KB832894 is now live at Windows Update
I recommend everyone visit Windows Update and install this patch. Here is the security bulletin containing technical information about the patch. I will summarize it for you.
This patch fixes a cross-domain vulnerability that could allow script execution in the Local Machine zone (LMZ); this is the Back button JScript vulnerability. This patch fixes the DHTML drag-drop file download vulnerability (save arbitrary code to your machine, but not execute it). This patch fixes a URL parsing bug that could be exploited to show a URL in the address bar that is different from where you actually are.
And one last important change:
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
For more information about this change, please see Microsoft Knowledge Base article 834489.
Comments
- Anonymous
February 02, 2004
Phil: according to the KB article (which I read last week), this change does NOT affect FTP. Only HTTP and HTTPS.
As someone pointed out somewhere else (sorry it's vague, I read a lot of sites - I think it was Daniel Turini in CodeProject's Lounge) HTTP URLs have never officially supported this syntax anyway; I think it was originally a Mosaic extension. - Anonymous
February 02, 2004
Phil-- I have been told this fix does indeed fix the scrolling bug. I have not personally verified this, however, because I never experienced that bug.
Mike-- You are correct. This should only affect HTTP and HTTPS. - Anonymous
February 02, 2004
Major critical IE update available from Windows Update. Go to Windows Update now - you need this even if you primarily use another browser. - Anonymous
February 03, 2004
oy. Seems this update also kills all your stored http passwords, at least under win2k... - Anonymous
February 03, 2004
Since I installed that patch on a Windows NT server, my server cannot access the Internet anymore. Did anybody experience that? - Anonymous
February 03, 2004
too early with my comments, there is a way to disable it again :)
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 - Anonymous
February 04, 2004
Running Win 2000. Downloaded the KB832894 patch. When rebooted won't install. Now I get Disk Boot Failure, Insert System Disk & Press Enter. Will only boot with CD. Did this happen to anybody else? I tried everything I know to fix it without success. Any solutions greatly needed. - Anonymous
February 04, 2004
Can anyone confirm whether this fixes the scrolling bug for them? - Anonymous
February 04, 2004
This is an annoying update. The username:password url syntax is a really important feature for Internet Explorer.
It is a massive mistake if MS don't reinstate this feature. - Anonymous
February 04, 2004
Odd behavior started on my web application yesterday, and I'm wondering if this could be related. All these users are using IE6. I can't replicate the error in IE5.5 or Mozilla, so I'm thinking it must be browser-dependent.
Clients using IE were submitting forms to the server via POST, but the server was receiving a POST with no contents at all. The error messages I get have a correct referrer (the form page they submitted), a correct content-type (application/x-www-form-urlencoded), a correct request-type (POST) - but no POST values are actually being received by the server.
Could this new patch be to blame, if my users have set up IE to automatically download patches/updates?
thanks. - Anonymous
February 04, 2004
Alex: Can you provide a link to the page that is reproducing the problem and other information about your server environment? Feel free to e-mail me if you would rather not have that info be public. - Anonymous
February 04, 2004
All: Please see http://weblogs.asp.net/michael_Howard/archive/2004/02/04/67622.aspx for a more in-depth explanation of our decision to remove the http://username:password@url syntax from IE. - Anonymous
February 04, 2004
After installing the Update both my CDRW and DVDRW drives disappeared? Bizarre. - Anonymous
February 04, 2004
After this patch installed, any link I click on that opens in a new window comes up with a blank page. I have to manually type the address in to go to that link. This happens in IE6 and MSN8. - Anonymous
February 04, 2004
This patch has hosed our https log ons. We are not able to log on but once I uninstalled this update we were good to go. Any ideas what might be causing this?
ace - Anonymous
February 07, 2004
This patch killed access to all my Quattro spreadsheet files. It was hidden from the uninstall program so I used the restore function to bypass it. - Anonymous
February 11, 2004
After installing patch Q832894 we have several computers here that experience problems opening certain webpages.... blank pages appear, Object Expected errors on pages. The Knowledgebase from Microsoft has dropdown menus that are empty. - Anonymous
February 14, 2004
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/13/7213.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/13/7210.aspx - Anonymous
February 16, 2004
For those of you having problems with POST data after installing this patch, there is a fix at the MS Download Center. Here is the link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en - Anonymous
March 10, 2004
Please note that to remove the patch you need to look for Internet Explorer 832894, which is in a different location than all the other hotfixes. - Anonymous
March 23, 2004
I too am now missing POST data. At first I thought this may have been an issue with a missing compact policy (p3p) but when I reinstalled IE 6 (6.0.2800.1106) without the latest patch, Q832894, it worked fine. The moment I installed this patch, POST data would not be received unless you manually refresh the page. It will not work if you instruct the HTML to do a meta refresh. The client must initiate it. So what am I supposed to tell my clients? That due to this new "feature" on Microsoft's end, that you will not be able to purchase anything from this shopping cart unless you remove the Q832894 patch? So now we must play the role of technical support, to deal with a problem generated by Microsoft.
No problem in Mozilla/Netscape/Opera. Unfortunately, IE is the choice of the majority. - Anonymous
March 23, 2004
Just as an addendum to my previous post, this seems to be a problem over a HTTPS (SSL) connection more so than standard HTTP, but who is going to use a shopping cart that has not been secured? - Anonymous
March 23, 2004
Travis: This was an unfortunate bug in that security update. It only happens under "specific server conditions." I did not work on the resolution, so I do not know the details.
There is a fix posted for this, as well as some other technical information at http://www.microsoft.com/downloads/details.aspx?FamilyId=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en. - Anonymous
July 15, 2004
I've downloaded this patch from msn but each time I check updates and scan my pc, the same patch comes up again listed as critical update - Anonymous
July 25, 2004
I'm having the same problem as listed above - after I install the patch and then reboot, the patch no longer appears to be installed. Any help on resolving this issue would be appreciated.