So, I was just reviewing my workstations for vulns, and came across MSXML 4.0 still being on some of my machines.
These are all Windows 7 machines, they had MSXML 4.0 installed on them and I issued the following commands to remove it:
Uninstall MSXML 4.0 SP2 (KB954430) 4.20.9870.0:
%windir%\System32\msiexec.exe /x {86493ADD-824D-4B8E-BD72-8C5DCDC52A71} /qn /norestart
Uninstall MSXML 4.0 SP2 (KB973688) 4.20.9876.0:
%windir%\System32\msiexec.exe /x {F662A8E6-F4DC-41A2-901E-8C11F044BDEC} /qn /norestart
(These were the only two versions I found on my network at the time of removal)
Now, in WSUS, I'm still seeing these as being installed, and when I look at the machines themselves, I found the following files on the computers:
Path | Version | Product
C:\Windows\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9876.0_none_b7e610287b2b4ea5\msxml4.dll | 4.20.9818.0 | Microsoft(R) MSXML 4.0 SP 2
C:\Windows\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d\msxml4.dll | 4.20.9876.0 | Microsoft(R) MSXML 4.0 SP 2
C:\Windows\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6\msxml4r.dll | 4.10.9404.0 | Microsoft(R) MSXML 4.0 SP1
C:\Windows\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d\msxml4r.dll | 4.10.9404.0 | Microsoft(R) MSXML 4.0 SP1
C:\Windows\SysWOW64\msxml4.dll | 4.20.9876.0 | Microsoft(R) MSXML 4.0 SP 2
C:\Windows\SysWOW64\msxml4r.dll | 4.10.9404.0 | Microsoft(R) MSXML 4.0 SP1
The registry is also littered with references to syswow64\msxml4.dll and syswow64\msxml4r.dll in the following locations ("\..." indicates several subkeys contain references):
HKLM\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\...
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\...
HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs
I've tried installing and removing the updates, but the files and references are still there.
I'm not entirely certain how to use the advice at https://altonblom.com/s34e10/, since my version numbers aren't the same as the poster's, and looking at http://support.microsoft.com/kb/269238 doesn't help much either.
I'm not sure how to proceed, I still haven't cracked the WinSXS nut.
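A read-only inventory of the leftovers described in the message above, as an added example that is not part of the original post. The file locations, product codes and the TypeLib/SharedDLLs keys are the ones quoted in the post; the two Uninstall key locations are an assumption added here, being the standard places where Windows Installer products register.

```powershell
# Added example: read-only inventory of MSXML 4.0 remnants on the local machine.
# Run from an elevated 64-bit PowerShell so System32 is not redirected to SysWOW64.

# 1. msxml4.dll / msxml4r.dll copies in the system directories and the WinSxS store
$roots = "$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\winsxs"
$files = foreach ($root in $roots) {
    $deep = $root -like '*\winsxs'          # only the side-by-side store needs recursion
    Get-ChildItem -Path $root -Filter 'msxml4*.dll' -Recurse:$deep -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                Product = $_.VersionInfo.ProductName
            }
        }
}

# 2. Are the two MSI product codes from the post still registered?
#    (Uninstall key locations are an assumption, not taken from the post.)
$productCodes   = '{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}', '{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}'
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$products = foreach ($code in $productCodes) {
    foreach ($root in $uninstallRoots) {
        $key = "$root\$code"
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{ ProductCode = $code; Name = $p.DisplayName; Version = $p.DisplayVersion }
        }
    }
}

# 3. SharedDLLs reference counts that still name the MSXML 4.0 DLLs
$sharedKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs'
$shared = if (Test-Path -LiteralPath $sharedKey) {
    $k = Get-Item -LiteralPath $sharedKey
    $k.GetValueNames() | Where-Object { $_ -match '\\msxml4r?\.dll$' } |
        ForEach-Object { [pscustomobject]@{ File = $_; RefCount = $k.GetValue($_) } }
}

# 4. Is the MSXML 4.0 type library still registered?
$typeLib = 'HKLM:\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0'

'Files on disk:';            $files    | Format-Table -AutoSize
'MSI products registered:';  $products | Format-Table -AutoSize
'SharedDLLs references:';    $shared   | Format-Table -AutoSize
"TypeLib 4.0 key present: $(Test-Path -LiteralPath $typeLib)"
```

Files that remain while neither product code is registered are what a file-based scanner check such as the Nessus output quoted later in this thread will keep reporting.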
From: Eric Henson [mailto:***@pfsweb.com]
Sent: Wednesday, September 3, 2014 2:02 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Re: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia. [WARNING: DKIM validation failed]
There's no patch shown for MSXML 4.0 because it is EOL. You have to use MSXML 6.0, which isn't an upgrade of 4.0.
--
ERIC HENSON
Systems Solutions Architect
PFSweb | www.pfsweb.com
p: 972.881.2900 x3104
m: 972.948.3424
From: Michael Cramer [mailto:***@outlook.com]
Sent: Wednesday, September 03, 2014 12:13 PM
To: Patch Management Mailing List
Subject: [patchmanagement] Re: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia. [WARNING: DKIM validation failed]
Manual updates also said the patch wasn't required.
Sent from Surface
From: Schuyler Dorsey<mailto:***@kellerschroeder.com>
Sent: Wednesday, September 3, 2014 10:08
To: Patch Management Mailing List<mailto:***@listserv.patchmanagement.org>
As a colleague says, WU and WSUS lie. ☺ I use mostly Qualys for vuln mgmt. and have found a dozen instances which it flagged a missing patch. WU and WSUS both reported the box up to date. Went and manually found the update online and downloaded it. Verified the box didn't have it installed then installed it. Re-scanned and the vuln was gone.
I have seen this with several Windows and SQL updates.
Thanks!
Schuyler Dorsey, CISSP
Systems Engineer
Phone: (812) 492-7361
Fax: (812) 474-6835
www.kellerschroeder.com
"To err is human.. but to really foul things up requires root."
From: Michael Cramer [mailto:***@outlook.com]
Sent: Wednesday, September 03, 2014 7:47 AM
To: Patch Management Mailing List
Subject: Re: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia. [WARNING: DKIM validation failed]
I've always found Nessus to be a bit odd in what it flags. I've got some SQL instances where WU and MU don't flag for updates but Nessus swears is vulnerable.
Sent from my iPhone
On Sep 3, 2014, at 00:54, Justin Leney <***@discovery.com<mailto:***@discovery.com>> wrote:
That is true. In my organization, I deployed MSXML4 SP3 and MS13-002 (the post-SP3 hotfix) to the majority of Windows 2003 and Windows 2008+R2 servers in our environment, which brought MSXML4.dll up to the highest version possible, which satisfied Nessus.
This past month, Nessus seemed to have changed its plugin, as it considered any instance of the MSXML4.dll as being a vulnerability.
This past weekend I deployed a little batch file, against pretty much all of my servers, that simply unregistered the .DLL and deleted the .DLL from …\Syswow64 and …\System32.
Once the .DLL has been deleted, Nessus (or actually, Tenable in my case) no longer sees the MSXML4 EOL vulnerability.
Luckily, we've had only one webapp whose code relied specifically on MSXML4, so we re-installed MSXML4 SP3 to that server.
Anyways, what Lars mentioned earlier is too true - neither WU/MU nor Lumension shows that MSXML4.dll is considered a vulnerability, just Nessus.
From: Benedetti White,Arthur D (BPA) - JNI-2 [mailto:***@bpa.gov]
Sent: Tuesday, September 2, 2014 16:06
To: Patch Management Mailing List
Subject: RE: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia. [WARNING: DKIM validation failed]
I see that now, they must have updated their plugin after the v4 end of life. I will check with our backup team to see if Veritas supports a higher version as that product used to be the one that put msxml 4 on all of our systems.
-Arthur
From: Joe Norton [mailto:***@msufcu.org]
Sent: Tuesday, September 02, 2014 12:43 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia. [WARNING: DKIM validation failed]
Here is what Nessus is saying about MS XML 4.0 SP3 currently:
Path : C:\Windows\SysWOW64\msxml4.dll
File Version : 4.20.9876.0
XML Core version : 4.0 Post SP3 (KB2758694)
EoL date : 2014/04/12
EoL announcement : http://support.microsoft.com/gp/msxmlannounce
Supported versions : 5.10.2930.0 / 6.0 or greater.
From: Lars Nelson [mailto:***@gmail.com]
Sent: Tuesday, September 02, 2014 3:06 PM
To: Patch Management Mailing List
Subject: Re: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia. [WARNING: DKIM validation failed]
As I understand this, all of MSXML 4 is end of life and so Secunia will be reporting it as such.
- Lars
On Tue, Sep 2, 2014 at 11:51 AM, Benedetti White,Arthur D (BPA) - JNI-2 <***@bpa.gov<mailto:***@bpa.gov>> wrote:
Does Secunia say all of MSXML 4 is going end of life, or just every version below v4 SP3? We just finished getting SP3 to most of our systems because Nessus was showing all the older versions as vulnerable.
-Arthur.
From: Lars Nelson [mailto:***@gmail.com]
Sent: Tuesday, September 02, 2014 11:28 AM
To: Patch Management Mailing List
Subject: [patchmanagement] MS XML core services V 4.x reporting as end of life by Secunia.
MS XML core services V 4.x recently started reporting as end of life by Secunia.
None of the automated means of Windows patching (WSUS, MU) is taking care of this end of life state.
In review, there are lots of posts on this in the Secunia forums and elsewhere.
The problem seems to be associated with Win7 computers because as I understand, XML 4 is an XP based app and so because MS ended XP end of life it appears that they ended the life of XML 4 also.
Problem now is, if there are no updates to XML 4, that would seem to make this vulnerable. But, as I also understand, Vista depends on XML 4 for IE.
Also, what about the Win7 computers out there that have XML4 installed? Because XML4 is not native to Win7 that would mean it was installed by an app.
Does that app need to have XML4 installed only or, can one upgrade (which appears to be a manual upgrade to the latest XML version) to the most recent XML version and will that be backward compatible.
In the end I don't want to leave EOL XML code on Win7 boxes as that seems insecure. But I also don't want to break a critical app that needs XML4.
Gosh.
- Lars
---
PatchManagement.org is hosted by Shavlik