Virtual PC 2007 (SP1) silently installs vulnerable MSXML6

Stefan Kanthak

Hi @ll,

one more chapter in the book "How Microsoft lives Trustworthy
Computing". NOT!

Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
Microsoft Download Center.
The SETUP.EXE (32 bit) available for download there contains but an
outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
precise; notice the ENU, even in the GERMAN SETUP.EXE).

This MSXML6 gets installed (in case no newer MSXML6 is already
present on the target system) WITHOUT ANY notice even before the
first MSI dialog of VPC is displayed, i.e. the user's system is
altered even if s/he chooses to abort the installation (or the
installation aborts itself, as is the case on Windows 2000).

Where has the QA department been sleeping lately?

Stefan

PS: "Virtual PC 2007" has the same error too.

 
Chris Wood

Stefan,

Is this on XP SP3? I wonder if this is related
http://forums.microsoft.com:80/MSDN/ShowPo...267649&SiteID=1

Chris

"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
news:e4BaX23tIHA.4492@TK2MSFTNGP02.phx.gbl...
> Hi @ll,
>
> one more chapter in the book "How Microsoft lives Trustworthy
> Computing". NOT!
>
> Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
> Microsoft Download Center.
> The SETUP.EXE (32 bit) available for download there contains but an
> outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
> precise; notice the ENU, even in the GERMAN SETUP.EXE).
>
> This MSXML6 gets installed (in case no newer MSXML6 is already
> present on the target system) WITHOUT ANY notice even before the
> first MSI dialog of VPC is displayed, i.e. the user's system is
> altered even if s/he chooses to abort the installation (or the
> installation aborts itself, as is the case on Windows 2000).
>
> Where has the QA department been sleeping lately?
>
> Stefan
>
> PS: "Virtual PC 2007" has the same error too.

 
Chris Wood

Seems that msxml6r.dll is now protected by Windows XP SP3.

Chris

"Chris Wood" <anonymous@microsoft.com> wrote in message
news:uCkTvANwIHA.5448@TK2MSFTNGP04.phx.gbl...
> Stefan,
>
> Is this on XP SP3? I wonder if this is related
> http://forums.microsoft.com:80/MSDN/ShowPo...267649&SiteID=1
>
> Chris
>
> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
> news:e4BaX23tIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Hi @ll,
>>
>> one more chapter in the book "How Microsoft lives Trustworthy
>> Computing". NOT!
>>
>> Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
>> Microsoft Download Center.
>> The SETUP.EXE (32 bit) available for download there contains but an
>> outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
>> precise; notice the ENU, even in the GERMAN SETUP.EXE).
>>
>> This MSXML6 gets installed (in case no newer MSXML6 is already
>> present on the target system) WITHOUT ANY notice even before the
>> first MSI dialog of VPC is displayed, i.e. the user's system is
>> altered even if s/he chooses to abort the installation (or the
>> installation aborts itself, as is the case on Windows 2000).
>>
>> Where has the QA department been sleeping lately?
>>
>> Stefan
>>
>> PS: "Virtual PC 2007" has the same error too.

 
Stefan Kanthak

"Chris Wood" <anonymous@microsoft.com> wrote:
              ~~~~~~~~~~~~~~~~~~~~~~~
              Really?

> Stefan,
>
> Is this on XP SP3?

No. XP SP3 (as well as Server 2008 and Vista; all three are the intended
hosts of VPC2007SP1) has the current MSXML6, so the distribution of the
MSXML update with VPC2007SP1 is USELESS!

> I wonder if this is related
> http://forums.microsoft.com:80/MSDN/ShowPo...267649&SiteID=1

I suspect the same cause: MSXML6 is up to date on XP SP3.

> Chris

ARGH! Please stop top posting.

Stefan

> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
> news:e4BaX23tIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Hi @ll,
>>
>> one more chapter in the book "How Microsoft lives Trustworthy
>> Computing". NOT!
>>
>> Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
>> Microsoft Download Center.
>> The SETUP.EXE (32 bit) available for download there contains but an
>> outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
>> precise; notice the ENU, even in the GERMAN SETUP.EXE).
>>
>> This MSXML6 gets installed (in case no newer MSXML6 is already
>> present on the target system) WITHOUT ANY notice even before the
>> first MSI dialog of VPC is displayed, i.e. the user's system is
>> altered even if s/he chooses to abort the installation (or the
>> installation aborts itself, as is the case on Windows 2000).
>>
>> Where has the QA department been sleeping lately?
>>
>> Stefan
>>
>> PS: "Virtual PC 2007" has the same error too.

 