MSXML 4.0 Vulnerability Remediation

In the fall of 2014, USGS system administrators started receiving warning messages from the Enterprise Vulnerability Management System (eVMS), raised by Tenable Nessus plugin 62758, about an MSXML4 vulnerability. NIST rates it as a Critical Severity vulnerability strictly because MSXML4 has been at End of Life (unsupported) since 04/12/2014, as reported by Microsoft.

The following is a guide to help remove any instance of MSXML 4.0 on your systems.

File Location

MSXML 4.0 can be found in the following Windows directories:

Windows 32bit OS – C:\Windows\System32

Windows 64bit OS – C:\Windows\SysWOW64

You may see multiple instances of the msxml dll file including msxml4.dll, msxml4a.dll, and msxml4r.dll.


Known software that requires MSXML 4.0

ArcGIS Desktop prior to patched version 10.2.2 – Egis released a special patched version of ArcGIS Desktop 10.2.2 to remove all instances of MSXML 4.0 and the newest release of 10.3.1 does not contain MSXML 4.0.

Canvas X prior to version 15 – Canvas is a technical illustration and drawing software that removed all instances of MSXML 4.0 in its latest release, Version 15.

CyberPower Power Panel prior to version 1.5.3 – All previous versions should be updated to version 1.5.3 which does not require MSXML 4.

Dragon Naturally Speaking – All Versions – Company states they have no plans on updating.

FBMS prior to SAP GUI version 7.40, patch 3 – SAP GUI 7.4 patch 3 was required on all admin systems by October 31, 2015. See the FBMS tst page for installation instructions.

PANalytical X-ray diffractometer software – Find more information here.

Redbeam Fixed Asset Tracking version 5.5 – The current version has been updated from a stand-alone desktop application to a web-based application that does not use MSXML 4.0. See the Redbeam page for the latest version.

Roxio Creator Suite prior to NXT 3 – Any version of Roxio Creator Suite before NXT 3 required MSXML 4.0 for some of the products within the suite including the Photo Editor. See the roxio creator page for updated versions.

VMware vCenter Update Manager 5.x/6.0 – This issue was resolved with the release of 6.0 Update 1, 5.5 Update 3, and 5.1 Update 3b. More information can be found here.

Removing the Vulnerability

In most cases, uninstalling the software that installed MSXML 4.0 as a prerequisite will remove the instance of MSXML 4.0 from your system. If the instance of MSXML 4.0 has been patched to SP2 or SP3, you should see an entry for it in Programs and Features as seen below.

Uninstalling that entry alone will not clear the vulnerability.

Since the eVMS plugin is based on the dll files listed above, the best results have been seen when renaming the .dll files to something else like .old.
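One way to script the inventory and rename described above. This is an added example, not part of the original guide or any USGS tooling. The -Rename switch and the choice to append .old to the full file name (msxml4.dll becomes msxml4.dll.old) are assumptions; the directories and file names are the ones listed under File Location.

```powershell
# Added example: report MSXML 4.0 DLLs and, on request, rename them to .old.
# Run from an elevated 64-bit PowerShell session. In a 32-bit session on a
# 64-bit OS, System32 is redirected to SysWOW64 and files are listed twice.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch: without it the script only reports what it finds.
    [switch]$Rename
)

# Directories and file names taken from the guide.
$dirs  = @("$env:windir\System32", "$env:windir\SysWOW64")
$names = @('msxml4.dll', 'msxml4a.dll', 'msxml4r.dll')

$found = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Path        = $item.FullName
                FileVersion = $item.VersionInfo.FileVersion
                LastWrite   = $item.LastWriteTime
            }
        }
    }
}

if (-not $found) {
    Write-Output "No MSXML 4.0 DLLs found on $env:COMPUTERNAME."
    return
}

# Keep this listing: it is the record needed to restore a file if a
# dependent application starts failing after the rename.
$found | Format-Table -AutoSize

if ($Rename) {
    foreach ($f in $found) {
        $newName = [IO.Path]::GetFileName($f.Path) + '.old'
        $target  = Join-Path (Split-Path $f.Path -Parent) $newName
        if (Test-Path -LiteralPath $target) {
            Write-Warning "$target already exists; skipping $($f.Path)."
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.Path, "Rename to $newName")) {
            Rename-Item -LiteralPath $f.Path -NewName $newName -ErrorAction Stop
        }
    }
}
```

Running with -Rename -WhatIf previews the renames without changing anything; renaming a file back to its original name restores it for software that still depends on MSXML 4.0.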

This method of renaming the .dll will also help pinpoint the dependent software as it will no longer be able to reach the MSXML 4.0 files and will throw errors on launch as follows:
