Contact us
Distributors
Downloads
Software registration
RMA service
Forum discussions
Support portal
Developer portal

msxml4.dll (dated 22.09.2009) installed by Dewesoft-Setup causes critical vulnerability listing

  • Software
  • msxml4.dll (dated 22.09.2009) installed by Dewesoft-Setup causes critical vulnerability listing
Stefan J

Posted on 09.02.2022 16:15
Login to reply

Our IT-Services-Department did a vulnerability scan on our systems.

They found "msxml4.dll" (dated 22.09.2009) in Directory "C:\Windows\SysWOW64", with critical vulnerability listing:


XML Core version : 4.0 Post SP3 (KB2758694), EOL date : 2014/04/12

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.


Dewesoft-Setup installs this library with MS XML Parser 4.0 during setup.

Is this library neccessary? Can we delete it without issues in Dewesoft?


Matic Pevec
Customer Support Engineer
Posted on 16.02.2022 11:29
Login to reply

Dear Stefan,


Thank you for noticing this. We will change DLL in order prevent vulnerability. I will let you know about the progress and details of the new version.


Regarding your last question I must say that you're not able delete this library because it is neccesarry to load setup files, project files, etc. properly.


I hope this answers your question.


Best regards

Stefan J

Posted on 16.02.2022 12:31
Login to reply

Hello Matic,

thanks for reply.

It is really urgent, since we have to uninstall the outdated MSXML or XML Core Services to carve out this critical issue.

Only msxml libs by support policy of the WinOS should be used (actual supported: MSXML 3.0 and 6.0).


this are the links to msxml at Microsoft.com:

http://www.nessus.org/u?92132729

http://www.nessus.org/u?cfb1b524

Matic Pevec
Customer Support Engineer
Posted on 23.02.2022 10:04
Login to reply

Dear Stefan,


Understand your concern. I would like to update you that changing the MSXML is still in development process on our side. I will keep you updated about the progress.


Best regards

Matic Pevec
Customer Support Engineer
Posted on 10.03.2022 09:40
Login to reply

Dear Stefan,


If you navigate to "C:\Windows\SysWOW64" and find v3 and v6 in the folder you can delete msxml4.dll and msxml4r.dll and keep v3 and v6. Loading setup or project files will be correct as long as there are v3 and v6.


I will let you know when we prepare DewesoftX that update will take care for this steps.


BR

Matic Pevec
Customer Support Engineer
Posted on 11.05.2022 11:18
Login to reply

Hi,


We would like to inform you that the new installer for DewesoftX only installs MSXML 3.0 which is not marked as vulnerable. Please note that installer doesn't delete msxml4.dll. This step should be performed manually. But if you perform clean install only MSXML 3.0 is installed.


The new installer for DewesoftX OFFICIAL RELEASE version (2022.1) is already available on Download Center on this link: https://download.dewesoft.com/list/dewesoftx/dewesoftx-official-release-version.


Regards


Login to reply to this topic. If you don't have account yet, you can signup for free account .