SUMMARY
A vulnerability is encountered when manually installing the agent for the Microsoft XML Parser (MSXML) or XML Core Services.
ISSUE
Manually installing the Unitrends agent creates an alert for a vulnerability in the OS related to the the Microsoft XML Parser (MSXML) or XML Core Services similar to:
Description
The remote host contains one or more unsupported versions of the Microsoft XML Parser (MSXML) or XML Core Services.
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Note that support for MSXML 3.0 and 6.0 is based on the support policy of the operating system on which it is installed. Support for MSXML 5.0 is based on the Microsoft Office lifecycle policy.
Solution
Upgrade the software packages responsible for the unsupported DLL versions or upgrade to a supported version of Windows (Vista / 2008 or later). Alternatively, uninstall the outdated MSXML or XML Core Services.
See Also
https://support.microsoft.com/en-us/help/269238/list-of-microsoft-xml-parser-msxml-versions
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/jj152146(v=vs.85)
Output
- Path : C:\Windows\SysWOW64\msxml4.dll
- File version : 4.20.9818.0
- XML Core version : 4.0 Post SP3 (KB2758694)
- EOL date : 2014/04/12
- EOL announcement : https://support.microsoft.com/en-us/lifecycle/search/7921
- Supported versions : 5.20.1076 (Office 2007) / 6.0 or later on a supported version of Windows (Vista / 2008 or later).
RESOLUTION
These components are included in our universal agent in order to support some 2000/2003 server systems as well as XP. The components are necessary to launch our client-side UI used for Legacy SQL support, Baremetal media creation, and more. At this time we are unable to remove these components while we continue to support some legacy OS. We expect in the future to depreciate support for some OS that are no longer supported by Microsoft itself and at that time we can remove those components, but a timeline has not been communicated at this time.
On most systems, after installing our agent you can upgrade to the current msxml release, then safely remove the msxml4.dll without production impact if the security risk is not currently acceptable.