Microsoft fixes broken Explorer URL handling

Microsoft has issued a patch that restores Internet Explorer's ability to handle certain types of web URLs which had been banned by an emergency browser security patch earlier this month.

The patch restores the ability to handle a type of HTTP URL containing user authentication information, such as a user name and password. It was issued after web developers reported problems because a critical security update, MS04-004, disabled such URLs.

That earlier update was intended to plug a security hole that allowed malicious hackers and online scam artists to mask the URL of a web page by manipulating the way Explorer handles URLs containing user credentials such as a user name and password.

The software update affects Microsoft XML Service Pack 2, Service Pack 3 and Service Pack 4 and is available through a link in Microsoft Knowledge Base Article 832414. (See: http://support.microsoft.com/default.aspx?scid=kb;en-us;832414.)

Websites that use XMLHTTP calls along with URLs containing user authentication information in the format "username:password@host.com" will still be blocked by Explorer, even after the latest patch has been applied, Microsoft said.

However, requests that use the XMLHTTP object and proper syntax for breaking out user name and password information from the HTTP URL will now work with browsers that have the patch applied.

Paul Roberts writes for IDG News Service
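
As an added illustration (not code from the article or from Microsoft), the JavaScript below separates the "username:password@" part from an HTTP URL, reports the host that is actually contacted, and builds the arguments for an XMLHTTP `open` call with the credentials as separate parameters, which is assumed here to be the "proper syntax" the article refers to. The helper names and sample URLs are constructed for the example.

```javascript
// Added example (not from the article). splitUserinfo and xmlHttpOpenArgs are
// hypothetical helper names; all URLs below are constructed samples.

// Decode a percent-encoded userinfo component; keep the raw text if malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Separate credentials from an http(s) URL and report the host that will
// actually be contacted, which is whatever follows the "@" in the authority.
function splitUserinfo(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new TypeError('only http and https URLs are handled');
  }
  const result = {
    hadUserinfo: u.username !== '' || u.password !== '',
    user: safeDecode(u.username),
    password: safeDecode(u.password),
    host: u.hostname,
  };
  u.username = '';
  u.password = '';
  result.url = u.href; // same URL with the "user:password@" part removed
  return result;
}

// Build the argument list for XMLHTTP open(method, url, async, user, password),
// passing credentials as separate parameters rather than inside the URL.
function xmlHttpOpenArgs(method, rawUrl) {
  const p = splitUserinfo(rawUrl);
  return p.hadUserinfo
    ? [method, p.url, true, p.user, p.password]
    : [method, p.url, true];
}

// Constructed samples: the second one shows why the userinfo form can mislead,
// since the text before "@" looks like a host name but is only a user name.
const samples = [
  'http://alice:s3cret@host.example/feed.xml',
  'http://www.bank.example@other.example/login',
  'https://host.example/plain',
];
for (const s of samples) {
  const p = splitUserinfo(s);
  console.log(p.hadUserinfo ? 'userinfo' : 'clean   ', '-> real host', p.host, '| url', p.url);
}
```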