MSXML4 to be Disabled in Late 2007
Jeremy Dallman here with some important information from the MSXML team to the IE development community. The XML Team’s Blog has recently announced that they will be issuing a kill-bit for MSXML4 at the end of 2007 (October-December timeframe). Please read through the below post copied from the XML Team’s Blog and start validating your applications against MSXML6.
They have provided an email address to field your questions or concerns. Please don’t hesitate to contact them with your feedback.
Jeremy Dallman
Program Manager
[from the MSXML Blog]
As a part of our MSXML4 End of Life plan, we are going to kill bit MSXML4 in the October – December timeframe of this year. This kill bit applies to Internet Explorer only. After the kill bit, web applications will not be able to create MSXML4 objects in the browser. Applications which are not kill-bit aware will continue to work with MSXML4.
We are announcing this in advance so that our customers get sufficient time to try their applications with MSXML6 and give us feedback on their experience. Please email us at msxml4@microsoft.com with feedback/questions/concerns.
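An added example, not part of the original post: the kill bit is stored per control CLSID as the 0x400 bit of the "Compatibility Flags" value under Internet Explorer's ActiveX Compatibility registry key, so a .reg export can be checked to confirm which controls IE will refuse to create. The sample export is constructed; its first CLSID is the one quoted in the comments on this post, and the second is a placeholder.

```javascript
// Added example (not code from the MSXML or IE teams). Parses REGEDIT4-style
// export text and reports, per CLSID, whether the IE kill bit is set.
const KILL_BIT = 0x00000400; // bit in "Compatibility Flags" that blocks creation in IE

function parseKillBits(regText) {
  const results = {};
  let clsid = null;
  for (const raw of regText.split(/\r?\n/)) {
    const line = raw.trim();
    // Section header of the form [...\ActiveX Compatibility\{CLSID}]
    const key = line.match(/^\[.+\\ActiveX Compatibility\\(\{[0-9a-f-]{36}\})\]$/i);
    if (key) {
      clsid = key[1].toLowerCase();
      results[clsid] = { flags: 0, killed: false }; // key present, no flags seen yet
      continue;
    }
    if (line.startsWith("[")) { clsid = null; continue; } // unrelated registry key
    const val = line.match(/^"Compatibility Flags"=dword:([0-9a-f]{8})$/i);
    if (clsid && val) {
      const flags = parseInt(val[1], 16);
      results[clsid] = { flags: flags, killed: (flags & KILL_BIT) !== 0 };
    }
  }
  return results;
}

// Constructed sample export. The second CLSID is a made-up placeholder whose
// flags value does not include the kill bit.
const BASE = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\";
const SAMPLE_REG = [
  "REGEDIT4",
  "",
  "[" + BASE + "{88d969c5-f192-11d4-a65f-0040963251e5}]",
  "\"Compatibility Flags\"=dword:00000400",
  "",
  "[" + BASE + "{00000000-0000-0000-0000-000000000001}]",
  "\"Compatibility Flags\"=dword:00000020",
].join("\r\n");

console.log(parseKillBits(SAMPLE_REG));
```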
Why:
We are going to kill-bit MSXML4 to ensure a secure browsing experience for our customers. We are planning to also remove MSXML4 from the Download Center page within the next 12 months. Support for MSXML4 going forward will be restricted to high impact security issues only.
MSXML6 is the latest version available to MSXML customers today. This is where all the functionality, performance and security improvements are going in. In addition MSXML6 provides improved W3C compliance and increased compatibility with System.XML in .Net. The recommendation for MSXML customers is to program using MSXML6 and upgrade apps using older versions to MSXML6.
We strongly encourage everyone to start using MSXML6 SP1. MSXML6 SP1 is now available for all supported down-level platforms and can be downloaded from https://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en
MSXML Supported Versions:
We addressed this in a blog entry https://blogs.msdn.com/xmlteam/archive/2006/10/23/using-the-right-version-of-msxml-in-internet-explorer.aspx
The summary is:
MSXML6 - Should be your first choice. This is the MSXML version that will be carried forward. MSXML6 shipped with Vista and we are working on getting this in downlevel OS Service Packs.
MSXML3 – This has the advantage of having shipped with every supported OS. We are committed to keeping MSXML3 robust and stable but won’t be adding any functional improvements.
MSXML4 - This is in maintenance mode with a very high bar for fixes approaching End of Life.
MSXML 5 – Exclusively meant for Office. Do not take any dependencies on it.
MSXML4 & 6 Differences and Compatibility:
Key changes introduced between MSXML4 and MSXML6 and migration are described in the blog entry at https://blogs.msdn.com/xmlteam/archive/2007/03/12/upgrading-to-msxml-6-0.aspx
Summary:
We believe this is the best plan for MSXML customers going forward – avoids confusion regarding multiple versions, ensures a safe browsing experience when using MSXML and provides a path to use future functional improvements. If you run into issues with the migration or have questions/feedback feel free to contact us at msxml4@microsoft.com. All of the MSXML team is on this alias eager to hear your feedback and assist with the migration.
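Following the version summary above, one way a page can prefer MSXML6 and fall back to MSXML3 once MSXML4 can no longer be created in the browser (added example, not code from the MSXML team). The `factory` parameter and the `fakeFactory` stand-in are hypothetical, so the logic also runs outside IE, and the code is kept to the older JavaScript syntax that IE of this era accepts.

```javascript
// Added example. Preference order follows the summary: 6.0 first, then 3.0,
// which ships with every supported OS. 4.0 is deliberately not requested.
var PROGIDS = ["Msxml2.DOMDocument.6.0", "Msxml2.DOMDocument.3.0"];

// `factory` is a hypothetical injection point for testing; in IE it defaults
// to creating the object through ActiveXObject.
function createXmlDocument(factory) {
  var make = factory || function (progId) { return new ActiveXObject(progId); };
  var failures = [];
  for (var i = 0; i < PROGIDS.length; i++) {
    var progId = PROGIDS[i];
    var doc;
    try {
      doc = make(progId);
    } catch (e) {
      // Creation fails when the version is not installed or is kill-bitted.
      failures.push(progId + ": " + e.message);
      continue;
    }
    if (progId === "Msxml2.DOMDocument.3.0") {
      // MSXML3 defaults differ from MSXML6: external resources are resolved
      // and selection uses XSLPattern. Align both with the MSXML6 behaviour.
      doc.resolveExternals = false;
      doc.setProperty("SelectionLanguage", "XPath");
    }
    return { progId: progId, doc: doc };
  }
  throw new Error("No usable MSXML version. " + failures.join("; "));
}

// Constructed stand-in for a machine where 6.0 cannot be created.
function fakeFactory(progId) {
  if (progId === "Msxml2.DOMDocument.6.0") {
    throw new Error("Automation server can't create object");
  }
  return {
    resolveExternals: true,
    props: {},
    setProperty: function (name, value) { this.props[name] = value; }
  };
}

console.log(createXmlDocument(fakeFactory).progId);
```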
Comments
Anonymous
March 21, 2007
Is there a way to disable MS XML 4 already now?
Anonymous
March 21, 2007
Hi Jorrit, setting the killbit manually should work:
---8<---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
--->8---
See also http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx and there under "Vulnerability Details -> Workarounds for Microsoft XML Core Services Vulnerability"
HTH, Freudi
Anonymous
March 22, 2007
This will cause a lot of problems for our applications....
Anonymous
March 22, 2007
Why then is Microsoft continuing to support MSXML 3? Isn't that even more unsecure than MSXML 4?
Anonymous
March 22, 2007
"Why then is Microsoft continuing to support MSXML 3? Isn't that even more unsecure than MSXML 4?" The way I read it, MSXML3 is a very basic set of XML tools that is used often as a base for other tools. "This will cause a lot of problems for our applications...." Sounds like you need a better software architect then ;)
Anonymous
March 22, 2007
As my namesake might say "I don't believe it!" I can understand moving things forward, but why force everyone by releasing the killbit? Especially as v6 won't run on 98! So... to be compatible with 98 we are going to have to detect the OS and load a different XML object. Oh joy!
Anonymous
March 22, 2007
"to be compatible with 98" What are you doing to support Windows 3.1?
Anonymous
March 22, 2007
MSXML4 is very unsecure, I think we should be able to have a choice whether or not to disable and enable it. Most IE7 MSXML4 are disabled in my IE7 now but hopefully in a later date all goes well
Anonymous
March 22, 2007
"I can understand moving things forward, but why force everyone by releasing the killbit? Especially as v6 won't run on 98! So... to be compatible with 98 we are going to have to detect the OS and load a different XML object." 98 doesn't get any more security updates, so it will never get this killbit. Probably the best thing to do is try to instantiate V6, and if that fails instantiate V4.
Anonymous
March 23, 2007
Are there any add-ons for IE7, that will enable the user to right-click on a frame/iframe, and open the URL in a new window or tab? This is a huge disappointment in trying to debug/develop in IE.
Anonymous
March 25, 2007
having many problems with this version
Anonymous
March 25, 2007
Ok I got Windows Vista that you said included MSXML6. Why did Windows Update in Vista install MSXML 4.0 SP2 Security Update (KB927978) and MSXML 4.0 SP2 Security Update (KB925672) if I already have MSXML 6, which is the latest version in Windows Vista? Did Windows Update make a mistake in giving me these MSXML 4.0 SP2 updates? Should I remove this? Or is this needed for Windows Live OneCare? It's kind of weird that it would offer me a MSXML 4.0 SP2 if I have Vista with MSXML6 already.
Anonymous
March 25, 2007
Re: "So, any word on when the AU killing user set defaults for Web Browser and Email Client are going to be fixed? Was this a one time issue? or is this going to continue occurring? And yes, I can verify that it messed up my settings too. Although this was the first time that it took over my default browser." Ok, it's been at least a few days, if not a week already! What's the deal with this? Is MS going to post something indicating that this disturbing and monopolistic behavior is going to stop? (((For those that think we're all whining, relax, we've just seen how these "small" infractions of responsibility turn into a nightmare. (Psst, ever try and buy a PC without Windows? Even if you install Linux, or BSD, you are still paying MS for software you don't need or want.))) So can we please get a statement that this isn't going to happen again? -- Getting Tired Of It.
Anonymous
March 25, 2007
many applications use MSXML4...
Anonymous
March 26, 2007
That will cause lots of problems.
Anonymous
March 26, 2007
"Is MS going to post something indicating that this disturbing and monopolistic behavior is going to stop?" I don't know, but I want to know when this disturbing behaviour of calling Microsoft a monopoly will stop. Monopoly. Mono means single. Is Microsoft the only OS provider? Err, Linux, OSX, etc. Doesn't sound like it is. Ever considered that the alternatives aren't great either? Otherwise people would've switched already. "Psst, ever try and buy a PC without Windows? Even if you install Linux, or BSD, you are still paying MS for software you don't need or want" People can get their money back if they don't want Windows. So you are wrong.
Anonymous
March 26, 2007
@Still Waiting: As previously noted, for Outlook, please see http://support.microsoft.com/?kbid=933450 For IE, we are not aware of any such issue. IE should never become the default unless you manually configure it to be so.
Anonymous
March 27, 2007
@Eric Law, re: the IE7 being set as default browser. There WERE SEVERAL VALIDATED accounts across the web where this was happening, many linked to on this very blog. Also as mentioned, the "Workaround" for the Outlook issue is NOT ACCEPTABLE in the long term, this needs fixing, and needs fixing BEFORE the next round of AU. (I believe I read a very simple fix (for MS) for this posted here also) As for the IE override, I can assure you, it most certainly did happen, I was one of the folks that got hit by this, and I was NOT amused.
Anonymous
March 27, 2007
@Aedrin, "People can get their money back if they don't want Windows" Wow, I must have missed this press release! So, If I go to Dell/BestBuy/?... buy a PC, (which comes pre-loaded with OEM MS Windows), I can call Microsoft and say, "thanks, but no thanks", and I can get my money back? This is certainly news to me! ..... As for the "monopoly", mono does equal one. What was being complained about, was how "one" software developer (Microsoft), was (intentionally/or inadvertently) "choosing" their software, over the other "competitive" software during an Automatic Update (which occurs in Windows) Now, AFAIK, the bug in the update, was unintentional... however the delay in fixing it (outlook updates), and the delay in apologizing for it/indicating the error was caught and fixed (IE updates) is what is making people wonder. In future, if every time an update comes out for MS Office, it wipes my email client out from being the installed default, then I'm going to be inclined to DECLINE the updates, because the hassle is too much. Likewise, if this was the first time IE was going to reset defaults (of many), then I will be DECLINING those updates too, as will others, and thus the security of the platform (wherever else used in windows) will suffer from lack of security. We (the rest of the Windows Internet users), don't really care how or why it happened, but it has gone on too long, and now appears to be escalating, thus we want it fixed, and fixed soon. steve
Anonymous
March 27, 2007
Seems like (almost) everyone complaining about this change is not familiar enough with MSXML. Please read the MSXML Team's blog entry which the IE Team has already linked to, and summarized, in their post: http://blogs.msdn.com/xmlteam/archive/2006/10/23/using-the-right-version-of-msxml-in-internet-explorer.aspx Moral of the story: Do your homework on proprietary libraries before you base an application/website on them.
Anonymous
March 27, 2007
"So, If I go to Dell/BestBuy/?... buy a PC, (which comes pre-loaded with OEM MS Windows), I can call Microsoft and say, "thanks, but no thanks", and I can get my money back? This is certainly news to me!" Yes, you can. I have done it myself. I find it curious that you can rail against this blog, but are unable to pick up a phone and find this out by attempting it.
Anonymous
March 27, 2007
10,000+ users affected by browser default switch: http://www.zoliblog.com/blog/_archives/2007/3/18/2816581.html http://reddit.com/info/1ap2h/comments
Anonymous
March 27, 2007
let it be configure immediately
Anonymous
March 28, 2007
"As for the "monopoly", mono does equal one. What was being complained about, was how "one" software developer (Microsoft), was (intentionally/or inadvertently) "choosing" their software, over the other "competitive" software during an Automatic Update (which occurs in Windows)" Wow, a company wants you to use their products. The shame in it all. Might I remind everyone that this is not World War 3, this is a changing of defaults. You know, as in something that takes a few seconds to fix. Nothing is broken. I understand it was not intentional by them, so it's even less of an issue (in my opinion). No one forces you to download the update. No one forces you to use Windows. Seeing a pattern?
Anonymous
March 31, 2007
THE SKY IS PINK EVERYTHING IS SO BEAUTIFUL MS IS LIKE A LAMB I SO MUCH AGREE WITH YOU PALADINS OF LIGHT ( AEDRIN AND ASH ) I LAUGH AT EVERYTHING BUGS ARE NOT BUGS SO I LAUGH BUT I'S BE TRED AFTER LAUGHING 1800 TIMES
Anonymous
April 01, 2007
How do I know if I need MSXML4 any more? I have MSXML 6. MSXML 4.0 SP2 Security Update (KB927978) and MSXML 4.0 SP2 Security Update (KB925672) are both on my PC and I have no clue if I need them now. I am going to uninstall them to check.
Anonymous
April 02, 2007
@steve_web The issue with Firefox not being detected as the default browser was actually caused by an update by Firefox and not by an update of IE. See: http://www.zoliblog.com/blog/_archives/2007/3/26/2836828.html