KB832894 is now live at Windows Update


I recommend everyone visit Windows Update and install this patch. Here is the security bulletin containing technical information about the patch. I will summarize it for you.


This patch fixes three issues. The first is a cross-domain vulnerability that could allow script execution in the Local Machine Zone (LMZ); this is the Back button JScript vulnerability. The second is the DHTML drag-and-drop file download vulnerability, which could save arbitrary code to your machine (but not execute it). The third is a URL parsing bug that could be exploited to show a URL in the address bar that is different from where you actually are.


And one last important change:


This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:


http(s)://username:password@server/resource.ext


For more information about this change, please see Microsoft Knowledge Base article 834489.

Comments (31)

  1. Phil Scott says:

    Hey Jeff, I’m not sure if you can answer this or not. My webhost will kick me out for trying to ftp without specifying a username in the url ala the @ sign. This patch is going to force me to use WS_FTP or something, won’t it?

    And on a semi-related note, what about the two page at a time scroll bug. It is DRIVING ME CRAZY.

  2. Mike Dimmick says:

    Phil: according to the KB article (which I read last week), this change does NOT affect FTP. Only HTTP and HTTPS.

    As someone pointed out somewhere else (sorry it’s vague, I read a lot of sites – I think it was Daniel Turini in CodeProject’s Lounge) HTTP URLs have never officially supported this syntax anyway; I think it was originally a Mosaic extension.

  3. jeffdav says:

    Phil– I have been told this fix does indeed fix the scrolling bug. I have not personally verified this, however, because I never experienced that bug.

    Mike– You are correct. This should only affect HTTP and HTTPS.

  4. Major critical IE update available from Windows Update. Go to Windows Update now – you need this even if you primarily use another browser.

  5. xymon says:

    oy. Seems this update also kills all your stored http passwords, at least under win2k…

  6. Marc says:

    Since I installed that patch on a Windows NT server, my server can not access Internet anymore. Did anybody experience that ?

  7. BSJ says:

    How do I uninstall this patch again from XP?

    This ‘solution’ just plain sucks!

    I am dependent on very many usernames/passwords and delete cookies etc. a lot, and I do not want to enter like 25 passwords every day over and over again

  8. BSJ says:

    too early with my comments, there is a way to disable it again 🙂

    http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

  9. JWG says:

    Running Win 2000. Downloaded the KB832894 patch. When rebooted won’t install. Now I get Disk Boot Failure, Insert System Disk & Press Enter. Will only boot with CD. Did this happen to anybody else? I tried everything I know to fix it without success. Any solutions greatly needed.

  10. MWD says:

    Can anyone confirm whether this fixes the scrolling bug for them?

  11. Julian says:

    This is an annoying update. The username:password url syntax is a really important feature for Internet Explorer.

    It is a massive mistake if MS don’t reinstate this feature.

  12. Alex Dean says:

    Odd behavior started on my web application yesterday, and I’m wondering if this could be related. All these users are using IE6. I can’t replicate the error in IE5.5 or Mozilla, so I’m thinking it must be browser-dependent.

    Clients using IE were submitting forms to the server via POST, but the server was receiving a POST with no contents at all. The error messages I get have a correct referrer (the form page they submitted), a correct content-type (application/x-www-form-urlencoded), a correct request-type (POST) – but no POST values are actually being received by the server.

    Could this new patch be to blame, if my users have set up IE to automatically download patches/updates?

    thanks.

  13. jeffdav says:

    Alex: Can you provide a link to the page that is reproducing the problem and other information about your server environment? Feel free to e-mail me if you would rather not have that info be public.

  14. jeffdav says:

    All: Please see http://weblogs.asp.net/michael_Howard/archive/2004/02/04/67622.aspx for a more in-depth explanation of our decision to remove the http://username:password@url syntax from IE.

  15. Brian says:

    After installing the Update both my CDRW and DVDRW drives disappeared? Bizarre.

  16. firpo says:

    After this patch installed, any link I click on that opens in a new window comes up with a blank page. I have to manually type the address in to go to that link. This happens in IE6 and MSN8.

  17. ace says:

    This patch has hosed our https log ons. We are not able to log on but once i uninstalled this update we were good to go. Any ideas what might be causing this?

    ace

  18. nonafish says:

    This patch killed access to all my Quattro spreadsheet files. It was hidden from the uninstall program so I used the restore function to bypass it.

  19. Darqvenco says:

    After installing patch Q832894 we have several computers here that experience problems opening certain webpages…. blank pages appear, Object Expected errors on pages. The Knowledgebase from Microsoft has dropdown menus that are empty.

  20. jeffdav says:

    For those of you having problems with POST data after installing this patch, there is a fix at the MS Download Center. Here is the link:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en

  21. Chad says:

    Please note that to remove the patch you need to look for Internet Explorer 832894, which is in a different location than all the other hotfixes.

  22. Travis says:

    I too am now missing POST data. At first I thought this may have been an issue with a missing compact policy (p3p) but when I reinstalled IE 6 (6.0.2800.1106) without the latest patch, Q832894, it worked fine. The moment I installed this patch, POST data would not be received unless you manually refresh the page. It will not work if you instruct the HTML to do a meta refresh. The client must initiate it. So what am I supposed to tell my clients? That due to this new "feature" on Microsoft’s end, you will not be able to purchase anything from this shopping cart unless you remove the Q832894 patch? So now we must play the role of technical support, to deal with a problem generated by Microsoft.

    No problem in Mozilla/Netscape/Opera. Unfortunately, IE is the choice of the majority.

  23. Travis says:

    Just as an addendum to my previous post, this seems to be a problem over a HTTPS (SSL) connection moreso than standard HTTP, but who is going to use a shopping cart that has not been secured?

  24. jeffdav says:

    Travis: This was an unfortunate bug in that security update. It only happens under "specific server conditions." I did not work on the resolution, so I do not know the details.

    There is a fix posted for this, as well as some other technical information at http://www.microsoft.com/downloads/details.aspx?FamilyId=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en.

  25. Adam says:

    After installing this patch any sites opened using the "Open in New Window" feature do not do anything. No additional windows are opened. This also occurs on webpages that have links that execute new windows. And I noticed it is happening in Outlook Express when you click a link and it attempts to open it in an external window.

  26. Rajeev R says:

    Hi,

    I tried to update windows using the Windows Update, but the security Update for IE6 Service Pack 1 (KB832894) not getting installed.

    When I select this update it shows it is downloading the update and installing. After installation it shows that the update is installed successfully. But after restarting the PC and doing an update again, it shows that the same update (Security Update for IE6 Service Pack 1 (KB832894)) is not installed.

    I tried updating the same more than 7 times, but after restarting the PC and run the Windows Update again it shows the update is not installed. What I have to check/do to get this update installed?

    My IE’s about box shows the version as MS Internet Explorer 5, but a small label in the about box shows the version number as 6.0.2800.1106. It’s quite confusing. One label shows IE 5 and another label in the same screen shows 6.0.2800.1106. The Update version in the about box is displayed as ;SP1;Q837009.

    Can anyone help me to get this update installed?

  27. sr says:

    I’ve downloaded this patch from msn but each time I check updates and scan my pc, the same patch comes up again listed as a critical update

  28. Jeremy says:

    I’m having the same problem as listed above – after I install the patch and then reboot, the patch no longer appears to be installed. Any help on resolving this issue would be appreciated.