Report: Old bugs in Microsoft XML still haunt users, program ‘most exposed’

A quarterly report on the “most exposed” programs on users' systems found that old vulnerabilities in Microsoft XML Core Services continue to plague users.

Last week, vulnerability management firm Secunia released its Q2 2014 stats on vulnerable software, which it determined using its security scanner PSI. In the U.S., Microsoft XML Core Services 4 was said to pose the biggest risk to PC users, due to its market share and number of users running unpatched software.

According to the US report (PDF), 43 percent of users ran vulnerable versions of MSXML 4. The product was the only one on the top 10 list of exposed programs for which no vulnerabilities had been publicly disclosed in the last four quarters. MSXML allows developers to build XML-based applications under the World Wide Web Consortium (W3C) XML standards.

In emailed comments, Kasper Lingaard, director of research and security at Secunia, addressed the concerning trend.

“Although no new vulnerabilities have been discovered in Microsoft XML Core Services 4 for the past 12 months, two old vulnerabilities continue to haunt PC users who still haven't patched,” he wrote. “In the US, 79% of PC users who use the Secunia PSI had Microsoft XML Core Services installed...Forty-three percent of these users had not patched the program, even though a patch is available.”

Lingaard said that "since older MSXML service packs are considered end-of-life, users are not being offered patches as they normally would," via Windows Update, for instance.

Worse yet, he added, was that the firm had not seen considerable improvements in the figures in recent years. MSXML has topped the firm's list of most exposed programs since December 2012, Lingaard noted.
