Microsoft has issued a patch that restores Internet
Explorer's ability to handle certain types of web URLs which had
been banned by an emergency browser security patch earlier this
month.
The patch restores the ability to handle a type of HTTP URL
containing user authentication information, such as a user name
and password. The patch was issued after web developers
reported problems because a critical security update, MS04-004,
disabled such URLs.
That patch was intended to plug a security hole that allowed
malicious hackers and online scam artists to mask the URL of a web
page by manipulating the way Explorer handles URLs containing user
credentials such as a user name and password.
The software update affects Microsoft XML Service Pack 2,
Service Pack 3 and Service Pack 4 and is available through a link
in Microsoft Knowledge Base Article 832414. (See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;832414.)
Websites that use XMLHTTP calls along with URLs containing user
authentication information in the format
"username:password@host.com" will still be blocked by Explorer,
even after the latest patch has been applied, Microsoft said.
However, requests that use the XMLHTTP object and proper syntax
for breaking out user name and password information from the HTTP
URL will now work with browsers that have the patch applied.
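
As an added illustration (not code from Microsoft or from the original article), the sketch below splits a URL of the blocked "username:password@host.com" form into a clean URL plus a separate user name and password, then passes them as the user and password arguments of the XMLHTTP open() call. The helper names, the stub request object and the sample URL are assumptions constructed for this example.

```javascript
// Added example: move credentials out of the URL and into the
// user/password arguments of open(method, url, async, user, password).
// splitCredentialUrl, openWithCredentials and makeStubXhr are
// hypothetical helper names, not part of any Microsoft API.

function splitCredentialUrl(raw) {
  const u = new URL(raw); // throws TypeError on a malformed URL
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("only http(s) URLs are handled: " + u.protocol);
  }
  const hadUserinfo = u.username !== "" || u.password !== "";
  // The URL parser keeps userinfo percent-encoded; decode it so the
  // values can be handed over as plain arguments.
  const user = hadUserinfo ? decodeURIComponent(u.username) : null;
  const password = hadUserinfo ? decodeURIComponent(u.password) : null;
  // Strip the credentials so they no longer travel inside the URL.
  u.username = "";
  u.password = "";
  // `host` is the server that is actually contacted: the part after "@".
  return { url: u.href, host: u.host, user, password, hadUserinfo };
}

function openWithCredentials(xhr, method, raw) {
  const parts = splitCredentialUrl(raw);
  if (parts.hadUserinfo) {
    xhr.open(method, parts.url, true, parts.user, parts.password);
  } else {
    xhr.open(method, parts.url, true);
  }
  return parts;
}

// Stand-in for an XMLHTTP object that only records open() calls,
// so the example runs without a browser or network.
function makeStubXhr() {
  const calls = [];
  return { calls, open(...args) { calls.push(args); } };
}

// Constructed sample input (host.com is the placeholder used in the text).
const SAMPLE = "http://alice:s3cr%40t@host.com/data.xml?id=7";
const stub = makeStubXhr();
const result = openWithCredentials(stub, "GET", SAMPLE);
console.log(result.host, stub.calls[0]);
```
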
Paul Roberts writes for IDG News Service