none
Uninstalling Old MSXML Parser Versions RRS feed

  • Question

  • My network team recently sent me a Nessus Scan for my Windows 2012 servers. On it is listed a 'critical' issue of 'Microsoft XML Parser (MSXML) and XML Core Services Unsupported'.  I checked the server and lo and behold there are some MSXML#.dll files in there for version 3 (in addition to version 6).

    To clean up the report I'd like to remove the old version, but I can not find a method to do this.  It doesn't show up in windows features, uninstall programs, etc.  What is the proper way to remove the old version?  Simply delete the DLL?  Or something more involved?

    These servers are Windows 2012 R2 Datacenter edition.  They were setup only a couple of months ago and while I don't recall installing old XML Parsers, it's possible it was auto installed or a coworker did it.

    Thanks

    H


    Tuesday, August 4, 2015 6:47 PM

All replies

  • Does Nessus say why it considers it a 'critical issue'?  I am generally hesitant to take the word of many of these scanning programs because they have to find something in order to be of 'value'.  I just installed a 2012 R2 system.  It has both version 3 and version 6 files.  If they were a 'critical issue', I am sure Microsoft would have done something about it. 

    My first order of business would be to determine why Nessus thinks it is a critical issue.  Then if you still want to remove them, backup the system, and delete the files you don't want.


    . : | : . : | : . tim

    Tuesday, August 4, 2015 10:40 PM
  • The 'critical' issue that our report claims is that it's 'out of support'.  If deleting the DLLs is all that's necessary, that'd be a great and simple fix.

    Thanks

    Thursday, August 6, 2015 2:56 PM
  • Hi H,

    Since the result is evaluated by third party soft please get their help about the root reason, same time please keep the following recommended settings when we use the security soft on Windows Server.

    Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

    https://support.microsoft.com/en-us/kb/822158

    I’m glad to be of help to you!


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


    Wednesday, August 12, 2015 7:23 AM
    Moderator
  • We had a recent Nessus scan and had this on multiple servers, ranging from Server 2008 R2, Server 2012 and Server 2012 R2.

    The results were:

    The remote Windows host contains unsupported XML parsers.

    http://support.microsoft.com/kb/269238
    http://msdn.microsoft.com/en-us/library/jj152146(v=vs.85).aspx

    Path: C:\Windows\SysWOW64\msxml4.dll
    File version: 4.20.9818.0
    XML Core version: 4.0 Post SP3 (KB2758694)
    EOL date: 2014/04/12
    EOL announcement: http://support.microsoft.com/gp/msxmlannounce
    Supported versions : 5.10.2930.0 / 6.0 or greater.

    On the 2008 R2 servers, there were at least two items listed in Programs and Features:
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)

    Uninstall works fine, but the DLL still remains in C:\Windows\SysWOW64.

    The Server 2012 and Server 2012 R2 do not show anything to uninstall in Programs and Features.

    If MSXML 4 is no longer support, how do you remove it?

    Thank you.

    Aaron

    Wednesday, August 19, 2015 2:19 AM
  • Did you ever get an answer? or just remove the DLL?

    I have the same issue.

    Thanks..

    Monday, August 1, 2016 3:19 PM
  • Hi!

    Were you able to find a solution or is it just to remove the .dll? I ran into the same problem with a recent scan.

    Thanks!

    Tuesday, September 27, 2016 4:26 PM
  • Did anyone find a solution on removing the xml parser or did you just remove the .dll?

    Wednesday, March 1, 2017 2:52 PM
  • I too am interested in this isssue - has anyone just deleted the files?
    Wednesday, May 10, 2017 1:07 PM
  • We are dealing with this too, and looking at the impact of just deleting the file. I'll report back findings!
    Wednesday, May 24, 2017 3:17 PM
  • We have been renaming the DLL.  Removing would also probably work but we were just being extra careful.  We have a script that renames it to msxml4.OLD and run it against the network every once in a while.  That seems to satisfy the scanner and if a malicious program does try to call msxml4.dll it will not be able to.
    Tuesday, June 27, 2017 7:40 PM
  • We ended up just deleting it. No one hollered.
    Thursday, July 13, 2017 7:44 PM
  • What a lazy response!

    I'm horrified to see a suggestion that involves manually deleting an installed and registered component, and the recommendations regarding virus exclusions (below) indicate a poor grasp of the problem, and more generally of information security.

    Essentially, the MSXML v4.0 parser reached end-of-life on 2014/04/12.:
    https://support.microsoft.com/en-gb/help/269238/list-of-microsoft-xml-parser-msxml-versions

    MSRC have issued advisories which suggest (if not confirm) this component is vulnerable to multiple arbitrary remote code execution flaws. Those are also listed in the above article.

    Unsupported software is a critical risk, period, and business' clients require them to manage such risks.

    Quality advice on this subject should be the least one can expect when contacting MS representatives. I invite you to try harder.

    Thursday, February 15, 2018 4:29 PM
  • removing the msxml4 and msxml4r.dll from the C:\Windows\SysWOW64\ folder (and system32, if there) does not seem to clear the vulnerability from the nessus reports. is there something else which is required. I am writing this while on hold with Tenable to try to find out what their report is actually looking for.

    thanks, Wayne

    Tuesday, March 20, 2018 4:12 PM
  • Please let us know what tenable states.  Running into same issue for a client with a tenable scan.  We remove the msxml.dll file from System32 and SYSWOW64.  On Reboot seems to get "reinstalled" with nothing in the logs stateing what reinstalled these files.  Client is against running a scheduled task or startup script to remove these files over and over.  Deleting file mid day, no end users complain of issues.

    It's a strange one!


    That's Men

    Tuesday, March 20, 2018 6:03 PM
  • removing the msxml4 and msxml4r.dll from the C:\Windows\SysWOW64\ folder (and system32, if there) does not seem to clear the vulnerability from the nessus reports. is there something else which is required. I am writing this while on hold with Tenable to try to find out what their report is actually looking for.

    thanks, Wayne

    I'll preface this comment with the fact that I have not done extensive research on this topic. However, there seems to be multiple reported attack vectors due to the core XML services being older and outdated. 

    Here is the security bulletin from MSFT in 2007 about what can happen is compromised. 

    https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-042

    Execution of code, memory overflow, etc...

    https://www.cvedetails.com/product/1813/Microsoft-Xml-Core-Services.html?vendor_id=26

    I find it very strange the way this service/software was designed to work. Apparently, I don't have a good enough background or history (nor do I care to get my thesis in XML on a Windows OS). 

    Anyway, 

    @Nerishi is correct. Shrugs and manual deletions feel extremely odd. 

    Tuesday, May 1, 2018 6:18 PM
  • Well said! That was a weak response from MS.
    Tuesday, May 22, 2018 10:01 PM
  • Hi,

    You need to rename the MSXML4.dll file on below path or you just need to remove the extension.

    C:\windows\SYSWOW64

    After rename ,please check with security team to rescan the server.


    Thursday, November 29, 2018 8:10 AM
  • wmic product where "name like 'MSXML 4.0 SP%%'" call uninstall /nointeractive

    :)

    Monday, October 21, 2019 4:25 PM