Page 2 of 2 FirstFirst 12
Results 16 to 25 of 25
  1. #16
    Lounger Anak's Avatar
    Join Date
    Feb 2010
    Location
    Central Pa.
    Posts
    38
    Thanks
    1
    Thanked 5 Times in 5 Posts
    To answer the OP's original question; You should already have MSXML6 on your system, I'll explain later.

    I've run into the same Secunia situation, here's an excerpt from my thread on SevenForums, post #4: What's going to happen with Microsoft XML Core Services (MSXML) 4.x ??
    I've been reading a very informative Secunia thread here: Secunia | MSXML 4.0 Thread

    The one respondent (Maurice Joyce, that name sounds familiar) seems very knowledgeable on what is going on with this situation.

    It is a good read especially when you get to the 17th post (his). I wish the Secunia forum had a way to copy the thread link like SevenForums has.

    As I said earlier I'm good to go with the version I already have, I set PSI to ignore the file and I'm going to check and see what exactly needs MSXML4.x If I'm not using it it will be uninstalled.

    I'm also going to check into Joyce's suggestion of trying: https://heimdalsecurity.com/en/products that he mentions in post #28. There is a free version that would do the same as PSI.
    In reading the whole thread you can decide for yourself how Joyce feels about Secunia's help in resolving this situation.

    Now about that version6; Open Explorer and navigate to: C:\Windows\SysWOW64 scroll down beyond the Folders where the alphabetical Files start, then down to MSXML.

    • You should see: two MSXML versions of 3, 4, and 6. i.e. 3 - 3r, 4 - 4r, and 6 - 6r. Right click on version4, then Properties >Details Tab.
    • You should see: 4.30.2117.0 as the File Version, and MSXML 4.0 SP3 as the Product Name.
    • In the properties/details of 4r; You should see: 4.30.2100.0 and MSXML 4.0 SP3 respectively.

    As long as you have those two file versions/product names, your okay. If you don't you can go to post #22 (Joyce's) and follow his instructions to update to MSXML4.0 SP3.

    I have installed the Heimdalsecurity Updater Program (free) and am happy with it. Don't be alarmed when you do not see all of your programs listed like PSI. Heimdal only lists the programs that are vulnerable to attack, I have four; Two for Adobe Flash (IE and FF) and two for Microsoft's Core Programs.

    In order to test Heimdal I stopped the Secunia PSI Agent from startup and disabled it in Services.msc . If Heimdal proves worthy I will be uninstalling Secunia PSI.

    I'm still looking into what program uses version4.
    Last edited by Anak; 2014-07-24 at 11:32.

  2. #17
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,329
    Thanks
    140
    Thanked 117 Times in 100 Posts
    The concerns in this thread seem to overlap with a thread I opened in the Security Forum here in The Lounge. (http://windowssecrets.com/forums/sho...s-in-our-midst)

    I am still interested in a good answer to the question:

    How do I know when nothing on my Windows 7 laptop still needs MSXML 4.x?

    This thread has provided some new insights, but I sure wish there were some definitive way to answer this question.

    By the way, installing MSXML 6.x does not remove the vulnerable parts of MSXML4.2. MSXML 4.2 would still need to be removed (by using the Remove Programs and checking Show Windows Components) or updated to MSXML4.3. That update actually was designed to remove and replace MSXML 4.2 with MSXML 4.3. It was not merely a Service Pack in the usual sense of patching the older version. So, removal of MSXML 4.2 before installing MSXML 4.3 seems reasonable, if it's not somehow embedded in poorly written third-party software.

    With both MSXML 4.2 and 4.3 now out of date, it is amazing to me that Quicken 2014 would still be installing MSXML 4.2 and introducing a security risk onto users' PCs. I believe the report in this thread that this happens, but it still amazes me that users let Quicken get away with this. Although, in all fairness, I bet few users of Quicken or of PSI realize what the issue is and how it develops.

    Secunia reported recently that 42 percent of all Windows PCs scanned with PSI 3 still had MSXML 4.2 installed. And not updated. That's a bit scary.
    http://secunia.com/?action=fetch&fil...82014Q1%29.pdf
    Last edited by bobprimak; 2014-07-24 at 17:43.
    -- Bob Primak --

  3. #18
    New Lounger
    Join Date
    Mar 2010
    Location
    Laval, Québec, Canada
    Posts
    13
    Thanks
    0
    Thanked 2 Times in 1 Post
    Like many on this thread, I had the same problem with Secunia PSI indicating that my MSXML4.dll Core Services was out-of-date.
    Clicking on the "update" button in Secunia PSI, that took me to a Microsoft's download page where supposedly the new version (msxml6.dll)
    could be downloaded. There, one has to choose amongst 4 files, the one of interest for your PC depending on whether you are running a 32-bit
    or a 64-bit system. I went through the chores of trying all of them one after the other and none of them seemed to work since Secunia PSI was
    still showing the msxml4.dll as out-of-date. At that point, the whole thing had become a real drag. So, I decided to take some egregious measures.

    In Secunia PSI, I right-clicked on the outdated file and then left-clicked on "show details" or "show options". By so doing, Secunia PSI
    gave the path to the location of the file. As far as I remember it was C:\Windows\SysWOW64\ msxml4.dll. Once there, I right-clicked it and
    deleted it. After that, Secunia system score was at 100% with a white check mark on the green circle. Problem solved!

    Lastly, I have to add that I didn't get any setback for having deleted the file. No error messages, all my apps are working seamlessly.

  4. #19
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,329
    Thanks
    140
    Thanked 117 Times in 100 Posts
    I think you are correct. Except for a few cases such as Quicken, most folks won't miss MSXML 4.x. That PSI Show Path feature is often overlooked by users, and yet it is a very useful guidepost to where the insecure items may be found.

    Now all we need is a guide to all the other possibly obsolete versions of things like C++, Visual Basic and other runtimes which may be lurking in our PCs.
    -- Bob Primak --

  5. #20
    Lounger Anak's Avatar
    Join Date
    Feb 2010
    Location
    Central Pa.
    Posts
    38
    Thanks
    1
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by bobprimak View Post
    I am still interested in a good answer to the question:

    How do I know when nothing on my Windows 7 laptop still needs MSXML 4.x?
    Bob,

    I haven't come across a program or script that could search through a machine's Folders and Files to check for any relationships between msxml4.x, msxml4r.x and a corresponding program and just list them for you. Any Programmers out there?

    It's more time consuming but I've been using Process Explorer.

    Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

    Source: Windows Sysinternals | Process Explorer v16.02
    • Unzip the archive.
    • When the Window opens after extraction click on procexp.exe to run process explorer, no install is needed.
    • You will see a security warning box asking you if you want to run procexp.exe, click on run.
    • When the EULA window opens read and/or click on Agree. You will only have to agree one time, any subsequent running's won't ask.
    • Process Explorer will then start.

    Open all of the Programs that you normally use including your All in One Printer, all the Browsers you have, anything and everything.

    Then on the Process Explorer File Menu, go to Find and click on it, then click on Find Handle or DLL, Type in msxml4.dll, wait for results, then add an r after the 4 and wait for the results.

    So far I haven't had anything show up in what I normally use, but I still have quite a few programs to check. It'd be a cryin' shame if after checking all my programs xml4 was needed by a program that I had uninstalled last year.
    Last edited by Anak; 2014-07-24 at 22:20.

  6. #21
    New Lounger
    Join Date
    Oct 2004
    Location
    Orange, Connecticut, USA
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts
    In PSI right click on the "Installed Version" and select "Show Details" to see which installation it thinks should be upgraded.

    The files folder info/location may give you info as to the program that is using it and you can check via email with the developer if OK to upgrade.

    If not OK choose "Ignore updates"

  7. #22
    3 Star Lounger
    Join Date
    Feb 2013
    Location
    Mojave Desert CA
    Posts
    284
    Thanks
    40
    Thanked 8 Times in 8 Posts
    As with many here, PSI gave me the same update notice and after trying to update to msxml6.dll and getting nowhere, I just ignored it. It is now listed with the other obsolete software I have ignored. I'm not sure what program uses the msxml4.dll because I don't have Quicken as some have mentioned.

  8. #23
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,329
    Thanks
    140
    Thanked 117 Times in 100 Posts
    The trouble with MSXML is that some of the same DLLs are still retained after updating. I for one do not want to go through all those DLLs and try to find out which one is obsolete. Just do what is possible and hit Ignore for the remainder.
    -- Bob Primak --

  9. #24
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,916
    Thanks
    91
    Thanked 356 Times in 320 Posts
    Quote Originally Posted by bobprimak View Post
    By the way, installing MSXML 6.x does not remove the vulnerable parts of MSXML4.2.
    MSXML 6.x is included with Windows (XPSP3, Vista, 7 and 8): MSXML Versions


    Quote Originally Posted by bobprimak View Post
    MSXML 4.2 would still need to be removed (by using the Remove Programs and checking Show Windows Components)
    Where's the Show Windows Components check box?

    Would MSXML 4.2 be listed there anyway?

    (It was not a Windows component.)


    Bruce

  10. #25
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    6,498
    Thanks
    212
    Thanked 852 Times in 784 Posts
    Bruce,

    It is here now:
    winfeatures.JPG

    And you are right it does not show up in either the Programs List or the Features List at least not on my Win 8.1 Update 1 system. HTH
    May the Forces of good computing be with you!

    RG

    VBA Rules!

    My Systems: Desktop Specs
    Laptop Specs


Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •