing risks that may impact the operation of the machine. Through the KB patch we have narrowed the list of OS platforms that it will impact. What we cannot get around is the third-party software that might require the redistribution of MSXML 4.0. The approach that management approved was to identify the third-party software present on the machine and research the requirements for installation. The second approach was to rename MSXML 4.0 in the system folder, launch the third-party app and notice if there is any break. My judgement is that both approaches are lengthy and tedious. Is there a better approach to identify third-party applications associated with MSXML 4.0? I am planning to follow the steps to remove the MSXML 4.0 DLL and see if the warning will point to the application or applications affected. I am also aware that MSXML 4.0 writes the ProgID to the registry, and I was wondering if I could retrieve the entry in the registry that would give me a clue whether this application needs this MSXML. Any suggestions are welcome.

    michael john ocasio

    Saturday, March 29, 2014 9:08 PM
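
One further way to approach the question in the last post, given here as an added example that is not part of the thread: list the running processes that currently have the MSXML 4.0 DLL loaded. The module name `msxml4.dll` is an assumption, and the check only sees applications that are running, and have loaded the DLL, at the moment it is executed.

```powershell
# Added example: report running processes that have msxml4.dll loaded.
# Run elevated, from a PowerShell host of the same bitness as the applications
# being checked: module enumeration does not cross the 32/64-bit boundary.
$target = 'msxml4.dll'

$hits = foreach ($proc in Get-Process) {
    try {
        foreach ($mod in $proc.Modules) {
            if ($mod.ModuleName -eq $target) {
                New-Object psobject -Property @{
                    Computer   = $env:COMPUTERNAME
                    Process    = $proc.ProcessName
                    Id         = $proc.Id
                    Executable = $proc.Path
                    ModulePath = $mod.FileName
                }
            }
        }
    } catch {
        # Protected processes, processes of the other bitness and processes
        # that exited mid-scan refuse module enumeration; skip them.
    }
}

if ($hits) {
    $hits | Sort-Object Process |
        Format-Table Computer, Process, Id, Executable, ModulePath -AutoSize
} else {
    "No running process on $env:COMPUTERNAME has $target loaded."
}
```

Repeating the check over a period of normal use, before renaming or removing the DLL, catches applications that load MSXML only during particular operations.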