Re: MSXML Service Packs

From: Doug Neal (dugn_at_WINDOWS.MICROSOFT.COM)
Date: 10/26/04

  • Next message: Liu Die Yu: "Re: Windows file I/O not internationalized"
    Date:         Tue, 26 Oct 2004 13:15:01 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    The download location for MSXML 3.0 SP5 is available here:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=4a3ad088-a893-4
    f0b-a932-5e024e74519f&DisplayLang=en

    The nuances of MSXML 2.6 SP3 are available from this snippet from the
    MBSA newsgroup:

    Customers are concerned that MBSA indicates users running MSXML 2.6 are
    not on the latest service pack. This is a non-critical warning (yellow
    X) indicates that a newer service pack is available, although -
    depending on the customer situation - it may not be necessary to install
    this latest service pack. MSXML 2.6 SP3 is not available as a separate
    download, but is included with SQL Server SP3. Unless you are running
    SQL Server, you do not need (and cannot install) MSXML 2.6 SP3 as a
    separate download.

    Response from the MSXML team: MSXML 2.6 is supposed to be used only with
    SQL Server and has a limited support offered - which is why MSXML 2.6
    SP3 is not available as a public download. Ideally, customers should
    get latest SP (currently SP3) of SQL Server 2000 to get latest version
    of MSXML 2.6. Nevertheless this product is also bundled with select
    operating systems (WinXP and Windows 2003) and will have support once a
    security vulnerability is reported in the product. The last security
    released for this product was in Feb 2002 and it is available for public
    download and build number is 8.2.8307.0 (this is SP2).

    Link to the latest security bulletin released Feb 2002:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;318202

    The more recent link pertains to SQL Server 2000 SP3 which is for MSXML
    2.6 SP3.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823490

    doug neal
    Security Business & Technology Unit (SBTU)
    Microsoft Baseline Security Analyzer (MBSA)

    For all MSSECURE.XML issues, send questions to WUSecure
    d u g n @ m i c r o s o f t . c o m

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Joe Dance
    Sent: Friday, October 15, 2004 1:36 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: MSXML Service Packs

    MBSA today reported that one NT server was running MSXML2.6 SP2, while
    SP3
    was the most current SP available. On that system and others, it also
    reported that MSXML 3 SP4 was installed, while SP5 was the most current
    SP
    available. Admittedly, I had not run MBSA against these particular
    machines
    in a while. I keep up with patches, but MSXML and MDAC updates do not
    seem
    to get distributed by way of Windows Update, nor does it detect needed
    updates to MSXML or MDAC - but MBSA checks them both.

    The problem is that no trace of SP3 for MSXML 2.6, or of SP5 for MSXML
    3,
    can be found anywhere on any Microsoft websites, or other sites. There
    is
    currently NO published information available, on the Microsoft XML
    websites
    or elsewhere, about MSXML2.6, and the latest version of MSXML 3
    available is
    SP4.

    Resolution:
    MSXML 3 SP4 and MSXML4 SP2 are available online. Get current versions
    of
    MSXML 3 and 4 at msdn.microsoft.com/XMLDownloads

    For MSXML2.6, go to knowledgebase article 823490; download and install
    the
    msxml file. Although the article does not mention MSXML 2.6 SP3, that
    is
    what you are getting.

    If anyone knows of a proper way to remove or uninstall old versions of
    MSXML, I think a lot of folks would like to hear it. At least one
    Microsoft
    rep has publicly stated that old versions of MSXML cannot be removed.
    They
    are not listed in Add/Remove Programs. It might be as simple as
    unregistering the dll files, and deleting them, but I'm not certain of
    that,
    or of what other effects such action would trigger. As I stated, I'm
    open
    to suggestion.

    Joe Dance
    University of South Carolina

    ---
    [This E-mail scanned for viruses by Declude Virus]
    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is
    configured such that just hitting reply is going to result in the
    message coming to the list, not to the individual who sent the message.
    This was done to help reduce the number of Out of Office messages
    posters received. So if you want to send a reply just to the poster,
    you'll have to copy their email address out of the message and place it
    in your TO: field.
    --
    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    

  • Next message: Liu Die Yu: "Re: Windows file I/O not internationalized"

    Relevant Pages

    • MSXML Service Packs
      ... MBSA today reported that one NT server was running MSXML2.6 SP2, while SP3 ... reported that MSXML 3 SP4 was installed, while SP5 was the most current SP ... can be found anywhere on any Microsoft websites, ...
      (NT-Bugtraq)
    • Re: MS02-008 on SQL 2000 server
      ... It does mention that it is fixed in W2K SP3 but only the versionof MSXML ... > The hfnetchk reported that I need to install MS02-008 (the XMLHTTP patch). ...
      (microsoft.public.security)
    • Microsoft Baseline Security
      ... The baseline security analyzer is reporting that the ... latest sp for msxml 2.6sp2 is not installed. ... sp3 and it still reported that it was not installed. ...
      (microsoft.public.win2000.security)
    • MBSA and MSXML 2.6
      ... MBSA is saying that I currently have MSXML 2.6 SP2, ... When I did a search on the net, not only is SP3 not ... it is also included in MS SQL 2000 SP3 that I ... Is there a way to manually check my version of MSXML 2.6? ...
      (microsoft.public.sqlserver.security)
    • Re: WINXP and constant the same updates for weeks. WHY ???
      ... Download Microsoft Windows Installer CleanUp utility ... Install this tool on the computer. ... See if you can find MSXML software. ...
      (microsoft.public.windowsupdate)