Uninstalling Old MSXML Parser Versions

  • Question

  • My network team recently sent me a Nessus Scan for my Windows 2012 servers. On it is listed a 'critical' issue of 'Microsoft XML Parser (MSXML) and XML Core Services Unsupported'.  I checked the server and lo and behold there are some MSXML#.dll files in there for version 3 (in addition to version 6).

    To clean up the report I'd like to remove the old version, but I cannot find a method to do this.  It doesn't show up in Windows features, uninstall programs, etc.  What is the proper way to remove the old version?  Simply delete the DLL?  Or something more involved?

    These servers are Windows 2012 R2 Datacenter edition.  They were set up only a couple of months ago and while I don't recall installing old XML Parsers, it's possible it was auto installed or a coworker did it.

    Thanks

    H


    19/Shawwal/1436 06:47 PM

All replies

  • Does Nessus say why it considers it a 'critical issue'?  I am generally hesitant to take the word of many of these scanning programs because they have to find something in order to be of 'value'.  I just installed a 2012 R2 system.  It has both version 3 and version 6 files.  If they were a 'critical issue', I am sure Microsoft would have done something about it. 

    My first order of business would be to determine why Nessus thinks it is a critical issue.  Then if you still want to remove them, back up the system, and delete the files you don't want.


    . : | : . : | : . tim

    • Proposed as answer by Alex LvModerator 27/Shawwal/1436 07:23 AM
    19/Shawwal/1436 10:40 PM
  • The 'critical' issue that our report claims is that it's 'out of support'.  If deleting the DLLs is all that's necessary, that'd be a great and simple fix.

    Thanks

    21/Shawwal/1436 02:56 PM
  • Hi H,

    Since the result is evaluated by third-party software, please get their help about the root reason; at the same time, please keep the following recommended settings when we use security software on Windows Server.

    Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

    https://support.microsoft.com/en-us/kb/822158

    I’m glad to be of help to you!


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


    • Edited by Alex LvModerator 25/Dhu al-Qi'dah/1436 10:38 AM
    27/Shawwal/1436 07:23 AM
    Moderator
  • We had a recent Nessus scan and had this on multiple servers, ranging from Server 2008 R2, Server 2012 and Server 2012 R2.

    The results were:

    The remote Windows host contains unsupported XML parsers.

    http://support.microsoft.com/kb/269238
    http://msdn.microsoft.com/en-us/library/jj152146(v=vs.85).aspx

    Path: C:\Windows\SysWOW64\msxml4.dll
    File version: 4.20.9818.0
    XML Core version: 4.0 Post SP3 (KB2758694)
    EOL date: 2014/04/12
    EOL announcement: http://support.microsoft.com/gp/msxmlannounce
    Supported versions : 5.10.2930.0 / 6.0 or greater.

    On the 2008 R2 servers, there were at least two items listed in Programs and Features:
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)

    Uninstall works fine, but the DLL still remains in C:\Windows\SysWOW64.

    The Server 2012 and Server 2012 R2 do not show anything to uninstall in Programs and Features.

    If MSXML 4 is no longer supported, how do you remove it?

    Thank you.

    Aaron

    04/Dhu al-Qi'dah/1436 02:19 AM
  • Did you ever get an answer? Or just remove the DLL?

    I have the same issue.

    Thanks..

    27/Shawwal/1437 03:19 PM
  • Hi!

    Were you able to find a solution or is it just to remove the .dll? I ran into the same problem with a recent scan.

    Thanks!

    26/Dhu al-Hijjah/1437 04:26 PM
  • Did anyone find a solution on removing the xml parser or did you just remove the .dll?

    02/Jumada al-Thani/1438 02:52 PM
  • I too am interested in this issue - has anyone just deleted the files?
    14/Sha'ban/1438 01:07 PM
  • We are dealing with this too, and looking at the impact of just deleting the file. I'll report back findings!
    28/Sha'ban/1438 03:17 PM
  • We have been renaming the DLL.  Removing would also probably work but we were just being extra careful.  We have a script that renames it to msxml4.OLD and run it against the network every once in a while.  That seems to satisfy the scanner and if a malicious program does try to call msxml4.dll it will not be able to.
    03/Shawwal/1438 07:40 PM
  • We ended up just deleting it. No one hollered.
    19/Shawwal/1438 07:44 PM
  • What a lazy response!

    I'm horrified to see a suggestion that involves manually deleting an installed and registered component, and the recommendations regarding virus exclusions (below) indicate a poor grasp of the problem, and more generally of information security.

    Essentially, the MSXML v4.0 parser reached end-of-life on 2014/04/12:
    https://support.microsoft.com/en-gb/help/269238/list-of-microsoft-xml-parser-msxml-versions

    MSRC have issued advisories which suggest (if not confirm) this component is vulnerable to multiple arbitrary remote code execution flaws. Those are also listed in the above article.

    Unsupported software is a critical risk, period, and business' clients require them to manage such risks.

    Quality advice on this subject should be the least one can expect when contacting MS representatives. I invite you to try harder.

    29/Jumada al-Awwal/1439 04:29 PM
  • Removing the msxml4 and msxml4r.dll from the C:\Windows\SysWOW64\ folder (and system32, if there) does not seem to clear the vulnerability from the Nessus reports. Is there something else which is required? I am writing this while on hold with Tenable to try to find out what their report is actually looking for.

    thanks, Wayne

    03/Rajab/1439 04:12 PM
  • Please let us know what Tenable states.  Running into same issue for a client with a Tenable scan.  We remove the msxml.dll file from System32 and SYSWOW64.  On reboot it seems to get "reinstalled" with nothing in the logs stating what reinstalled these files.  Client is against running a scheduled task or startup script to remove these files over and over.  Deleting file mid day, no end users complain of issues.

    It's a strange one!


    That's Men

    03/Rajab/1439 06:03 PM
  • Removing the msxml4 and msxml4r.dll from the C:\Windows\SysWOW64\ folder (and system32, if there) does not seem to clear the vulnerability from the Nessus reports. Is there something else which is required? I am writing this while on hold with Tenable to try to find out what their report is actually looking for.

    thanks, Wayne

    I'll preface this comment with the fact that I have not done extensive research on this topic. However, there seem to be multiple reported attack vectors due to the core XML services being older and outdated.

    Here is the security bulletin from MSFT in 2007 about what can happen if compromised.

    https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-042

    Execution of code, memory overflow, etc...

    https://www.cvedetails.com/product/1813/Microsoft-Xml-Core-Services.html?vendor_id=26

    I find it very strange the way this service/software was designed to work. Apparently, I don't have a good enough background or history (nor do I care to get my thesis in XML on a Windows OS). 

    Anyway, 

    @Nerishi is correct. Shrugs and manual deletions feel extremely odd. 

    15/Sha'ban/1439 06:18 PM
  • Well said! That was a weak response from MS.
    07/Ramadan/1439 10:01 PM
  • Hi,

    You need to rename the MSXML4.dll file on the path below, or you just need to remove the extension.

    C:\windows\SYSWOW64

    After renaming, please check with the security team to rescan the server.


    21/Rabi' al-Awwal/1440 08:10 AM
  • wmic product where "name like 'MSXML 4.0 SP%%'" call uninstall /nointeractive

    :)

    22/Safar/1441 04:25 PM
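
An added example, not part of any post above and not Microsoft or Tenable code: a read-only PowerShell inventory of the three traces of MSXML 4.0 that the thread discusses, namely the msxml4 DLLs and their file versions in System32 and SysWOW64, the "MSXML 4.0" entries that Programs and Features lists, and COM classes still registered against msxml4.dll. The registry paths are the standard Windows Uninstall and CLSID locations; which of these a given scanner checks is not stated in the thread.

```powershell
# Added example (assumption: 64-bit elevated PowerShell 3.0+ on the server).
# Read-only: nothing is renamed, deleted or uninstalled.

# Folders named in the thread where msxml4.dll / msxml4r.dll were found.
$folders = @("$env:windir\System32", "$env:windir\SysWOW64")
$files = foreach ($dir in $folders) {
    Get-ChildItem -Path $dir -Filter 'msxml4*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                LastWrite   = $_.LastWriteTime
            }
        }
}

# Entries that Programs and Features lists, read from the Uninstall keys
# in both the 64-bit and the 32-bit (WOW6432Node) registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'MSXML 4.0*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# COM classes whose in-process server still points at msxml4.dll.
# A leftover registration means callers can still resolve the component
# if the file reappears. This walk over CLSID can take a minute.
$comRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
)
$com = foreach ($root in $comRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $key    = Join-Path $_.PSPath 'InprocServer32'
        $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($server -like '*msxml4.dll') {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
        }
    }
}

"msxml4 files on disk:";             $files    | Format-Table -AutoSize | Out-String
"MSXML 4.0 installed products:";     $products | Format-List | Out-String
"COM classes served by msxml4.dll:"; $com      | Format-Table -AutoSize | Out-String
```

Running it before and after an uninstall or rename shows which of the three traces (file, product entry, COM registration) is still present when a rescan keeps reporting the finding.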