MSXML4 to be Disabled in Late 2007


Jeremy Dallman here with some important information from the MSXML team for the IE development community. The XML Team’s Blog has recently announced that they will be issuing a kill-bit for MSXML4 at the end of 2007 (October-December timeframe). Please read through the post below, copied from the XML Team’s Blog, and start validating your applications against MSXML6.

They have provided an email address to field your questions or concerns. Please don’t hesitate to contact them with your feedback.

Jeremy Dallman
Program Manager

[from the MSXML Blog]

As a part of our MSXML4 End of Life plan, we are going to kill-bit MSXML4 in the October – December timeframe of this year. This kill bit applies to Internet Explorer only. After the kill bit, web applications will not be able to create MSXML4 objects in the browser. Applications which are not kill-bit aware will continue to work with MSXML4.

We are announcing this in advance so that our customers get sufficient time to try their applications with MSXML6 and give us feedback on their experience. Please email us at msxml4@microsoft.com with feedback/questions/concerns.

Why:

We are going to kill-bit MSXML4 to ensure a secure browsing experience for our customers. We are planning to also remove MSXML4 from the Download Center page within the next 12 months. Support for MSXML4 going forward will be restricted to high impact security issues only.

MSXML6 is the latest version available to MSXML customers today. This is where all the functionality, performance and security improvements are going in. In addition, MSXML6 provides improved W3C compliance and increased compatibility with System.Xml in .NET. The recommendation for MSXML customers is to program using MSXML6 and to upgrade apps using older versions to MSXML6.

We strongly encourage everyone to start using MSXML6 SP1. MSXML6 SP1 is now available for all supported down-level platforms and can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en

MSXML Supported Versions:

We addressed this in a blog entry http://blogs.msdn.com/xmlteam/archive/2006/10/23/using-the-right-version-of-msxml-in-internet-explorer.aspx

The summary is:

MSXML6 – Should be your first choice. This is the MSXML version that will be carried forward. MSXML6 shipped with Vista and we are working on getting this into downlevel OS Service Packs.

MSXML3 – This has the advantage of having shipped with every supported OS. We are committed to keeping MSXML3 robust and stable but won’t be adding any functional improvements.

MSXML4 – This is in maintenance mode with a very high bar for fixes, approaching End of Life.

MSXML5 – Exclusively meant for Office. Do not take any dependencies on it.
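As an added example (not code from the IE or MSXML teams), a small instantiation helper that encodes the preference order above: MSXML6 first, MSXML3 as the universally shipped fallback, and never MSXML4 or MSXML5. The ProgIDs Msxml2.DOMDocument.6.0 and Msxml2.DOMDocument.3.0 are the standard MSXML DOMDocument ProgIDs and are not given on this page; the ActiveX constructor is passed in as a parameter so the helper can run outside Internet Explorer, where the real call would be new ActiveXObject(progid).

```javascript
// Added example, not from the IEBlog post or the MSXML team.
// Pick the MSXML DOMDocument version the post recommends: MSXML6 first,
// MSXML3 as the fallback that ships with every supported OS, and never
// MSXML4 (kill-bitted in IE) or MSXML5 (Office-only).
// ES3-style syntax on purpose, so the same code would load in IE6/IE7.

// DOMDocument ProgIDs in order of preference (standard MSXML ProgIDs).
var PREFERRED_PROGIDS = ["Msxml2.DOMDocument.6.0", "Msxml2.DOMDocument.3.0"];

// `instantiate` is the constructor to use; in IE pass
//   function (id) { return new ActiveXObject(id); }
// Returns { progid, doc } for the first creatable version, or throws.
function createMsxmlDocument(instantiate) {
  var errors = [];
  for (var i = 0; i < PREFERRED_PROGIDS.length; i++) {
    var progid = PREFERRED_PROGIDS[i];
    try {
      var doc = instantiate(progid);
      return { progid: progid, doc: doc };
    } catch (e) {
      // Not installed, or blocked by the kill bit: both surface as a throw.
      errors.push(progid + ": " + e.message);
    }
  }
  throw new Error("No supported MSXML version can be created: " + errors.join("; "));
}

// Constructed stand-in for IE's ActiveXObject so the helper can be exercised
// here. `available` lists the ProgIDs the simulated machine can create; a
// kill-bitted control behaves exactly like an uninstalled one (the constructor throws).
function makeSimulatedActiveX(available) {
  return function (progid) {
    if (available.indexOf(progid) === -1) {
      throw new Error("Automation server can't create object");
    }
    return { progid: progid }; // placeholder for the real DOMDocument object
  };
}

// Scenario from the post: MSXML6 SP1 installed, MSXML4 kill-bitted.
var vistaLike = makeSimulatedActiveX(["Msxml2.DOMDocument.6.0", "Msxml2.DOMDocument.3.0"]);
// Scenario from the comments: a downlevel machine with no MSXML6, only MSXML3 and MSXML4.
var downlevel = makeSimulatedActiveX(["Msxml2.DOMDocument.3.0", "Msxml2.DOMDocument.4.0"]);

console.log("Vista-like picks:", createMsxmlDocument(vistaLike).progid);
console.log("Downlevel picks:", createMsxmlDocument(downlevel).progid);
```

On the downlevel machine MSXML4 is present but never tried, so the page keeps working after the kill bit without OS sniffing.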

MSXML4 & 6 Differences and Compatibility:

Key changes introduced between MSXML4 and MSXML6 and migration are described in the blog entry at http://blogs.msdn.com/xmlteam/archive/2007/03/12/upgrading-to-msxml-6-0.aspx

Summary:

We believe this is the best plan for MSXML customers going forward – it avoids confusion regarding multiple versions, ensures a safe browsing experience when using MSXML and provides a path to future functional improvements. If you run into issues with the migration or have questions/feedback, feel free to contact us at msxml4@microsoft.com. All of the MSXML team is on this alias, eager to hear your feedback and assist with the migration.

Comments (37)

  1. Is there a way to disable MS XML 4 already now?

  2. Hi Jorrit,

    setting the killbit manually should work:

    —8<—

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]

    "Compatibility Flags"=dword:00000400

    —>8—

    See also http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx

    and there under "Vulnerability Details -> Workarounds for Microsoft XML Core Services Vulnerability"

    HTH,

    Freudi

  3. Well, I really "love" the double linebreaks here in the Comments section :-/

    Should read:

    —8<—
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
    "Compatibility Flags"=dword:00000400
    —>8—

    Hope it works this time (no blank line between —8<— and REGEDIT4 and no one between [HKEY_LOCAL_MACHINE…] and "Compatibility Flags")

    Sorry,

    Freudi
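An added example (not from Freudi or Microsoft): a parser for a REGEDIT4 export like the fragment above that reports whether a CLSID under IE's ActiveX Compatibility key carries the kill bit (Compatibility Flags bit 0x400, the value the fragment sets). This is the check to run on a test machine before re-testing an application; the second CLSID in the constructed sample is a placeholder, not a real control.

```javascript
// Added example, not from the commenter or Microsoft.
// Reads a REGEDIT4 export of IE's "ActiveX Compatibility" keys and decodes each
// CLSID's Compatibility Flags so the kill bit (0x400) can be checked per control.

var KILL_BIT = 0x400; // the flag value set in the .reg fragment above
var COMPAT_KEY_PREFIX =
  "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\";

// Returns an object mapping each CLSID (lower-cased) found directly under the
// ActiveX Compatibility key to its numeric Compatibility Flags (0 if none given).
function parseCompatibilityFlags(regText) {
  var result = {};
  var currentClsid = null;
  var lines = regText.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].trim();
    var keyMatch = /^\[(.+)\]$/.exec(line);
    if (keyMatch) {
      var path = keyMatch[1];
      currentClsid = null; // any other key ends the current section
      if (path.toLowerCase().indexOf(COMPAT_KEY_PREFIX.toLowerCase()) === 0) {
        currentClsid = path.slice(COMPAT_KEY_PREFIX.length).toLowerCase();
        if (!(currentClsid in result)) result[currentClsid] = 0;
      }
      continue;
    }
    // REGEDIT4 stores DWORDs as dword:XXXXXXXX (hexadecimal).
    var valMatch = /^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$/.exec(line);
    if (valMatch && currentClsid !== null) {
      result[currentClsid] = parseInt(valMatch[1], 16);
    }
  }
  return result;
}

// True when the kill bit is set for the given CLSID (case-insensitive lookup).
function isKillBitted(flagsByClsid, clsid) {
  var flags = flagsByClsid[clsid.toLowerCase()] || 0;
  return (flags & KILL_BIT) !== 0;
}

// Constructed sample export: the fragment from the comment above, plus a
// placeholder CLSID (not a real control) whose flags do not include the kill bit.
var SAMPLE_REG = [
  "REGEDIT4",
  "",
  "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{88d969c5-f192-11d4-a65f-0040963251e5}]",
  "\"Compatibility Flags\"=dword:00000400",
  "",
  "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000000}]",
  "\"Compatibility Flags\"=dword:00000000",
  ""
].join("\r\n");

var sampleFlags = parseCompatibilityFlags(SAMPLE_REG);
console.log("kill bit set for {88d969c5-...}:", isKillBitted(sampleFlags, "{88d969c5-f192-11d4-a65f-0040963251e5}"));
```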

  4. a programmer says:

    This will cause a lot of problems for our applications….

  5. Brian says:

    Why then is Microsoft continuing to support MSXML 3?  Isn’t that even more insecure than MSXML 4?

  6. Aedrin says:

    "Why then is Microsoft continuing to support MSXML 3?  Isn’t that even more insecure than MSXML 4?"

    The way I read it, MSXML3 is a very basic set of XML tools that is used often as a base for other tools.

    "This will cause a lot of problems for our applications…."

    Sounds like you need a better software architect than 😉

  7. Richard Wilson says:

    As my namesake might say "I don’t believe it!"

    I can understand moving things forward, but why force everyone by releasing the killbit?

    Especially as v6 won’t run on 98!

    So… to be compatible with 98 we are going to have to detect the OS and load a different XML object.

    Oh joy!

  8. Aedrin says:

    "to be compatible with 98"

    What are you doing to support Windows 3.1?

  9. EricLaw [MSFT] says:

    @Richard Wilson: Is your application running inside Internet Explorer?  If not, does it check the killbit itself?  If not, then your application will not be affected.

  10. cas says:

    I hope you’ll block all MSXML installation requests from IE7, because many sites try to install a MSXML SPx for something, but this is not safe, because how can a user know if it is really needed and safe? All these ActiveX requests generate confusion for IE users.

    I hope that for the next IE8 you create a new way to handle ActiveX components, i.e. I’d like to have the possibility to choose which particular ActiveX controls I want to run, i.e. having a list and denying all others. For example, I want to disable ActiveX for all except the Flash ActiveX plug-in.

  11. AC says:

    @cas

    "I’d like to have the possibility to choose which particular ActiveX controls I want to run, i.e. having a list and denying all others. For example, I want to disable ActiveX for all except the Flash ActiveX plug-in."

    You mean like "Manage Add-ons"? Which has a list of ActiveX components you can "Enable" and "Disable" as you see fit?

    Otherwise, if you don’t want to run the component, don’t elect to install it when it asks you.

  12. MSXML4 is very insecure, I think we should be able to have a choice whether to disable or enable it

    Most MSXML4 is disabled in my IE7 now, but hopefully at a later date all goes well

  13. PatriotB says:

    "I can understand moving things forward, but why force everyone by releasing the killbit?

    Especially as v6 won’t run on 98!

    So… to be compatible with 98 we are going to have to detect the OS and load a different XML object."

    98 doesn’t get any more security updates, so it will never get this killbit.  Probably the best thing to do is try to instantiate V6, and if that fails instantiate V4.

  14. Ravindra says:

    I am struggling to understand "After the kill bit, web applications will not be able to create MSXML4 objects in the browser. Applications which are not kill-bit aware will continue to work with MSXML4. ".

    We have certain COM components that use MSXML parser. These COM components are used in both desktop and web application.

    Are we affected?

    By "in browser" do you mean the client side of web applications?

    How can I figure out that my application is kill-bit aware?

    Forgive me if I sound naive. I sound naive because … :-)

  15. Bit says:

    "How can I figure out that my application is kill-bit aware?"

    Set the kill bit in the registry as described in a previous comment on a test machine and then TEST your application.

  16. Mark says:

    Are there any add-ons for IE7, that will enable the user to right-click on a frame/iframe, and open the URL in a new window or tab?

    This is a huge disappointment in trying to debug/develop in IE.

  17. PatriotB says:

    Ravindra, the kill bits only take effect when MSXML is being instantiated via:

    1. obj = new ActiveXObject("[whatever the progid of MSXML4 is]");

    2. <object classid="clsid:[whatever the clsid of MSXML 4 is]">

    If you have your own COM object that creates MSXML4 directly (e.g. via CoCreateInstance), it shouldn’t be affected by the killbit, even when your object is used in IE.

  18. Having many problems with this version

  19. Ben says:

    Ok, I got Windows Vista that you said included MSXML6. Why did Windows Update in Vista install MSXML 4.0 SP2 Security Update (KB927978) and MSXML 4.0 SP2 Security Update (KB925672) if I already have MSXML 6, which is the latest version, in Windows Vista? Did Windows Update make a mistake in giving me these MSXML 4.0 SP2 updates? Should I remove them? Or is this needed for Windows Live OneCare? It’s kind of weird that it would offer me MSXML 4.0 SP2 if I have Vista with MSXML6 already.

  20. Still Waiting on a public notice says:

    Re: "So, any word on when the AU killing user set defaults for Web Browser and Email Client are going to be fixed?

    Was this a one time issue? or is this going to continue occurring?

    And yes, I can verify that it messed up my settings too.  Although this was the first time that it took over my default browser."

    Ok, it’s been at least a few days, if not a week already!  What’s the deal with this?  Is MS going to post something indicating that this disturbing and monopolistic behavior is going to stop?

    (((For those that think we’re all whining, relax, we’ve just seen how these "small" infractions of responsibility turn into a nightmare. (Psst, ever try and buy a PC without Windows?  Even if you install Linux, or BSD, you are still paying MS for software you don’t need or want.)))

    So can we please get a statement that this isn’t going to happen again?

    Getting Tired Of It.

  21. helixapp says:

    many applications use MSXML4…

  22. ron says:

    That will cause lots of problem.

  23. Aedrin says:

    "Is MS going to post something indicating that this disturbing and monopolistic behavior is going to stop?"

    I don’t know, but I want to know when this disturbing behaviour of calling Microsoft a monopoly will stop.

    Monopoly. Mono means single. Is Microsoft the only OS provider? Err, Linux, OSX, etc. Doesn’t sound like it is.

    Ever considered that the alternatives aren’t great either? Otherwise people would’ve switched already.

    "Psst, ever try and buy a PC without Windows?  Even if you install Linux, or BSD, you are still paying MS for software you don’t need or want"

    People can get their money back if they don’t want Windows. So you are wrong.

  24. EricLaw [MSFT] says:

    @Still Waiting: As previously noted, for Outlook, please see http://support.microsoft.com/?kbid=933450

    For IE, we are not aware of any such issue. IE should never become the default unless you manually configure it to be so.

  25. steve_web says:

    @Eric Law, re: the IE7 being set as default browser.

    There WERE SEVERAL VALIDATED accounts across the web where this was happening, many linked to on this very blog.

    Also as mentioned, the "Workaround" for the Outlook issue is NOT ACCEPTABLE in the long term, this needs fixing, and needs fixing BEFORE the next round of AU. (I believe I read a very simple fix (for MS) for this posted here also)

    As for the IE override, I can assure you, it most certainly did happen, I was one of the folks that got hit by this, and I was NOT amused.

  26. steve_web says:

    @Aedrin, "People can get their money back if they don’t want Windows"

    Wow, I must have missed this press release!

    So, if I go to Dell/BestBuy/?… buy a PC (which comes pre-loaded with OEM MS Windows), I can call Microsoft and say, "thanks, but no thanks", and I can get my money back?

    This is certainly news to me!

    …..

    As for the "monopoly", mono does equal one.  What was being complained about was how "one" software developer (Microsoft) was (intentionally or inadvertently) "choosing" their software over the other "competitive" software during an Automatic Update (which occurs in Windows).

    Now, AFAIK, the bug in the update, was unintentional… however the delay in fixing it (outlook updates), and the delay in apologizing for it/indicating the error was caught and fixed (IE updates) is what is making people wonder.

    In future, if every time an update comes out for MS Office, it wipes my email client out from being the installed default, then I’m going to be inclined to DECLINE the updates, because the hassle is too much.  Likewise, if this was the first time IE was going to reset defaults (of many), then I will be DECLINING those updates too, as will others, and thus the security of the platform (wherever else used in windows) will suffer from lack of security.

    We (the rest of the Windows Internet users), don’t really care how or why it happened, but it has gone on too long, and now appears to be escalating, thus we want it fixed, and fixed soon.

    steve

  27. onu says:

    Seems like (almost) everyone complaining about this change is not familiar enough with MSXML.  Please read the MSXML Team’s blog entry which the IE Team has already linked to, and summarized, in their post:

    http://blogs.msdn.com/xmlteam/archive/2006/10/23/using-the-right-version-of-msxml-in-internet-explorer.aspx

    Moral of the story: Do your homework on proprietary libraries before you base an application/website on them.

  28. AC says:

    "So, If I go to Dell/BestBuy/?… buy a PC, (which comes pre-loaded with OEM MS Windows), I can call Microsoft and say, "thanks, but no thanks", and I can get my money back?

    This is certainly news to me!"

    Yes, you can. I have done it myself. I find it curious that you can rail against this blog, but are unable to pick up a phone and find this out by attempting it.

  29. steve_web says:

    @AC, I don’t think I was "rail"ing against this blog, but I was not aware that one could ask for a refund on OEM installed Windows.  I’m very surprised this is possible… I’d be a few thousand richer by now, had I known this earlier.

    As for the "rail", I presume you are referring to my statements about AU?  As odd as it may seem, this is the one channel with MS that I have seen the most feedback from, thus sometimes the "squeaky wheel" is the only way to be heard.

    It was this blog, that got all the feedback on IE7+, to the point that MS backed out of incorrectly naming the Vista version of IE7.. and since IE is a part of windows, part of Outlook, etc. Communication between the IE team, and the rest of Microsoft would suggest that if the AU team, is doing something, that needs fixing, and the only voice being heard is from the team that "builds that engine", then they will be heard.. which is a lot more than can be said for the newsgroups… that don’t seem to be read by developers at MS.

  30. xtysonialan says:

    let it be configured immediately

  31. let it be configured immediately

  32. Aedrin says:

    "As for the "monopoly", mono does equal one.  What was being complained about was how "one" software developer (Microsoft) was (intentionally or inadvertently) "choosing" their software over the other "competitive" software during an Automatic Update (which occurs in Windows)"

    Wow, a company wants you to use their products. The shame in it all.

    Might I remind everyone that this is not World War 3, this is a changing of defaults. You know, as in something that takes a few seconds to fix. Nothing is broken.

    I understand it was not intentional by them, so it’s even less of an issue (in my opinion).

    No one forces you to download the update. No one forces you to use Windows.

    Seeing a pattern?

  33. ash says:

    @steve_web

    "WERE SEVERAL VALIDATED "

    Please don’t yell, it’s rude.

    "I’d be a few thousand richer by now"

    That is just too dumb for words.

    "As odd as it may seem, this is the one channel with MS that I have seen the most feedback from"

    Yeah – and with all the negative commentary here, you’d feel right at home.

    "It was this blog, that got all the feedback on IE7+, to the point that MS backed out of incorrectly naming the Vista version of IE7.. and since IE is a "

    Grow up man, this is such a minor issue it’s laughable.  The versions do behave differently on both platforms, so IE+ was one way to distinguish this.  If it helped people move to a more secure Vista, then I was all for it.

    "and the delay in apologizing for it/indicating the error was caught and fixed (IE updates) is what is making people wonder"

    What people?  All one of you?  You have your head firmly buried in the sand if you think MS devs would intentionally uninstall a competitor’s software.  

  34. Fduch says:

    THE SKY IS PINK

    EVERYTHING IS SO BEAUTIFUL

    MS IS LIKE A LAMB

    I SO MUCH AGREE WITH YOU PALADINS OF LIGHT ( AEDRIN AND ASH )

    I LAUGH AT EVERYTHING

    BUGS ARE NOT BUGS SO I LAUGH

    BUT I’D BE TIRED AFTER LAUGHING 1800 TIMES

  35. Matt says:

    How do I know if I need MSXML4 any more? I have MSXML 6. MSXML 4.0 SP2 Security Update (KB927978) and MSXML 4.0 SP2 Security Update (KB925672) are both on my PC and I have no clue if I need them now. I am going to uninstall them to check.

  36. hAl says:

    @steve_web

    The issue with Firefox not being detected as the default browser was actually caused by an update by Firefox and not by an update of IE.

    See:

    http://www.zoliblog.com/blog/_archives/2007/3/26/2836828.html