Virtual PC 2007 (SP1) silently installs vulnerable MSXML6

Subject: Virtual PC 2007 (SP1) silently installs vulnerable MSXML6
Posted by:  Stefan Kanthak (postmast…@[127.0.0.1])
Date: Fri, 16 May 2008

Hi @ll,

one more chapter in the book "How Microsoft lives Trustworthy
Computing". NOT!

Yesterday the "Virtual PC 2007 Service Pack 1" was published on the
Microsoft Download Center.
The SETUP.EXE (32 bit) available for download there contains but an
outdated and vulnerable MSXML6 (msxml6-KB927977-enu-x86.exe to be
precise; notice the ENU, even in the GERMAN SETUP.EXE).

This MSXML6 gets installed (in case no newer MSXML6 is already
present on the target system) WITHOUT ANY notice even before the
first MSI dialog of VPC is displayed, i.e. the user's system is
altered even if s/he chooses to abort the installation (or the
installation aborts itself, as is the case on Windows 2000).

Where has the QA department been sleeping lately?

Stefan

PS: "Virtual PC 2007" has the same error too.
