Unsupported MSXML (CVE-2019-0795)
**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.
Vulnerability Details Unsupported MSXML
The remote host contains one or more unsupported versions of the Microsoft XML Parser (MSXML) or XML Core Services. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Severity Rating
Critical
How to Verify if a Device is Vulnerable
Use Nessus plugin ID 62758 to scan the device and check for unsupported DLL versions. Check the file versions manually and compare the version and support status with the list here.
What You Should Be Aware of if You Apply a Fix
Some applications that are running on the device may depend on the unsupported XML parsers and may stop working properly after removing them. For example, the latest Microsoft SQL Server Management Studio (SSMS) v.18.12.1 is still dependent on the MSXML 3.0. You need to check and test the applications after applying a fix.
How to Fix
First, check if the server is fully updated with Microsoft updates and still is supported. Many times, the MSXML DLL is being updated with another Windows application. If that is not being updated, then MSXML is not updated either.
Check if the DLL file is loaded. This can be done with the command tasklist /m msxml4.dll as an administrator, which will show which app has loaded the DLL. Make sure this app is fully updated or removed if it is not used anymore.
Manual removal
- Go to Control Panel > Programs and Features and uninstall MSXML 4.0 SP2 parser and SDK if present.
- Run regsvr32 /u msxml4.dll as an administrator to unregister the DLL file if it is no longer needed.
- Go to C:\Windows\System32 and C:\Windows\SysWOW64 and delete any files with names starting with msxml4.
- Restart the device.
GPO
n/a
Scripts
Powershell script to show versions of MSXML
# Get all MSXML DLLs in System32 and SysWOW64 folders
$msxml4 = Get-ChildItem -Path C:\Windows\System32, C:\Windows\SysWOW64 -Filter msxml*.dll
# Loop through each DLL and check its file version
foreach ($dll in $msxml4) {
# Get the file version of the DLL
$version = (Get-ItemProperty -Path $dll.FullName).VersionInfo.FileVersion
Write-Output “$($dll.Name) – $version”
}
Rollback
- If you need to restore the unsupported XML parsers for some reason, you can reinstall the application which uses it or restore the server from backup.
How to Verify the Fix
- Rescan the device with Nessus plugin ID 62758 and check for any remaining unsupported DLL versions.
- Test the applications that may depend on the XML parsers and ensure they are working properly.
Preventative Measures
- Upgrade the software packages responsible for the unsupported DLL versions or upgrade to a supported version of Windows.
- Monitor Microsoft’s advisories and updates for any security issues related to XML parsers.
Links (for additional resources and references)
https://www.tenable.com/plugins/nessus/62758
https://learn.microsoft.com/en-US/previous-versions/troubleshoot/msxml/list-of-xml-parser-versions