This is not really a new issue... but I suspect it's unknown to many. I just encountered it today.
In January, 2013, MS13-002 was released to all channels to fix two privately reported remote code execution vulnerabilities in MSXML v4 Service Pack 3.
MS13-002 superseded MS12-043, released to all channels in June, 2012, that fixed a publicly reported remote code execution vulnerability.
These vulnerabilities are exploitable through specially crafted HTML email messages or web pages.
HOWEVER…. Service Pack 3 for MSXML v4 was never released to automated channels. Even today, it is only available as a download from the MDC.
MSXML v4 SP2 expired support in April, 2010, so the above security fixes for MSXML v4 SP3 were not released as updates for MSXML v4 SP2.
MSXML v4 was an upgrade to MSXML v3 (which ships on all WinXP and newer systems) and targeted to ISVs for use in applications, so presumably it only gets installed if an application utilizing MSXML v4 has installed it.
Anybody care to guess the probabilities that the remote code execution vulnerabilities that exist in MSXML v4 SP3 also exist in previous versions?
Now.. here’s the really bad news….
- How many of your systems have MSXML v4 installed? You might not even know which ones!
- Have you upgraded your MSXML v4 to Service Pack 3 on those systems. (I haven’t. Yikes! Heck, I didn’t even know I needed to!)
- Have you installed MS13-002 to those systems? I’ll bet, except for systems that did get manually updated to MSXML4SP3 (or responsible applications that are using the current version), that MS13-002 (or MS12-043) shows as “Not Applicable” to most of your enterprise. Oooops! Some of those systems may not have MSXML v4 installed. Some of them likely have MSXML v4 SP2, or even earlier, installed. If installed, it should be listed in Programs & Features, and you’ll have the expected msxml4.dll and msxml4r.dll in the System32 or SysWow64 folders. Note that MSXML 4.0 is a 32-bit only package.
Investigating my system…. (sigh)…. It looks like LastPass installed MSXML4SP2 – which means, B&G, LastPass is shipping with an insecure version of MSXML4.
UPDATE/CORRECTION: After conversation with LastPass, I have learned that LastPass did NOT install MSXML4 (in any variety or version). Not sure what DID install MSXML4SP2 to my system, but I'm uninstalling it immediately!
It’s a matter of curiosity how many other products may be shipping with this vulnerable (and unsupported) instance of MSXML v4 SP2.
Check your systems. Uninstall MSXML 4 if it's not needed, or upgrade it to SP3, and then install MS13-002.