Virtual PC 2007 (SP1) silently installs vulnerable MSXML6

Posted by Stefan Kanthak on May 16, 2008, 1:52 pm
Hi @ll,

one more chapter in the book "How Microsoft lives Trustworthy
Computing". NOT!

Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
Microsoft Download Center.
The SETUP.EXE (32 bit) available for download there contains but an
outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
precise; notice the ENU, even in the GERMAN SETUP.EXE).

This MSXML6 gets installed (in case no newer MSXML6 is already
present on the target system) WITHOUT ANY notice even before the
first MSI dialog of VPC is displayed, i.e. the user's system is
altered even if s/he chooses to abort the installation (or the
installation aborts itself, as is the case on Windows 2000).

Where has the QA department been sleeping lately?

Stefan

PS: "Virtual PC 2007" has the same error too.
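
The behaviour reported in the post above (MSXML6 files written before the first installer dialog, even when setup is then aborted) can be verified by comparing file versions before and after an installer run. This is an added PowerShell example, not part of the original thread; the function names are hypothetical and `$MinimumVersion` is a placeholder to be replaced with the patched MSXML6 version for the platform.

```powershell
# Added example (not from the thread): detect silent changes to MSXML6 files.
# PLACEHOLDER baseline: substitute the version from the current MSXML6 bulletin.
$MinimumVersion = [version]'0.0.0.0'

function Get-Msxml6Snapshot {
    # On 64-bit Windows, also check SysWOW64, where a 32-bit setup writes its files.
    param([string]$Directory = (Join-Path $env:SystemRoot 'System32'))
    $snapshot = @{}
    $files = Get-ChildItem -Path $Directory -Filter 'msxml6*.dll' -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $vi = $file.VersionInfo
        $version = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $snapshot[$file.Name] = [pscustomobject]@{
            Version   = $version
            WrittenAt = $file.LastWriteTimeUtc
        }
    }
    return $snapshot
}

function Compare-Msxml6Snapshot {
    param([hashtable]$Before, [hashtable]$After, [version]$Minimum)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $old = $Before[$name]
        $new = $After[$name]
        if (-not $new)     { $state = 'Removed' }
        elseif (-not $old) { $state = 'Added' }
        elseif ($old.Version -ne $new.Version -or $old.WrittenAt -ne $new.WrittenAt) { $state = 'Changed' }
        else               { $state = 'Unchanged' }
        [pscustomobject]@{
            File         = $name
            State        = $state
            Before       = if ($old) { $old.Version } else { $null }
            After        = if ($new) { $new.Version } else { $null }
            BelowMinimum = [bool]($new -and $new.Version -lt $Minimum)
        }
    }
}

$before = Get-Msxml6Snapshot
# ... start the installer under test, then cancel at its first dialog ...
$after = Get-Msxml6Snapshot
Compare-Msxml6Snapshot -Before $before -After $after -Minimum $MinimumVersion |
    Format-Table -AutoSize
```

Any row with State `Added` or `Changed` after a cancelled setup shows that the system was modified before the user consented; `BelowMinimum` flags a file older than the chosen baseline.
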


Posted by Chris Wood on May 28, 2008, 10:36 am
Stefan,

Is this on XP SP3? I wonder if this is related
http://forums.microsoft.com:80/MSDN/ShowPost.aspx?PostID=3267649&SiteID=1

Chris




Posted by Chris Wood on May 28, 2008, 10:40 am
Seems that msxml6r.dll is now protected by Windows XP SP3.

Chris




Posted by Stefan Kanthak on May 28, 2008, 4:47 pm
~~~~~~~~~~~~~~~~~~~~~~~
Really?

> Stefan,
>
> Is this on XP SP3?

No. XP SP3 (as well as Server 2008 and Vista; all three are the intended
hosts of VPC2007SP1) has the current MSXML6, so the distribution of the
MSXML update with VPC2007SP1 is USELESS!

> I wonder if this is related
> http://forums.microsoft.com:80/MSDN/ShowPost.aspx?PostID=3267649&SiteID=1

I suspect the same cause: MSXML6 is up to date on XP SP3.

> Chris

ARGH! Please stop top posting.

Stefan


