Re: how to get which msxml version used by IE

To: NULL
Date: 1/13/2007 10:03:00 AM

> It is very bad if you really think so. MSXML3 _with all up-to-date
> vulnerability fixes_ is rather secure. MSXML3 as it is on older IE6
> distribution packages is a big security risk.
> Without knowing exactly how a particular MSXML3 was installed and what
> updates were made you cannot just blindly state that "MSXML3 is more
> secure than X".

As to your point "MSXML3 as it is on older IE6 distribution packages is a big security risk"... When talking about this stuff, please understand that I mean *the latest* available versions of MSXML3 - MSXML3sp7gdr, MSXML3sp8, and MSXML3sp9 (3sp8 and 3sp9 are Windows Server 2003 SP2, and Vista releases, respectively) -- MSXML3sp7gdr was distributed to all downlevel Windows machines in the last several months, please see MS06-061 and MS06-071 for information on these recent MSXML updates.

If your machine is not actively patched using Windows Update, then your MSXML3 story may be different. This is the end user's and admin's responsibility, however.

MSXML3sp5 was the last version of MSXML3 shipped ubiquitously on Windows XPSP2. MSXML3sp7 was shipped on Windows 2003 Sp1. Both these releases are more secure than MSXML4sp2.

>> You should never use MSXML5. Period.
>> You should avoid MSXML4. Period.
>
> If one has a choice to use either MSXML4 or MSXML3 then choose MSXML4.
> Period.
> Also with several MSXML libraries installed MSXML3 may get unavailable
> after updating MSXML4, so the choice will be eliminated by itself.

This is wrong advice.

Personally I don't care what your field experience led you to believe up until this week, the MSXML4 product is nearing its End Of Life and my team is aggressively pursuing a plan to phase it completely out of use in a very short time frame. Recommending someone use MSXML4 over MSXML3 is irresponsible and uninformed.

> 2) We don't know what ProgID to use w/o fail. 6? 4? 3?
> On IE situation gets even more complicated because both JScript and
> MSXML are not build into browser but they are rather independent DLLs.

XmlHttpRequest is now natively supported by IE, actually.

> All that makes possible situations when say IE 6.0 SP1 on Windows 2000
> is running JScript 5.1 instead of 5.6 with just-installed MSXML4
> security update that made unavailable the default MSXML3. That is not a
> mind game: that is just one of practical situations - and not even out
> of the most complicated ones - in my support history.

That's interesting.

> As we do agree that MSXML6 is up-to-date the best choice, we'll try
> first this library. If no luck then we will try consecutively all other
> libraries from top to bottom. Jumping from MSXML6 right onto MSXML3 is
> not an option: as it was explained earlier it can be Windows 98
> SE/Windows 2000 platform with MSXML4 update so MSXML3 unavailable. Thus
> by going from 6 right to 3 you are cutting off without any reason some
> part of potential users.

You have to realize that while your current line of argument may be true, it is not relevant. The OS and security and Web landscape has moved along quite a bit since the bad old days of Windows 9x, and anyone running these OSs on the Internet has much much larger problems than their version of MSXML.

But, just briefly, let's address your points:

Win95 and Win98 are long out of support now. Windows NT 4 is as well, except for large shop CSAs that get special support from my group and others.

Talking about these platforms in the context of security and development is like talking about ...well, VAX or Lisa, or something inane.

The first relevant platform we could legitimately address in the MSXML context is Windows 2000 sp4, which is the only version of Windows 2000 still in support.

If you are REALLY doing web development for Win9x, then I suggest you update your scripts and if you are getting hit by an OS version that's older than NT5, do your client and yourself a favor and serve them some static content.

> P.S. Here is it, Your Majesty. Our trip to the real world is finished,
> I'm leaving you in front of the gates of Versailles :-)

Thanks, that was a nice tour! Where's the cake??
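
The selection order this reply argues for (MSXML6, then MSXML3, never MSXML4 or MSXML5, static content otherwise), as an added example that is not part of the original post. Trying native XMLHttpRequest first is an assumption of this example (the reply only notes that IE now supports it); the `env` wrapper and `fakeActiveX` stand-in are hypothetical so the logic runs outside IE, and the ProgID strings are the standard version-dependent MSXML ones, which the thread does not spell out.

```javascript
// Version-dependent ProgIDs for MSXML 6 and MSXML 3 only. The 4.0 and 5.0
// ProgIDs are deliberately absent, so a machine that has only MSXML4
// registered falls through to the static-content path.
const XMLHTTP_PROGIDS = ["Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];

// env is a hypothetical wrapper around the browser globals:
//   env.XMLHttpRequest - native constructor, if the browser has one
//   env.ActiveXObject  - COM factory; throws when a ProgID is not registered
// Returns { source, object }, or null when nothing acceptable is available.
function createXmlHttp(env) {
  if (typeof env.XMLHttpRequest === "function") {
    return { source: "native", object: new env.XMLHttpRequest() };
  }
  if (typeof env.ActiveXObject === "function") {
    for (const progId of XMLHTTP_PROGIDS) {
      try {
        return { source: progId, object: new env.ActiveXObject(progId) };
      } catch (e) {
        // ProgID not registered on this machine; try the next one.
      }
    }
  }
  return null; // caller serves static content instead
}

// Constructed stand-in for ActiveXObject: only the listed ProgIDs "exist".
function fakeActiveX(installed) {
  return function (progId) {
    if (!installed.includes(progId)) {
      throw new Error("Automation server can't create object");
    }
    this.progId = progId;
  };
}

// Constructed scenario from the thread: MSXML4 is the only library left.
const onlyMsxml4 = { ActiveXObject: fakeActiveX(["Msxml2.XMLHTTP.4.0"]) };
console.log(createXmlHttp(onlyMsxml4) === null ? "static content" : "xmlhttp");
```

Logging the returned `source` on the server side shows how many clients still land on MSXML3 or on the static path.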