msxml4.dll (dated 22.09.2009) installed by Dewesoft-Setup causes critical vulnerability listing
Our IT-Services-Department did a vulnerability scan on our systems.
They found "msxml4.dll" (dated 22.09.2009) in Directory "C:\Windows\SysWOW64", with critical vulnerability listing:
XML Core version : 4.0 Post SP3 (KB2758694), EOL date : 2014/04/12
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Dewesoft-Setup installs this library with MS XML Parser 4.0 during setup.
Is this library necessary? Can we delete it without issues in Dewesoft?
Customer Support Engineer
Dear Stefan,
Thank you for noticing this. We will change the DLL in order to prevent the vulnerability. I will let you know about the progress and details of the new version.
Regarding your last question, I must say that you're not able to delete this library because it is necessary to load setup files, project files, etc. properly.
I hope this answers your question.
Best regards
Hello Matic,
thanks for the reply.
It is really urgent, since we have to uninstall the outdated MSXML or XML Core Services to carve out this critical issue.
Only msxml libs by support policy of the WinOS should be used (actual supported: MSXML 3.0 and 6.0).
These are the links to msxml at Microsoft.com:
http://www.nessus.org/u?92132729
http://www.nessus.org/u?cfb1b524
Customer Support Engineer
Dear Stefan,
I understand your concern. I would like to update you that changing the MSXML is still in the development process on our side. I will keep you updated about the progress.
Best regards
Customer Support Engineer
Dear Stefan,
If you navigate to "C:\Windows\SysWOW64" and find v3 and v6 in the folder, you can delete msxml4.dll and msxml4r.dll and keep v3 and v6. Loading setup or project files will be correct as long as there are v3 and v6.
I will let you know when we prepare a DewesoftX update that will take care of these steps.
BR
Customer Support Engineer
Hi,
We would like to inform you that the new installer for DewesoftX only installs MSXML 3.0, which is not marked as vulnerable. Please note that the installer doesn't delete msxml4.dll. This step should be performed manually. But if you perform a clean install, only MSXML 3.0 is installed.
The new installer for the DewesoftX OFFICIAL RELEASE version (2022.1) is already available in the Download Center at this link: https://download.dewesoft.com/list/dewesoftx/dewesoftx-official-release-version.
Regards
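
The check described in the support reply above (confirm v3 and v6 are present in "C:\Windows\SysWOW64" before removing msxml4.dll and msxml4r.dll), as an added PowerShell example that is not part of the original thread or Dewesoft's tooling. It only reports and deletes nothing; the function names are hypothetical, and the file names msxml3.dll and msxml6.dll are assumed here as the names of the v3 and v6 libraries.

```powershell
# Added example: audit only, nothing is deleted or modified.
# Folder taken from the thread; on 64-bit Windows it holds the 32-bit libraries.
$dir = Join-Path $env:SystemRoot 'SysWOW64'

function Get-MsxmlInventory {
    # Lists every msxml*.dll in the folder with the details a scanner finding
    # or change ticket usually needs (version, file date, hash).
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter 'msxml*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                FileVersion = $_.VersionInfo.FileVersion
                LastWrite   = $_.LastWriteTime.ToString('yyyy-MM-dd')
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Test-Msxml4RemovalPrecondition {
    # Applies the condition from the support reply: v3 and v6 must both be
    # present before msxml4.dll / msxml4r.dll are removed.
    param([object[]]$Inventory)
    $names = @($Inventory | ForEach-Object { $_.Name.ToLowerInvariant() })
    $hasV3 = $names -contains 'msxml3.dll'   # assumed file name for v3
    $hasV6 = $names -contains 'msxml6.dll'   # assumed file name for v6
    $v4    = @($names | Where-Object { $_ -in 'msxml4.dll', 'msxml4r.dll' })
    [pscustomobject]@{
        HasV3           = $hasV3
        HasV6           = $hasV6
        V4FilesPresent  = ($v4 -join ', ')
        PreconditionMet = ($hasV3 -and $hasV6 -and ($v4.Count -gt 0))
    }
}

$inventory = @(Get-MsxmlInventory -Path $dir)
$inventory | Format-Table -AutoSize
Test-Msxml4RemovalPrecondition -Inventory $inventory | Format-List
```

Running it again after the manual removal, and again after a vulnerability rescan, gives a before/after record of which MSXML versions remain on the host.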