MS14-005: Vulnerability in Microsoft XML Core Services could allow information disclosure: February 11, 2014

Applies to: Windows RT 8.1, Windows 8.1, Windows 8.1 Enterprise

Important This article contains information that describes how to lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, you should take any appropriate additional steps to help protect the computer.


Microsoft has released security bulletin MS14-005. To learn more about this security bulletin:

How to obtain help and support for this security update

Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information

More information about this security update

After you apply this security update, you may find that some webpages no longer render correctly in Internet Explorer. This behavior may occur if access is denied to the webpages because of cross-domain and zone policy settings. The MSXML-XMLHTTP component is used to determine the policy for cross-domain access across zones. For example, a trusted site can access data from a site in the Intranet zone, although the reverse is always denied. For more information, see About Native XMLHTTP. If you trust such webpages and want to view them, you can configure Internet Explorer to let you view the webpages. To do this, follow these steps:

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

  1. In Internet Explorer, open Internet Options.
  2. Click the Security tab, and then click Internet.
  3. Click Custom level, and then, under Access data sources across domains in the Miscellaneous section, click to select Enable.
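
The setting changed in step 3 is stored per zone in the registry, so it can be audited to find computers where this workaround is in effect. The following read-only script is an added example, not part of the original article. The registry paths, the URL action value name 1406, and the zone and setting numbers are the standard Internet Explorer zone settings and do not come from this page; the `Get-CrossDomainDataSetting` function name and the `Risky` flag are hypothetical names chosen for this example.

```powershell
# Added example: audit URL action 1406 ("Access data sources across domains")
# for every security zone. Read-only; it changes no settings.
$Action    = '1406'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }
$Settings  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy hives are listed first because they override the preference hives.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-CrossDomainDataSetting {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $path = Join-Path $root $zone
            $prop = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # value not set in this hive/zone
            $value = [int]$prop.$Action
            [pscustomobject]@{
                Hive    = $root.Substring(0, 4)
                Policy  = $root -like '*\Policies\*'
                Zone    = $ZoneNames[$zone]
                Setting = if ($Settings.ContainsKey($value)) { $Settings[$value] }
                          else { "Unknown ($value)" }
                # Assumption of this example: "Enable" in the Internet zone (the
                # state the workaround creates) or in Restricted sites is flagged.
                Risky   = ($zone -ge 3 -and $value -eq 0)
            }
        }
    }
}

$report = @(Get-CrossDomainDataSetting)
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Risky }) {
    Write-Warning 'Access data sources across domains is set to Enable for an untrusted zone.'
}
```

Run it in the context of the user being checked, because the HKCU results are per user.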


The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.