Why Microsoft XML Core Services is the most exposed program on private PCs for 11 months running

The Secunia Country Reports for Q3 2013 have just aired and once again Microsoft XML Core Services (MSXML) 4.x tops the list of “Most Exposed” software among users of the Secunia PSI.
Microsoft XML Core Services has topped the list since December 2012.

There are currently 2 vulnerabilities in Microsoft XML Core Services.
The vulnerabilities affect a large percentage of computer users, as can be seen from the Secunia Country Reports, which describe the state of security on private computers. The reports have the Microsoft program topping the list in 12 different countries.
The data from the US Country Report serves as an example of how widespread the program is, and of how large the number of users who have not yet patched it is:

In the US, 79% of PC users who use Secunia PSI had Microsoft XML Core Services installed in Q3 2013. 50% of these users had not patched the program, even though a patch is available. This means that an estimated 39.5% of US PCs are made vulnerable by MSXML 4.
And since we can assume that computer users who install the Secunia PSI on their PCs are more security aware than the average user, we suspect that 39.5% is a conservative number.

So why does a Microsoft program top the list, when Microsoft is known for pushing automatic security updates to its users, thus ensuring that vulnerabilities in Microsoft programs are patched quickly, effectively and automatically?

MSXML tops the list because of the way updates for the software are handled:

Normally, patches for Microsoft products are offered through Windows Update. But in the case of MSXML, patches are only offered for MSXML Service Pack 3. Since older MSXML Service Packs are considered End-of-Life, users on those service packs are not offered patches as they normally would be.

This can be remedied by installing the latest service pack for the software, which is also offered to consumers through the Secunia PSI and to businesses through the Secunia CSI.

Once the latest service pack is installed, patches will once again be offered correctly through Windows Update.
