Re: MSXML Service Packs

• Previous message: Marc Maiffret: "EEYE: RealPlayer Zipped Skin File Buffer Overflow"
• Maybe in reply to: Joe Dance: "MSXML Service Packs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 26 Oct 2004 13:15:01 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The download location for MSXML 3.0 SP5 is available here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a3ad088-a893-4
f0b-a932-5e024e74519f&DisplayLang=en

The nuances of MSXML 2.6 SP3 are available from this snippet from the
MBSA newsgroup:

Customers are concerned that MBSA indicates users running MSXML 2.6 are
not on the latest service pack. This is a non-critical warning (yellow
X) indicates that a newer service pack is available, although -
depending on the customer situation - it may not be necessary to install
this latest service pack. MSXML 2.6 SP3 is not available as a separate
download, but is included with SQL Server SP3. Unless you are running
SQL Server, you do not need (and cannot install) MSXML 2.6 SP3 as a
separate download.

Response from the MSXML team: MSXML 2.6 is supposed to be used only with
SQL Server and has a limited support offered - which is why MSXML 2.6
SP3 is not available as a public download. Ideally, customers should
get latest SP (currently SP3) of SQL Server 2000 to get latest version
of MSXML 2.6. Nevertheless this product is also bundled with select
operating systems (WinXP and Windows 2003) and will have support once a
security vulnerability is reported in the product. The last security
released for this product was in Feb 2002 and it is available for public
download and build number is 8.2.8307.0 (this is SP2).

Link to the latest security bulletin released Feb 2002:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;318202

The more recent link pertains to SQL Server 2000 SP3 which is for MSXML
2.6 SP3.
http://support.microsoft.com/default.aspx?scid=kb;en-us;823490

doug neal
Security Business & Technology Unit (SBTU)
Microsoft Baseline Security Analyzer (MBSA)

For all MSSECURE.XML issues, send questions to WUSecure
d u g n @ m i c r o s o f t . c o m

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Joe Dance
Sent: Friday, October 15, 2004 1:36 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MSXML Service Packs

MBSA today reported that one NT server was running MSXML2.6 SP2, while
SP3
was the most current SP available. On that system and others, it also
reported that MSXML 3 SP4 was installed, while SP5 was the most current
SP
available. Admittedly, I had not run MBSA against these particular
machines
in a while. I keep up with patches, but MSXML and MDAC updates do not
seem
to get distributed by way of Windows Update, nor does it detect needed
updates to MSXML or MDAC - but MBSA checks them both.

The problem is that no trace of SP3 for MSXML 2.6, or of SP5 for MSXML
3,
can be found anywhere on any Microsoft websites, or other sites. There
is
currently NO published information available, on the Microsoft XML
websites
or elsewhere, about MSXML2.6, and the latest version of MSXML 3
available is
SP4.

Resolution:
MSXML 3 SP4 and MSXML4 SP2 are available online. Get current versions
of
MSXML 3 and 4 at msdn.microsoft.com/XMLDownloads

For MSXML2.6, go to knowledgebase article 823490; download and install
the
msxml file. Although the article does not mention MSXML 2.6 SP3, that
is
what you are getting.

If anyone knows of a proper way to remove or uninstall old versions of
MSXML, I think a lot of folks would like to hear it. At least one
Microsoft
rep has publicly stated that old versions of MSXML cannot be removed.
They
are not listed in Add/Remove Programs. It might be as simple as
unregistering the dll files, and deleting them, but I'm not certain of
that,
or of what other effects such action would trigger. As I stated, I'm
open
to suggestion.

Joe Dance
University of South Carolina

---
[This E-mail scanned for viruses by Declude Virus]
--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is
configured such that just hitting reply is going to result in the
message coming to the list, not to the individual who sent the message.
This was done to help reduce the number of Out of Office messages
posters received. So if you want to send a reply just to the poster,
you'll have to copy their email address out of the message and place it
in your TO: field.
--
--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

• Previous message: Marc Maiffret: "EEYE: RealPlayer Zipped Skin File Buffer Overflow"
• Maybe in reply to: Joe Dance: "MSXML Service Packs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]