Last week there was a post which finally helped me emerge from the shrouding mists of confusion on MSXML versions. After reading this, I was finally put at ease about which versions are which, and which to use.
Now, apparently, there is a zero-day exploit for MSXML 4. But, according to the well-timed post above, we really shouldn’t be using MSXML 4. In fact, Adam made it clear that MSXML 6 is the one to use if you need MSXML 4 functionality:
MSXML4 was a predecessor to MSXML6 but hasn’t ever shipped in the operating system. MSXML6 is a significant step forward in terms of reliability, security, W3C and System.Xml compatibility, and it also has support for native 64-bit environments. Right now we are investing much more heavily in MSXML6 and MSXML3 and we’re encouraging our customers to move to 6 when possible and 3 when necessary.
So, I recommend you block IE from loading MSXML 4 on your machine. You can do this in the registry by setting what is known as the "kill bit". Here’s how you do that from the command line (forget the .reg file approach MS outlines in the workaround):
reg add "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
Of course, this will break sites which use MSXML 4 – but they shouldn’t be doing so. Kindly write them and ask them to redo this bit, pointing to the above clarification on MSXML.
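A check-and-set version of the command above, as an added PowerShell example that is not from the original post: it ORs 0x400 into any existing Compatibility Flags value instead of overwriting it, and also covers the Wow6432Node view that 32-bit IE reads on 64-bit Windows. It assumes an elevated 64-bit PowerShell session; the function names and the $Apply switch are made up for illustration.

```powershell
# Added example: audit (and optionally set) the IE kill bit for the CLSID in the post.
$Clsid   = '{88d969c5-f192-11d4-a65f-0040963251e5}'   # CLSID from the post
$KillBit = 0x400                                       # flag value from the post
$Name    = 'Compatibility Flags'
$Apply   = $false   # hypothetical switch: set to $true to write, otherwise report only

# Native registry view, plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath (Split-Path $_ -Parent) }

function Get-CompatFlags {
    param([string]$Key)
    # A missing key or missing value means no flags are set.
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$Name }
    return 0
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Preserve any other compatibility bits already present on the value.
    $new = (Get-CompatFlags $Key) -bor $KillBit
    New-ItemProperty -LiteralPath $Key -Name $Name -PropertyType DWord `
        -Value $new -Force | Out-Null
}

$report = foreach ($root in $Roots) {
    $key = Join-Path $root $Clsid
    if ($Apply) { Set-KillBit $key }
    $flags = Get-CompatFlags $key
    [pscustomobject]@{
        Key    = $key
        Flags  = '0x{0:X}' -f $flags
        Killed = ($flags -band $KillBit) -ne 0
    }
}
$report | Format-Table -AutoSize
```

Run it once with $Apply left at $false to see the current state of both views, then again with $true to set the bit; IE picks up the change the next time it is started.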