Virtual PC 2007 (SP1) silently installs vulnerable MSXML6


Stefan Kanthak

Hi @ll,

one more chapter in the book "How Microsoft lives Trustworthy
Computing". NOT!

Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
Microsoft Download Center.
The SETUP.EXE (32 bit) available for download there contains but an
outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
precise; notice the ENU, even in the GERMAN SETUP.EXE).

This MSXML6 gets installed (in case no newer MSXML6 is already
present on the target system) WITHOUT ANY notice even before the
first MSI dialog of VPC is displayed, i.e. the user's system is
altered even if s/he chooses to abort the installation (or the
installation aborts itself, as is the case on Windows 2000).

Where has the QA department been sleeping lately?

Stefan

PS: "Virtual PC 2007" has the same error too.
 
Stefan,

Is this on XP SP3? I wonder if this is related
http://forums.microsoft.com:80/MSDN/ShowPo...267649&SiteID=1

Chris

"Stefan Kanthak" wrote in message
news:e4BaX23tIHA.4492@TK2MSFTNGP02.phx.gbl...
> Hi @ll,
>
> one more chapter in the book "How Microsoft lives Trustworthy
> Computing". NOT!
>
> Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
> Microsoft Download Center.
> The SETUP.EXE (32 bit) available for download there contains but an
> outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
> precise; notice the ENU, even in the GERMAN SETUP.EXE).
>
> This MSXML6 gets installed (in case no newer MSXML6 is already
> present on the target system) WITHOUT ANY notice even before the
> first MSI dialog of VPC is displayed, i.e. the user's system is
> altered even if s/he chooses to abort the installation (or the
> installation aborts itself, as is the case on Windows 2000).
>
> Where has the QA department been sleeping lately?
>
> Stefan
>
> PS: "Virtual PC 2007" has the same error too.
>
 
Seems that msxml6r.dll is now protected by Windows XP SP3.

Chris

"Chris Wood" wrote in message
news:uCkTvANwIHA.5448@TK2MSFTNGP04.phx.gbl...
> Stefan,
>
> Is this on XP SP3? I wonder if this is related
> http://forums.microsoft.com:80/MSDN/ShowPo...267649&SiteID=1
>
> Chris
>
> "Stefan Kanthak" wrote in message
> news:e4BaX23tIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Hi @ll,
>>
>> one more chapter in the book "How Microsoft lives Trustworthy
>> Computing". NOT!
>>
>> Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
>> Microsoft Download Center.
>> The SETUP.EXE (32 bit) available for download there contains but an
>> outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
>> precise; notice the ENU, even in the GERMAN SETUP.EXE).
>>
>> This MSXML6 gets installed (in case no newer MSXML6 is already
>> present on the target system) WITHOUT ANY notice even before the
>> first MSI dialog of VPC is displayed, i.e. the user's system is
>> altered even if s/he chooses to abort the installation (or the
>> installation aborts itself, as is the case on Windows 2000).
>>
>> Where has the QA department been sleeping lately?
>>
>> Stefan
>>
>> PS: "Virtual PC 2007" has the same error too.
>>

>
>
 
"Chris Wood" wrote:
~~~~~~~~~~~~~~~~~~~~~~~
Really?

> Stefan,
>
> Is this on XP SP3?


No. XP SP3 (as well as Server 2008 and Vista; all three are the intended
hosts of VPC2007SP1) has the current MSXML6, so the distribution of the
MSXML update with VPC2007SP1 is USELESS!

> I wonder if this is related
> http://forums.microsoft.com:80/MSDN/ShowPo...267649&SiteID=1


I suspect the same cause: MSXML6 is up to date on XP SP3.

> Chris


ARGH! Please stop top posting.

Stefan

> "Stefan Kanthak" wrote in message
> news:e4BaX23tIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Hi @ll,
>>
>> one more chapter in the book "How Microsoft lives Trustworthy
>> Computing". NOT!
>>
>> Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
>> Microsoft Download Center.
>> The SETUP.EXE (32 bit) available for download there contains but an
>> outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
>> precise; notice the ENU, even in the GERMAN SETUP.EXE).
>>
>> This MSXML6 gets installed (in case no newer MSXML6 is already
>> present on the target system) WITHOUT ANY notice even before the
>> first MSI dialog of VPC is displayed, i.e. the user's system is
>> altered even if s/he chooses to abort the installation (or the
>> installation aborts itself, as is the case on Windows 2000).
>>
>> Where has the QA department been sleeping lately?
>>
>> Stefan
>>
>> PS: "Virtual PC 2007" has the same error too.
>>
 