MSXML4 to be Disabled in Late 2007

IEBlog The Windows Internet Explorer Weblog


Jeremy Dallman here with some important information from the MSXML team to the IE development community. The XML Team’s Blog has recently announced that they will be issuing a kill-bit for MSXML4 at the end of 2007 (October-December timeframe). Please read through the below post copied from the XML Team’s Blog and start validating your applications against MSXML6.

They have provided an email address to field your questions or concerns. Please don’t hesitate to contact them with your feedback.

Jeremy Dallman
Program Manager
                                                          

[from the MSXML Blog]

As a part of our MSXML4 End of Life plan, we are going to kill bit MSXML4 in the October – December timeframe of this year. This kill bit applies to Internet Explorer only. After the kill bit, web applications will not be able to create MSXML4 objects in the browser. Applications which are not kill-bit aware will continue to work with MSXML4.

We are announcing this in advance so that our customers get sufficient time to try their applications with MSXML6 and give us feedback on their experience. Please email us at msxml4@microsoft.com with feedback/questions/concerns.

Why:

We are going to kill-bit MSXML4 to ensure a secure browsing experience for our customers. We are planning to also remove MSXML4 from the Download Center page within the next 12 months. Support for MSXML4 going forward will be restricted to high impact security issues only.

MSXML6 is the latest version available to MSXML customers today. This is where all the functionality, performance and security improvements are going in. In addition, MSXML6 provides improved W3C compliance and increased compatibility with System.XML in .NET. The recommendation for MSXML customers is to program using MSXML6 and upgrade apps using older versions to MSXML6.

We strongly encourage everyone to start using MSXML6 SP1. MSXML6 SP1 is now available for all supported down-level platforms and can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en

MSXML Supported Versions:

We addressed this in a blog entry http://blogs.msdn.com/xmlteam/archive/2006/10/23/using-the-right-version-of-msxml-in-internet-explorer.aspx

The summary is:

MSXML6 – Should be your first choice. This is the MSXML version that will be carried forward. MSXML6 shipped with Vista and we are working on getting this in downlevel OS Service Packs.

MSXML3 – This has the advantage of having shipped with every supported OS. We are committed to keeping MSXML3 robust and stable but won’t be adding any functional improvements.

MSXML4 – This is in maintenance mode with a very high bar for fixes approaching End of Life.

MSXML5 – Exclusively meant for Office. Do not take any dependencies on it.
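The version guidance above, as an added example that is not part of the MSXML team's post: a creation helper that prefers MSXML6, falls back to MSXML3, and never depends on MSXML4. The `createObject` parameter and the `fakeHost` test double are assumptions of this example; in Internet Explorer the factory would wrap `new ActiveXObject(progId)`.

```javascript
// Added example (not from the MSXML team's post). Written in ES3 style so the
// same code also runs in the Internet Explorer versions the post discusses.
var PREFERRED_PROGIDS = [
  "Msxml2.DOMDocument.6.0", // first choice per the post
  "Msxml2.DOMDocument.3.0"  // shipped with every supported OS
];

// `createObject` is an injectable stand-in (an assumption of this example) for
// `new ActiveXObject(progId)`, so the selection logic can be exercised outside IE.
function createDomDocument(createObject, progIds) {
  progIds = progIds || PREFERRED_PROGIDS;
  var failures = [];
  for (var i = 0; i < progIds.length; i++) {
    try {
      return { progId: progIds[i], doc: createObject(progIds[i]), failures: failures };
    } catch (e) {
      failures.push(progIds[i]); // keep for logging which versions were refused
    }
  }
  throw new Error("No usable MSXML version; tried " + failures.join(", "));
}

// Constructed test double: a host where some ProgIDs are installed and some of
// those are kill-bitted. The double throws for both missing and killed ProgIDs.
function fakeHost(installed, killBitted) {
  return function (progId) {
    var ok = false, i;
    for (i = 0; i < installed.length; i++) if (installed[i] === progId) ok = true;
    for (i = 0; i < killBitted.length; i++) if (killBitted[i] === progId) ok = false;
    if (!ok) throw new Error("Automation server can't create object");
    return { progId: progId };
  };
}

// In Internet Explorer:
//   var xml = createDomDocument(function (id) { return new ActiveXObject(id); }).doc;
```

A page that still lists only the 4.0 ProgID gets the thrown error once the kill bit is in place, which is the failure to look for when validating an application against MSXML6.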

MSXML4 & 6 Differences and Compatibility:

Key changes introduced between MSXML4 and MSXML6 and migration are described in the blog entry at http://blogs.msdn.com/xmlteam/archive/2007/03/12/upgrading-to-msxml-6-0.aspx

Summary:

We believe this is the best plan for MSXML customers going forward – avoids confusion regarding multiple versions, ensures a safe browsing experience when using MSXML and provides a path to use future functional improvements. If you run into issues with the migration or have questions/feedback feel free to contact us at msxml4@microsoft.com. All of the MSXML team is on this alias eager to hear your feedback and assist with the migration.

  • Is there a way to disable MS XML 4 already now?

  • Hi Jorrit,

    setting the killbit manually should work:

    ---8<---

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]

    "Compatibility Flags"=dword:00000400

    --->8---

    See also http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx

    and there under "Vulnerability Details -> Workarounds for Microsoft XML Core Services Vulnerability"

    HTH,

    Freudi

  • Well, I really "love" the double linebreaks here in the Comments section :-/

    Should read:

    ---8<---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
    "Compatibility Flags"=dword:00000400

    --->8---

    Hope it works this time (no blank line between ---8<--- and REGEDIT4 and no one between [HKEY_LOCAL_MACHINE\...] and "Compatibility Flags")

    Sorry,

    Freudi

  • This will cause a lot of problems for our applications....

  • Why then is Microsoft continuing to support MSXML 3?  Isn't that even more unsecure than MSXML 4?

  • "Why then is Microsoft continuing to support MSXML 3?  Isn't that even more unsecure than MSXML 4?"

    The way I read it, MSXML3 is a very basic set of XML tools that is used often as a base for other tools.

    "This will cause a lot of problems for our applications...."

    Sounds like you need a better software architect then ;)

  • As my namesake might say "I don't believe it!"

    I can understand moving things forward, but why force everyone by releasing the killbit?

    Especially as v6 won't run on 98!

    So... to be compatible with 98 we are going to have to detect the OS and load a different XML object.

    Oh joy!

  • "to be compatible with 98"

    What are you doing to support Windows 3.1?

  • @Richard Wilson: Is your application running inside Internet Explorer?  If not, does it check the killbit itself?  If not, then your application will not be affected.

  • I hope you'll block all MSXML installation requests from IE7, because many sites try to install an MSXML SPx for something, but this is not safe, because how can a user know if it is really needed and safe? All these ActiveX requests generate confusion for IE users.

    I hope for next IE8 you create a new way to handle the activex components, i.e. I'd like having the possibility to choose which particular activex I want to run i.e. having a list and deny all others. For example I want disable activex for all, except flash activex plug-in.

  • @cas

    "I'd like having the possibility to choose which particular activex I want to run i.e. having a list and deny all others. For example I want disable activex for all, except flash activex plug-in. "

    You mean like "Manage Add-ons"? Which has a list of Active X components you can "Enabled" and "Disable" as you see fit?

    Otherwise, if you don't want to run the component, don't elect to install it when it asks you.

  • MSXML4 is very unsecure, I think we should be able to have a choice whether or not to disable and enable it.

    Most IE7 MSXML4 are disabled in my IE7 now but hopefully in a later date all goes well

  • "I can understand moving things forward, but why force everyone by releasing the killbit?

    Especially as v6 won't run on 98!

    So... to be compatible with 98 we are going to have to detect the OS and load a different XML object."

    98 doesn't get any more security updates, so it will never get this killbit.  Probably the best thing to do is try to instantiate V6, and if that fails instantiate V4.

  • I am struggling to understand "After the kill bit, web applications will not be able to create MSXML4 objects in the browser. Applications which are not kill-bit aware will continue to work with MSXML4. ".

    We have certain COM components that use MSXML parser. These COM components are used in both desktop and web application.

    Are we affected?

    By "in browser" do you mean the client side of web applications?

    How can I figure out that my application is kill-bit aware?

    Forgive me if I sound naive. I sound naive because ... :-)

  • "How can I figure out that my application is kill-bit aware?"

    Set the kill bit in the registry as described in a previous comment on a test machine and then TEST your application.
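An added example, not part of the original post or its comments: before testing on a machine prepared as described in the thread, this parser reads REGEDIT4 text exported from the `ActiveX Compatibility` key and reports which CLSIDs have the kill bit (0x400) set. The sample input is constructed; it reuses the CLSID quoted in the comments and adds three placeholder CLSIDs.

```javascript
// Added example (not from the page): audit REGEDIT4 text for ActiveX kill bits.
var KILL_BIT = 0x400; // the flag value set by the .reg snippet in the comments
var KEY_RE = /\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9a-f-]{36}\})\]$/i;
var VALUE_RE = /^"Compatibility Flags"=dword:([0-9a-f]{1,8})$/i;

// Returns { "<clsid>": { flags: number|null, killed: boolean } }.
function parseKillBits(regText) {
  var results = {}, clsid = null, lines = regText.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/^\s+|\s+$/g, "");
    if (line === "") continue; // blank lines (e.g. doubled breaks) are skipped
    if (line.charAt(0) === "[") {
      var key = KEY_RE.exec(line);
      clsid = key ? key[1].toLowerCase() : null; // unrelated keys reset the context
      if (clsid && !results[clsid]) results[clsid] = { flags: null, killed: false };
      continue;
    }
    var val = VALUE_RE.exec(line);
    if (val && clsid) {
      var flags = parseInt(val[1], 16);
      // Test the bit, not equality: other compatibility flags may also be set.
      results[clsid] = { flags: flags, killed: (flags & KILL_BIT) !== 0 };
    }
  }
  return results;
}

// Constructed sample: the CLSID from the thread plus three placeholder CLSIDs.
var BASE = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\";
var SAMPLE_REG = [
  "REGEDIT4", "",
  BASE + "{88d969c5-f192-11d4-a65f-0040963251e5}]", "",
  "\"Compatibility Flags\"=dword:00000400", "",
  BASE + "{00000000-0000-0000-0000-000000000001}]",
  "\"Compatibility Flags\"=dword:00800400",
  BASE + "{00000000-0000-0000-0000-000000000002}]",
  "\"Compatibility Flags\"=dword:00000000",
  BASE + "{00000000-0000-0000-0000-000000000003}]"
].join("\r\n");

// One human-readable line per CLSID found under the compatibility key.
function report(regText) {
  var r = parseKillBits(regText), out = [];
  for (var id in r) out.push(id + " " + (r[id].killed ? "kill bit set" : "kill bit not set"));
  return out;
}
```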
