MSXML – 5 steps to stay protected

Today Microsoft provided nine bulletin updates, as described in July’s Security Bulletin Summary. This post is going to focus on the first of the issues described in the above summary – Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution.

Step 1 – Be informed

MS12-043 describes the security update that resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

This security update is rated Critical for Microsoft XML Core Services 3.0, 4.0, and 6.0 on all supported editions of Windows; it is also rated Critical for Microsoft XML Core Services 5.0 for all supported editions of Microsoft Office 2003 and 2007. Office 2010 is not affected.

For more detailed information about the vulnerability, the affected software and the mitigations and workarounds available, please refer to the security bulletin (

Step 2 – Install the Update

As stated in our previous MSXML post, we are already aware of targeted attacks exploiting this vulnerability in Windows via Internet Explorer. We recommend installing the update as soon as possible in order to address this issue for Microsoft XML Core Services 3.0, 4.0, and 6.0.

If you have previously installed the Microsoft Fix it solution 50897, we recommend uninstalling it only after the update has been applied. To uninstall, please run Microsoft Fix it solution 50898.

Step 3 – Install the Fix it for MSXML 5

The security updates for Microsoft XML Core Services 5.0 are unavailable at this time. Microsoft will release the updates when testing is complete, in order to ensure a high degree of quality. In the meantime, customers running Microsoft Office 2003 or 2007 are encouraged to apply the automated Microsoft Fix it solution that blocks the attack vector for this vulnerability:

Apply Uninstall

The attacks Microsoft has seen do not target XML Core Services 5.0. In the default configurations of Internet Explorer 7, 8 and 9, an attack against XML Core Services 5.0 would require the user to manually enable the control by clicking the Allow button on the Internet Explorer gold bar:

Step 4 – Use EMET

We are recommending EMET as a potential mitigation for possible attacks attempting to exploit this vulnerability. The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from successfully being exploited by applying the latest mitigations to applications configured in EMET.

MS12-043 fully protects customers from attempts to exploit the issue in MSXML versions 3.0, 4.0 and 6.0; EMET provides an excellent mitigation against attempts to reach the vulnerability in MSXML 5.0.
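
To see which of the steps above apply to a given machine, the following added example (not part of the original post) lists the MSXML DLLs present on the host with their file versions and the matching guidance from this post. The directory locations (System32/SysWOW64, and the Office `Microsoft Shared\OFFICE11` folder for msxml5.dll) and the function name `Get-MsxmlInventory` are assumptions; adjust them for non-default installs.

```powershell
# Added example: inventory MSXML DLLs and map each version to the guidance in this post.
# Assumption: DLLs live in their default install locations (listed below).

# System directories that can hold msxml3/4/6 (SysWOW64 exists only on 64-bit Windows).
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ }

# Office shared directories that can hold msxml5.dll (assumed default: ...\Microsoft Shared\OFFICE11).
$officeDirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'Microsoft Shared\OFFICE11' }

$updateAction = 'Covered by MS12-043: install the update'
$fixItAction  = 'No update yet: apply the MSXML 5 Fix it; consider EMET'

$targets = @(
    @{ Name = 'MSXML 3.0'; File = 'msxml3.dll'; Dirs = $systemDirs; Action = $updateAction }
    @{ Name = 'MSXML 4.0'; File = 'msxml4.dll'; Dirs = $systemDirs; Action = $updateAction }
    @{ Name = 'MSXML 6.0'; File = 'msxml6.dll'; Dirs = $systemDirs; Action = $updateAction }
    @{ Name = 'MSXML 5.0'; File = 'msxml5.dll'; Dirs = $officeDirs; Action = $fixItAction }
)

function Get-MsxmlInventory {
    foreach ($t in $targets) {
        foreach ($dir in $t.Dirs) {
            $path = Join-Path $dir $t.File
            if (Test-Path -LiteralPath $path) {
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Component   = $t.Name
                    Path        = $path
                    FileVersion = $item.VersionInfo.FileVersion
                    Guidance    = $t.Action
                }
            }
        }
    }
}

Get-MsxmlInventory | Format-Table -AutoSize
```

Compare the reported file versions against the file information in the security bulletin to confirm the update has actually been applied.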

Step 5 – Browse safe

Last but not least, following good browsing practices can help you stay safer online:

 – Cristian Craioveanu, MSRC Engineering