• Ancient MSXML 4.0 patches suddenly show in Win 7 Updates

    #239407

    Win 7 SP 1 x64 (group B):
    After installing the November Security Only Updates, I ran Windows Update as usual. I was very surprised to see these two MSXML patches from 2011 show up (which I haven’t yet installed):

    Security Update for Microsoft XML Core Services 4.0 Service Pack 2 for x64-based Systems (KB954430)
    Update for Microsoft XML Core Services 4.0 Service Pack 2 for x64-based Systems (KB973688)

    I have never had 4.0 on my machine before. It was EOL’d and deprecated years ago. Searching online, I see it was (still is?) a major security hole and I can’t find any clear instructions for removing all its traces. Some sleuth work pointed to me having installed WordPerfect Lightning (old, old) so I could help my sister view some WordPerfect files from an old, old backup. That’s how it ended up on my system. 🙁

    I’ll uninstall the program once the archival work is done, but from what I’ve read, this likely won’t remove all XML 4.0 traces. I understand that SxS is partly the reason.

    Anyone have direct experience or procedures for cleaning this out other than restoring an older backup image?

    Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #239415

      Do you see it in Control Panel -> Add/Remove programs?

      Do you have PowerShell? Searching for removal instructions found this script for displaying the uninstall strings of any version.

      1 user thanked author for this post.
      • #239434

        The msxml4.dll file shows a created date of 11-23-2018. The only file showing that I installed on that date was WordPerfect Lightning by Corel. It’s listed on the Programs and Features for potential uninstall. Haven’t done that yet. No other references to MSXML show, so it’s almost certain the Corel program installed it.

        Yes, I do have PowerShell but it’s the 2009 version and the script doesn’t seem to work – nothing returned. I’m not up on PowerShell. Is there a newer version that I should install?

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

        • #239533

          Is this a 32-bit (x86) program? Did you try both scripts? Although there are newer versions listed here and in other parts of this documentation, you may not need to worry about updating PowerShell just yet.

          1 user thanked author for this post.
          • #239592

            The ‘anonymous’ is me. Forgot to sign in first. It’s OK to wait for moderator to unhide…

            Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

          • #239590

            Yes, I tried both scripts. The x64 script returned nothing. The x32 script returned an error.

            My powershell program is located here: C:\WINDOWS\system32\WindowsPowerShell\v1.0

            File version is 6.1.7600.16385, PowerShell version is 2.0. So, it may be useful for me to update. Thanks for the link.

            • #240012

              I know that this is resolved, but there was a hidden character in the x86 script that caused it to fail. Here is the corrected text:

              get-childitem hklm:\software\microsoft\windows\currentversion\uninstall | where {$_.GetValue("DisplayName") -like "*msxml*" } | foreach { $_.GetValue("DisplayName"),$_.GetValue("UninstallString") }

              (This should at least not now cause a PowerShell error.)

              1 user thanked author for this post.
    • #239427

      When old updates suddenly show up it’s often due to software being installed that lays down older vulnerable dlls or files. Windows update then senses it needs to be updated and offers you these files.

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #239435

        As mentioned above, I’m certain MSXML 4.0 was added to my system by the old software by Corel. If I install all patches that Windows Update offers me, do you know if that will plug the security hole, allowing me to not worry about cleaning all traces?

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      • #2304290

        I just received “important updates” for MSXML SP2 4.0 (KB973688) which was installed on 7/21/13 and MSXML SP2 4.0 (KB954430) installed on 8/21/13.

        I am not sure if I have programs that use them.  Should I go ahead and allow the updates to install?

         

         

        • #2304291

          They may or may not install depending on whether their files were replaced for some reason, or MS just changed their metadata.
          Will not hurt to let them through – they won’t replace later versions.
          To satisfy your curiosity, see if they install (they won’t if they are not needed).

          1 user thanked author for this post.
          • #2304294

            Thanks – They both installed very quickly and did not require a restart.  I can see them in the update history but they do not appear in the installed updates under Programs.

             

            • #2304297

              If they do not appear in Installed Updates, they did not install.

            • #2304304

              I just looked and I have 13 updates from 2013 to 2020 for XML and 13 Security Updates for XML in the Update History in Windows Update.

              However, there are no updates in the Installed Updates in Programs.

              Does that mean none of those updates installed even though it said they were successful?

    • #239604

      Are we saying XML 4.0 should be removed from my Win 7 machine?
      If so will someone please explain why – because there are four entries from 2013 sitting in Control Panel -> Programs and features. Two for SP2 and two for SP3 parser.

      • #239610

        I don’t personally know if it would still be a security hole if patched to SP3. That’s why I asked Susan above (#239435). But when I originally googled about msxml4 I found many, many sites and discussions about the security risks and how it ought to be removed.

        Since it’s EOL and deprecated by MS, and I’ve never needed version 4 until WordPerfect Lightning installed it, I wanted to err on the side of caution and get rid of it. Mission accomplished.

        If you rely on older programs that require msxml4, ymmv….

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #239606

      Good News! All traces of MSXML4 are removed.

      I finished the archival project, then, using RevoUninstaller Pro in advanced mode, I uninstalled and deleted all traces of Lightning.

      Using the search tool ‘Everything’, I searched for ‘msxml4’. Msxml4.dll and msxml4r.dll both still showed up in the system32, sysWOW64 and in the SxS directories. To see if they were ‘registered’ to the system, I ran PowerShell to enumerate the versions I had. Only 3.0 and 6.0 showed.

      Next I opened Internet Explorer >tools>manage add-ons>show>run without permissions. Only XML 3 and 6 were listed. Version 4 no longer appeared as it previously had.

      Ran ‘Everything’ search again. Voilà! Nothing showed for msxml4 at all.

      Thankfully, the WordPerfect uninstaller plus RevoUninstaller did the trick.

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      1 user thanked author for this post.
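The checks used in this thread (the uninstall-string one-liner posted earlier, plus the file search and registration check described in the post above), combined into one read-only audit. This is an added example, not code from any poster; the function names are hypothetical, and the two ProgIDs are the version-dependent ones MSXML 4.0 registers.

```powershell
# Added example: read-only audit for MSXML 4.0 leftovers; it changes nothing.
# Written for PowerShell 2.0. Run it from the 64-bit console so that
# System32 is not silently redirected to SysWOW64.

function Get-MsxmlUninstallEntry {
    # Hypothetical helper: same filter as the one-liner in the thread,
    # applied to both the native and the 32-bit (Wow6432Node) registry view.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
        Get-ChildItem $root | ForEach-Object {
            $name = $_.GetValue('DisplayName')
            if ($name -like '*msxml*') {
                New-Object PSObject -Property @{
                    View = $root; DisplayName = $name
                    UninstallString = $_.GetValue('UninstallString')
                }
            }
        }
    }
}

function Get-Msxml4File {
    # Hypothetical helper: msxml4.dll, msxml4r.dll and siblings still on disk.
    $version = @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }
    $flat = "$env:windir\System32", "$env:windir\SysWOW64"
    $found  = @(Get-ChildItem -Path $flat -Filter 'msxml4*.dll' -ErrorAction SilentlyContinue)
    # The side-by-side store is large, so this recursive pass can take minutes.
    $found += @(Get-ChildItem -Path "$env:windir\WinSxS" -Filter 'msxml4*.dll' -Recurse -ErrorAction SilentlyContinue)
    $found | Select-Object FullName, CreationTime, $version
}

function Test-Msxml4ComRegistration {
    # Hypothetical helper: is a 4.0 ProgID still registered for COM clients?
    foreach ($id in 'Msxml2.DOMDocument.4.0', 'Msxml2.XMLHTTP.4.0') {
        New-Object PSObject -Property @{
            ProgId = $id
            Registered = (Test-Path "Registry::HKEY_CLASSES_ROOT\$id")
        }
    }
}

Get-MsxmlUninstallEntry    | Format-List
Get-Msxml4File             | Format-Table -AutoSize
Test-Msxml4ComRegistration | Format-Table -AutoSize
```

A clean machine lists no MSXML 4.0 uninstall entries, returns no files, and shows Registered as False for both ProgIDs; files with no uninstall entry or registration point to leftovers rather than an active install.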
      • #239653

        Ah, Good and congratulations on being able to archive the data.

    • #239614

      Yes, I tried both scripts. The x64 script returned nothing. The x32 script returned an error.

      My powershell program is located here: C:\WINDOWS\system32\WindowsPowerShell\v1.0

      File version is 6.1.7600.16385, PowerShell version is 2.0. So, it may be useful for me to update. Thanks for the link.

      On my Win 7 laptop, I found this in response to $PSVersionTable:

      Name Value
      ---- -----
      CLRVersion 2.0.50727.8762
      BuildVersion 6.1.7601.17514
      PSVersion 2.0
      WSManStackVersion 2.0
      PSCompatibleVersions <1.0, 2.0>
      SerializationVersion 1.1.0.1
      PSRemotingProtocolVersion 2.1

      But I don’t know how to determine if this is the latest version for Win 7 or if I even need to update it.
      Thanks for any insight.

      • #239781

        PowerShell 2.0 is the default installed version for Windows 7 SP1, not the latest.  Not sure why, but now after a reboot today, Powershell command “$PSVersionTable” returns the following:

        CLRVersion 2.0.50727.8793
        BuildVersion 6.1.7601.17514
        PSVersion 2.0
        WSManStackVersion 2.0
        PSCompatibleVersions <1.0, 2.0>
        SerializationVersion 1.1.0.1
        PSRemotingProtocolVersion 2.1

        Since I’m not a big user of PowerShell, I think for now I’ll not take risks in trying to upgrade it. If I install a program that tells me I need a higher version – then maybe. Searching for “should I upgrade powershell version 2?”, I found this: https://blogs.technet.microsoft.com/heyscriptingguy/2014/10/20/should-i-upgrade-to-latest-windows-powershell-version/

        A bit old but still cautionary. If you aren’t a PowerShell user, you might just want to sit pat, too.

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #239792

      Is there a security risk if MSXML 4.0 SP2 and MSXML 4.0 SP3 are left on my Win 7 machine?

      • #239805

        Basically the same question I asked Susan The Patch Lady above. I personally don’t know the answer. Maybe someone else can answer this?   You might have to start a new topic specifically addressing this. Sorry I can’t help.

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

        • #239968

          Thank you for trying.

      • #240002

        Well, curiosity made me dig some more. This isn’t definitive but rather a particular take on it.

        1. “All versions of MSXML 4.0 (including SP2 and SP3) are no longer supported, and will no longer receive security updates (from April 2014).” This fellow recommends uninstalling them all from either “Add/Remove Programs” or “Programs and Features”. He also indicates programs that use 4.0 are rare – and that was in 2015. In today’s environment, I suspect only very old programs like in my situation (or malware?) would need or install it.
        https://altonblom.com/s34e09/

        2. He also suggests possibly using some command lines he says will uninstall traces of 4.0 :
        https://altonblom.com/s34e10/

        3. He suggests as an alternative, installing and configuring Microsoft’s EMET to stop Internet Explorer exposing MSXML when on the internet. (I don’t know if any other browsers use msxml, but you could always add protection for them as well.)
        https://altonblom.com/s35e01/

        Checking on my EMET installation, Internet Explorer (iexplorer.exe) already had “msxml4*.dll” included in the restricted modules in the ASR. To check, click on the Apps button in the ribbon, double click on iexplorer.exe and look for the “Attack Surface Reduction” section. If you’re using the latest version of EMET, “msxml4*.dll” should already be included by default. If you are going to make any changes here, first export the existing EMET profile in case you might have to restore it. (Note: When I open EMET it sometimes takes a while before iexplorer.exe shows in the list of apps. Not sure why…)

        If you DO choose to make any of the above changes, I strongly recommend that you first do a complete system backup using something like Macrium Reflect — just in case anything gets broken. After making changes, test your programs to confirm no ill effects.

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
