Freigeben über


KB832894 is now live at Windows Update

I recommend everyone visit Windows Update and install this patch. Here is the security bulletin containing technical information about the patch. I will summarize it for you.

This patch fixes a cross domain vulnerability that could allow LMZ script execution (this is the Back button JScript vulnerability). This patch fixes the DHTML drag-drop file download vulnerability (save arbitrary code to your machine, but not execute it). This patch fixes an url parsing bug that could be exploited to show an url in the address bar that is different from where you actually are.

And one last important change:

This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.

Comments

  • Anonymous
    February 02, 2004
    The comment has been removed
  • Anonymous
    February 02, 2004
    Phil: according to the KB article (which I read last week), this change does NOT affect FTP. Only HTTP and HTTPS.

    As someone pointed out somewhere else (sorry it's vague, I read a lot of sites - I think it was Daniel Turini in CodeProject's Lounge) HTTP URLs have never officially supported this syntax anyway; I think it was originally a Mosaic extension.
  • Anonymous
    February 02, 2004
    Phil-- I have been told this fix does indeed fix the scrolling bug. I have not personally verified this, however, because I never experianced that bug.

    Mike-- You are correct. This should only effect HTTP and HTTPS.
  • Anonymous
    February 02, 2004
    Major critical IE update available from Windows Update. Go to Windows Update now - you need this even if you primarily use another browser.
  • Anonymous
    February 03, 2004
    oy. Seems this update also kills all your stored http passwords, at least under win2k...
  • Anonymous
    February 03, 2004
    Since I installed that patch on a Windows NT server, my server can not access Internet anymore. Did anybody experience that ?
  • Anonymous
    February 03, 2004
    The comment has been removed
  • Anonymous
    February 03, 2004
    too early with my comments, there is a way to disable it again :)

    http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
  • Anonymous
    February 04, 2004
    Running Win 2000. Downloaded the KB832894 patch. When rebooted won't install. Now I get Disk Boot Failure, Insert System Disk & Press Enter. Will only boot with CD. Did this happen to anybody else? I tried everything I know to fix it without success. Any solutions greatly needed.
  • Anonymous
    February 04, 2004
    Can anyone confirm whether this fixes the scrolling bug for them?
  • Anonymous
    February 04, 2004
    This is an annoying update. The username:password url syntax is a really important feature for Internet Explorer.

    It is a massive mistake if MS don't reinstate this feature.
  • Anonymous
    February 04, 2004
    Odd behvior started on my web application yesterday, and I'm wondering if this could be related. All these users are using IE6. I can't replicate the error in IE5.5 or Mozilla, so I'm thinking it must be browser-dependent.

    Clients using IE were submitting forms to the server via POST, but the server was receiving a POST with no contents at all. The error messages I get have a correct referrer (the form page they submitted), a correct content-type (application/x-www-form-urlencoded), a correct request-type (POST) - but no POST values are actually being received by the server.

    Could this new patch be to blame, if my users have set up IE to automatically download patches/updates?

    thanks.
  • Anonymous
    February 04, 2004
    Alex: Can you provide a link to the page that is reproducing the problem and other information about your server environment? Feel free to e-mail me if you would rather not have that info be public.
  • Anonymous
    February 04, 2004
    All: Please see http://weblogs.asp.net/michael_Howard/archive/2004/02/04/67622.aspx for a more in-depth explination of our decision to remove the http://username:password@url syntax from IE.
  • Anonymous
    February 04, 2004
    After installing the Update both my CDRW and DVDRW drives disappeared? Bizzare.
  • Anonymous
    February 04, 2004
    After this patch installed, any link I click on that opens in a new window comes up with a blank page. I have to manually type the address in to go to that link. This happens in IE6 and MSN8.
  • Anonymous
    February 04, 2004
    This patch has hosed our https log ons. We are not able to log on but once i uninstalled this update we were good to go. Any ideas what might be causing this?

    ace
  • Anonymous
    February 07, 2004
    This patch killed access to all my Quattro spreadsheet files. It was hidden from the uninstall program so I used the restore function to bypass it.
  • Anonymous
    February 11, 2004
    After installing patch Q832894 we have several computer here that experience problems opening certain webpages.... blank pages appear, Object Expected errors on pages. The Knowledgebase from Microsoft have dropdown menu's that are empty.
  • Anonymous
    February 14, 2004
    http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/13/7213.aspx
    http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/13/7210.aspx
  • Anonymous
    February 16, 2004
    For those of you having problems with POST data after installing this patch, there is a fix at the MS Download Center. Here is the link:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en

  • Anonymous
    March 10, 2004
    Please note that to remove the patch you need to look for Internet Explorer 832894, which is in a different location that all the other hotfixes.
  • Anonymous
    March 23, 2004
    I too am now missing POST data. At first I thought this may have been an issue with a missing compact policy (p3p) but when I reinstalled IE 6 (6.0.2800.1106) without the latest patch, Q832894, it worked fine. The moment I installed this patch, POST data would not be received unless you manually refresh the page. It will not work if you instruct the HTML to do a meta refresh. The client must initiate it. So what am I supposed to tell my clients? That due to this new "feature" on Microsoft's end, that you will not be able to purchase anything from this shopping cart unless you remove the Q832894 patch? So now we must play the roll of technical support, to deal with a problem generated by Microsoft.

    No problem in Mozilla/Netscape/Opera. Unfortunately, IE is the choice of the majority.
  • Anonymous
    March 23, 2004
    Just as an addendum to my previous post, this seems to be a problem over a HTTPS (SSL) connection moreso than standard HTTP, but who is going to use a shopping cart that has not been secured?
  • Anonymous
    March 23, 2004
    Travis: This was an unfortuante bug in that security update. It only happens under "specific server conditions." I did not work on the resolution, so I do not know the details.

    There is a fix posted for this, as well as some other technical information at http://www.microsoft.com/downloads/details.aspx?FamilyId=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en.

  • Anonymous
    June 04, 2004
    The comment has been removed
  • Anonymous
    July 11, 2004
    The comment has been removed
  • Anonymous
    July 15, 2004
    I've downloaded this patch from msn but each time i check updates and scan my pc, the same patch comes up again listed as critical update
  • Anonymous
    July 25, 2004
    I'm having the same problem as listed above - after I install the patch and then reboot, the patch no longer appears to be installed. Any help on resolving this issue would be appreciated.
  • Anonymous
    May 29, 2009
    PingBack from http://paidsurveyshub.info/story.php?title=jeff-s-weblog-kb832894-is-now-live-at-windows-update