Upgrading to MSXML6

Topic

New Reply

currently using Windows 7 Ultimate 64bit. Secunia PSI indicates that I should upgrade MSXL4 to MSXL6, Visited Microsoft for further information and it appears that I should. Can only find a developer page which is inappropriate for me. Seems to be a task I should be very careful doing. Have downloaded the installer package for MSXL6 -64bit but before I click would appreciate any advice.

Reply | Quote

Replies

Tuppence,

PSI also informed me of this upgrade on my Win-7 HP Laptop. I performed the installation and PSI still said I needed to update even after a Re-boot and re-scan!
I finally just right clicked it and told it not to bother me any more. HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Here’s the whole story.

msxml4 is a package that software vendors have used. The other choices were msxml3 and msxml6. (Go Microsoft!). 3 and 6 are distributed with windows and maintained. 4 was distributed as part of the software package that used it.

Microsoft has shipped some updates to 4 over the years. If you have a new enough version, it got updated to the latest version – really old stuff has to be updated manually. For example, Quicken 2014 will install msxml4 from 2003 if there isn’t a version on your machine!

Recently, Microsoft announced end of all support for msxml4. No more updates. Time will tell if they hold to this if a serious security exposure is found.

There is nothing an end user can do about this – its the software vendors who need to move off of 4 onto 6. Until then, ignoring the Secunia warning and hoping for the best is all you can do.

Reply | Quote

Here’s the whole story.

For example, Quicken 2014 will install msxml4 from 2003 if there isn’t a version on your machine!

Recently, Microsoft announced end of all support for msxml4. No more updates. Time will tell if they hold to this if a serious security exposure is found.

There is nothing an end user can do about this – its the software vendors who need to move off of 4 onto 6. Until then, ignoring the Secunia warning and hoping for the best is all you can do.

I have just been through this with Quicken. You CAN update the 2003 version of msxml4 to SP3 (a 2009 or 2010 file, I believe and the last update to version 4) via the Microsoft website and Quicken will continue to work fine (at least my 2012 Quicken Deluxe does). All it did so far as I could see was to update the dll (in the sysWOW64 folder of my 64-bit machine) and place a folder in Program Files which contained only an rtf copy of the licence which I promptly deleted.

Reply | Quote

To answer the OP’s original question; You should already have MSXML6 on your system, I’ll explain later.

I’ve run into the same Secunia situation, here’s an excerpt from my thread on SevenForums, post #4: What’s going to happen with Microsoft XML Core Services (MSXML) 4.x ??

I’ve been reading a very informative Secunia thread here: Secunia | MSXML 4.0 Thread

The one respondent (Maurice Joyce, that name sounds familiar) seems very knowledgeable on what is going on with this situation.

It is a good read especially when you get to the 17th post (his). I wish the Secunia forum had a way to copy the thread link like SevenForums has.

As I said earlier I’m good to go with the version I already have, I set PSI to ignore the file and I’m going to check and see what exactly needs MSXML4.x If I’m not using it it will be uninstalled.

I’m also going to check into Joyce’s suggestion of trying: https://heimdalsecurity.com/en/products that he mentions in post #28. There is a free version that would do the same as PSI.

In reading the whole thread you can decide for yourself how Joyce feels about Secunia’s help in resolving this situation.

Now about that version6; Open Explorer and navigate to: C:WindowsSysWOW64 scroll down beyond the Folders where the alphabetical Files start, then down to MSXML.

[*]You should see: two MSXML versions of 3, 4, and 6. i.e. 3 – 3r, 4 – 4r, and 6 – 6r. Right click on version4, then Properties >Details Tab.

[*]You should see: 4.30.2117.0 as the File Version, and MSXML 4.0 SP3 as the Product Name.

[*]In the properties/details of 4r; You should see: 4.30.2100.0 and MSXML 4.0 SP3 respectively.

As long as you have those two file versions/product names, your okay. If you don’t you can go to post #22 (Joyce’s) and follow his instructions to update to MSXML4.0 SP3.

I have installed the Heimdalsecurity Updater Program (free) and am happy with it. Don’t be alarmed when you do not see all of your programs listed like PSI. Heimdal only lists the programs that are vulnerable to attack, I have four; Two for Adobe Flash (IE and FF) and two for Microsoft’s Core Programs.

In order to test Heimdal I stopped the Secunia PSI Agent from startup and disabled it in Services.msc . If Heimdal proves worthy I will be uninstalling Secunia PSI.

I’m still looking into what program uses version4.

Reply | Quote

Like many on this thread, I had the same problem with Secunia PSI indicating that my MSXML4.dll Core Services was out-of-date.
Clicking on the “update” button in Secunia PSI, that took me to a Microsoft’s download page where supposedly the new version (msxml6.dll)
could be downloaded. There, one has to choose amongst 4 files, the one of interest for your PC depending on whether you are running a 32-bit
or a 64-bit system. I went through the chores of trying all of them one after the other and none of them seemed to work since Secunia PSI was
still showing the msxml4.dll as out-of-date. At that point, the whole thing had become a real drag. So, I decided to take some egregious measures.

In Secunia PSI, I right-clicked on the outdated file and then left-clicked on “show details” or “show options”. By so doing, Secunia PSI
gave the path to the location of the file. As far as I remember it was C:WindowsSysWOW64 msxml4.dll. Once there, I right-clicked it and
deleted it. After that, Secunia system score was at 100% with a white check mark on the green circle. Problem solved!

Lastly, I have to add that I didn’t get any setback for having deleted the file. No error messages, all my apps are working seamlessly.

Reply | Quote

I think you are correct. Except for a few cases such as Quicken, most folks won’t miss MSXML 4.x. That PSI Show Path feature is often overlooked by users, and yet it is a very useful guidepost to where the insecure items may be found.

Now all we need is a guide to all the other possibly obsolete versions of things like C++, Visual Basic and other runtimes which may be lurking in our PCs.

-- rc primak

Reply | Quote

I also have Secunia advising an update of Microsoft Core XML Services (MSXML) 6.0 but when I click on it in Secunia it takes me to a download page where there are a choice of several files to download, probably the same place as tuppence is describing. How do I know which file t5o choose, if any? Should I ignore it? How did you decide which file to download RetiredGeek? (I have W7 Home Premium 64 bit).

Reply | Quote

In PSI right click on the “Installed Version” and select “Show Details” to see which installation it thinks should be upgraded.

The files folder info/location may give you info as to the program that is using it and you can check via email with the developer if OK to upgrade.

If not OK choose “Ignore updates”

Reply | Quote

Sylviesinc,

Windows 32 Bit – msxml6.msi
Windows 64 Bit – msxml6_x64.msi

HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Many thanks kind sir, now done.

Reply | Quote

thanks all for your replies. downloaded and installed MSXML6-x64.msi. it installed MSXML6 parser and SDK. I shall “quite while I am ahead. The SDK I definately don’t need but the Parser could come in useful.

Reply | Quote

I have also been told by PSI in the last couple of days that I should upgrade to MSXML 6.x – but I am currently running 4.30.2117.0 on a 2009 32-bit Vista machine. Is it safe to take Secunia’s advice on this, or should I leave well alone?

Reply | Quote

I just have to say that even though I have downloaded it, Secunia is still telling me that it needs to be updated!!!

Reply | Quote

Try running Windows Update. It should be definitive for general use MSXML.

Secunia could be reporting on an MSXML version that is included in a product which requires that specific MSXML version.

Joe

--Joe

Reply | Quote

I think I’ll just ignore it as I’ll probably muck something up. If and when Windows Update wants me to install it, I will!

Reply | Quote

I am not an expert that’s a fact I muddle along as it were.
sylviesinc: even it you download and install MSXML6 Secunia will still tell you it needs updating. the trigger there is an out of date dll. solution is to go to it right click and click ignore.
JoeP517: I have had MSXMl updates from windows update in the past but for some reason only known to Microsoft they appear to have stopped.
JDO: create a restore point and go for it. Be careful you have the appropriate update though. the update MSXML6 puts the update within MSXML4, they are compatible.

that appears to be it

Reply | Quote

@tuppence,

Windows Update will only show updates to products installed separately. If the outdated version of MSXML6 was included as part of another product and not installed separately then Windows Update will not show updates for it.

Joe

--Joe

Reply | Quote

Thanks tuppence, yes I’m aware that there’s an outdated file there and I could probably just delete it however, there’s an awful lot of other stuff in the folder Secunia is showing me and I’m not confident enough to know what I’m doing, so I’ll just leave it.

Reply | Quote

The concerns in this thread seem to overlap with a thread I opened in the Security Forum here in The Lounge. (http://windowssecrets.com/forums/showthread//162943-Zombies-in-our-midst)

I am still interested in a good answer to the question:

How do I know when nothing on my Windows 7 laptop still needs MSXML 4.x?

This thread has provided some new insights, but I sure wish there were some definitive way to answer this question.

By the way, installing MSXML 6.x does not remove the vulnerable parts of MSXML4.2. MSXML 4.2 would still need to be removed (by using the Remove Programs and checking Show Windows Components) or updated to MSXML4.3. That update actually was designed to remove and replace MSXML 4.2 with MSXML 4.3. It was not merely a Service Pack in the usual sense of patching the older version. So, removal of MSXML 4.2 before installing MSXML 4.3 seems reasonable, if it’s not somehow embedded in poorly written third-party software.

With both MSXML 4.2 and 4.3 now out of date, it is amazing to me that Quicken 2014 would still be installing MSXML 4.2 and introducing a security risk onto users’ PCs. I believe the report in this thread that this happens, but it still amazes me that users let Quicken get away with this. Although, in all fairness, I bet few users of Quicken or of PSI realize what the issue is and how it develops.

Secunia reported recently that 42 percent of all Windows PCs scanned with PSI 3 still had MSXML 4.2 installed. And not updated. That’s a bit scary.
http://secunia.com/?action=fetch&filename=PSI-Country-Report-%28DK%29-%282014Q1%29.pdf

-- rc primak

Reply | Quote

I am still interested in a good answer to the question:

How do I know when nothing on my Windows 7 laptop still needs MSXML 4.x?

Bob,

I haven’t come across a program or script that could search through a machine’s Folders and Files to check for any relationships between msxml4.x, msxml4r.x and a corresponding program and just list them for you. Any Programmers out there?

It’s more time consuming but I’ve been using Process Explorer.

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

Source: Windows Sysinternals | Process Explorer v16.02

[*]Unzip the archive.
[*]When the Window opens after extraction click on procexp.exe to run process explorer, no install is needed.
[*]You will see a security warning box asking you if you want to run procexp.exe, click on run.
[*]When the EULA window opens read and/or click on Agree. You will only have to agree one time, any subsequent running’s won’t ask.
[*]Process Explorer will then start.
[*]

Open all of the Programs that you normally use including your All in One Printer, all the Browsers you have, anything and everything. :p

Then on the Process Explorer File Menu, go to Find and click on it, then click on Find Handle or DLL, Type in msxml4.dll, wait for results, then add an r after the 4 and wait for the results.

So far I haven’t had anything show up in what I normally use, but I still have quite a few programs to check. It’d be a cryin’ shame if after checking all my programs xml4 was needed by a program that I had uninstalled last year.

Reply | Quote

By the way, installing MSXML 6.x does not remove the vulnerable parts of MSXML4.2.

MSXML 6.x is included with Windows (XPSP3, Vista, 7 and 8): MSXML Versions

MSXML 4.2 would still need to be removed (by using the Remove Programs and checking Show Windows Components)

Where’s the Show Windows Components check box?

Would MSXML 4.2 be listed there anyway?

(It was not a Windows component.)

Bruce

Reply | Quote

As with many here, PSI gave me the same update notice and after trying to update to msxml6.dll and getting nowhere, I just ignored it. It is now listed with the other obsolete software I have ignored. I’m not sure what program uses the msxml4.dll because I don’t have Quicken as some have mentioned.

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

The trouble with MSXML is that some of the same DLLs are still retained after updating. I for one do not want to go through all those DLLs and try to find out which one is obsolete. Just do what is possible and hit Ignore for the remainder.

-- rc primak

Reply | Quote

Bruce,

It is here now:
37886-winfeatures

And you are right it does not show up in either the Programs List or the Features List at least not on my Win 8.1 Update 1 system. HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote