
This is not really a new issue... but I suspect it's unknown to many. I just encountered it today.

 

In January, 2013, MS13-002 was released to all channels to fix two privately reported remote code execution vulnerabilities in MSXML v4 Service Pack 3.

MS13-002 superseded MS12-043, released to all channels in June 2012, which fixed a publicly reported remote code execution vulnerability.

These vulnerabilities are exploitable through specially crafted HTML email messages or web pages.

 

HOWEVER… Service Pack 3 for MSXML v4 was never released through the automated update channels. Even today, it is only available as a manual download from the MDC.

 

Support for MSXML v4 SP2 ended in April 2010, so the security fixes above for MSXML v4 SP3 were never released as updates for MSXML v4 SP2.

MSXML v4 was an upgrade to MSXML v3 (which ships on all WinXP and newer systems) and was targeted at ISVs for use in their applications, so presumably it is only present on a system if an application that uses MSXML v4 installed it.

 

Anybody care to guess the probabilities that the remote code execution vulnerabilities that exist in MSXML v4 SP3 also exist in previous versions?

 

Now.. here’s the really bad news….

  • How many of your systems have MSXML v4 installed? You might not even know which ones!
  • Have you upgraded MSXML v4 to Service Pack 3 on those systems? (I haven’t. Yikes! Heck, I didn’t even know I needed to!)
  • Have you installed MS13-002 on those systems? I’ll bet that, except for systems that were manually updated to MSXML4SP3 (or that run responsible applications using the current version), MS13-002 (or MS12-043) shows as “Not Applicable” across most of your enterprise. Oooops! Some of those systems may not have MSXML v4 installed at all. Some of them likely have MSXML v4 SP2, or even earlier, installed. If it is installed, it should be listed in Programs & Features, and you’ll find msxml4.dll and msxml4r.dll in the System32 or SysWOW64 folder. Note that MSXML 4.0 is a 32-bit only package.

 

Investigating my system…. (sigh)…. It looks like LastPass installed MSXML4SP2 – which means, B&G, LastPass is shipping with an insecure version of MSXML4.

UPDATE/CORRECTION: After conversation with LastPass, I have learned that LastPass did NOT install MSXML4 (in any variety or version). Not sure what DID install MSXML4SP2 to my system, but I'm uninstalling it immediately!

It’s a matter of curiosity how many other products may be shipping with this vulnerable (and unsupported) instance of MSXML v4 SP2.

 

Check your systems. Uninstall MSXML 4 if it's not needed, or upgrade it to SP3, and then install MS13-002.
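The inventory the bullets above describe, and the "check your systems" step here, can be scripted. The following is an added example, not code from the original post: it reads the Programs & Features entries for MSXML 4, locates msxml4.dll and msxml4r.dll in System32 and SysWOW64 (MSXML 4 is 32-bit only, so on x64 it lives in SysWOW64), and reports the file version so you can tell which service pack is present. The mapping of file version to service pack (4.30.x = SP3, 4.20.x = SP2) is an assumption to verify against the MS13-002 bulletin's file tables, and the registry paths are the standard uninstall keys.

```powershell
# Added example (not from the original post): inventory MSXML 4.0 on the local machine.
# Reports Programs & Features entries and the on-disk DLL versions so SP2/SP3 can be told apart.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Programs & Features entries whose name starts with "MSXML 4"
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'MSXML 4*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# 2. The DLLs themselves. MSXML 4 is 32-bit only: System32 on x86 Windows, SysWOW64 on x64.
$dllDirs = @("$env:windir\System32", "$env:windir\SysWOW64")
$dlls = foreach ($dir in $dllDirs) {
    foreach ($name in 'msxml4.dll', 'msxml4r.dll') {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            $ver = (Get-Item $path).VersionInfo.FileVersion
            [pscustomobject]@{
                Path        = $path
                FileVersion = $ver
                # Assumed mapping (verify against the bulletin): 4.30.* = SP3, 4.20.* = SP2
                ServicePack = switch -Wildcard ($ver) {
                    '4.30.*' { 'SP3' }
                    '4.20.*' { 'SP2' }
                    default  { 'SP1 or earlier' }
                }
            }
        }
    }
}

if (-not $installed -and -not $dlls) {
    'MSXML 4.0 not found on this system.'
} else {
    $installed | Format-Table -AutoSize
    $dlls      | Format-Table -AutoSize
    # Anything that is not SP3 cannot receive MS13-002: upgrade to SP3 first or uninstall.
    $dlls | Where-Object { $_.ServicePack -ne 'SP3' } |
        ForEach-Object { "WARNING: $($_.Path) is $($_.ServicePack); MS13-002 will not apply." }
}
```

Run it under an account that can read HKLM and the Windows directory; to cover a fleet, wrap it in `Invoke-Command -ComputerName` and collect the objects centrally. A system with no Programs & Features entry but a stray msxml4.dll still counts as exposed, which is why the script checks the files independently of the registry.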

On Thursday (Oct 3) Microsoft announced the forthcoming content for Patch Tuesday – Oct 8, 2013.

 

Number of Releases: 8

Critical Security Updates: 4 addressing vulnerabilities in Windows XP, Internet Explorer (v6, 7, 8), Outlook 2007/2010, Windows SharePoint Services v2/v3, SharePoint Server 2007/2010/2013, and Office Web Apps 2010.

Important Security Updates: 4 addressing vulnerabilities in Office 2003/2007/2010/2013, SharePoint, and Silverlight v5.

 

You can have Microsoft's security bulletins sent directly to you:

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

 

Microsoft also hosts a webcast where they discuss the releases, typically the Wednesday after Patch Tuesday:

Microsoft will host a webcast to address customer questions on the security bulletins on October 9, 2013, at 11:00 AM Pacific Time (US & Canada).

Register now for the October Security Bulletin Webcast. After this date, the webcast is available on-demand.

 

You can also follow the MSRC team at @MSFTSecResponse.

 

Updates are typically released by Microsoft at 10am PDT (5pm UTC).

Configuring WSUS servers to synchronize relative to that time can be helpful in expediting availability of these security updates.
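One way to set that synchronization schedule from the WSUS server itself, as an added example rather than anything from the original post: the UpdateServices module's `Get-WsusServer` cmdlet and the subscription object's `SynchronizeAutomaticallyTimeOfDay` property (which is expressed in UTC) are real WSUS API members; the 30-minute offset after the release time and the single daily sync are assumptions you can tune.

```powershell
# Added example (not from the original post): schedule WSUS to sync shortly after
# Microsoft's usual 10:00 Pacific release time. Run on the WSUS server with the
# UpdateServices module (WSUS administration console) installed.

Import-Module UpdateServices
$wsus = Get-WsusServer              # connects to the local WSUS server on its default port
$sub  = $wsus.GetSubscription()

# SynchronizeAutomaticallyTimeOfDay is UTC. 10:00 PDT = 17:00 UTC (during daylight time;
# in winter 10:00 PST = 18:00 UTC, so revisit this after the clocks change).
$sub.SynchronizeAutomatically          = $true
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]'17:30:00'   # assumed 30-minute cushion
$sub.Save()

# Confirm the configured time and when the next sync will actually run
$sub.SynchronizeAutomaticallyTimeOfDay
$sub.GetNextSynchronizationTime()
```

Setting `NumberOfSynchronizationsPerDay` higher than 1 spreads additional syncs evenly across the day from the configured start time, which is useful if out-of-band releases matter to you as much as Patch Tuesday.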