Microsoft Knowledge Base Article
The contents of this article are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 887606 - Last Review: July 8, 2005 - Revision: 1.1
FIX: The Microsoft XML Parser (MSXML) uses cached credentials incorrectly
SUMMARY
This article describes the following about this hotfix release:
- The issues that are fixed by this hotfix package.
- The prerequisites for installing the hotfix package.
- Whether you must restart your computer after you install the hotfix package.
- Whether the hotfix package is replaced by any other hotfix package.
- Whether you must make any registry changes.
- The files that are contained in the hotfix package.
SYMPTOMS
After you apply the fixes that are in Microsoft Security
Bulletin MS04-004 and Microsoft Knowledge Base article 832414, the Microsoft
XML Parser (MSXML) user credentials may be cached. Then, MSXML may use user
sessions incorrectly within a single Microsoft Internet Explorer process. For
example, a user may successfully connect with the following function call:
xmlhttp.open("GET", "http://www.myserver.com/myfiles", false, "correctusername", "correctpassword")
Then, the user may notice that the following call also succeeds when it
is used subsequently in the same process:
xmlhttp.open("GET", "http://www.myserver.com/myfiles", false, "incorrectusername", "incorrectpassword")
The second call should fail because the credentials are incorrect.
However, the call succeeds because of changes in the default behavior of
Internet Explorer after you apply the MS04-004 security
update.
CAUSE
This behavior occurs because XMLHTTP incorrectly leaks
connection credentials across user sessions.
RESOLUTION
Hotfix information
To resolve this behavior, update your version of MSXML. To do this, visit one of the following Microsoft Web sites.
Note If you have MSXML 3.0 installed, you must install a service pack.
MSXML 2.6 package for Microsoft Windows 2000, Windows XP, and Windows Server 2003
English version:
Arabic version:
Chinese (China) version:
Chinese (Taiwan) version:
Czech version:
Danish version:
Dutch version:
Finnish version:
French version:
German version:
Greek version:
Hebrew version:
Hungarian version:
Italian version:
Japanese version:
Korean version:
Norwegian version:
Polish version:
Portuguese (Brazil) version:
Portuguese (Portugal) version:
Russian version:
Spanish version:
Swedish version:
MSXML 2.6 Package for Windows 98 and Windows Millennium Edition
All language versions:
MSXML 3.0
If you are running MSXML 3.0, install the latest service pack. To
do this, visit the following Microsoft Web site:
MSXML 4.0 Service Pack 2 (SP2) Package for Windows 2000, Windows XP, and Windows Server 2003
English version:
Chinese (China) version:
Chinese (Taiwan) version:
French version:
German version:
Italian version:
Japanese version:
Korean version:
Spanish version:
MSXML 4.0 SP2 Package for Windows 98 and Windows Millennium Edition
All language versions:
Prerequisites
To apply this hotfix, you must have the following hotfixes or
service packs installed:
- Either MSXML 2.6 or MSXML 4.0 SP2.
  Note If you do not currently have MSXML 2.6 or MSXML 4.0 SP2 installed
  on your system, you do not have to apply this hotfix.
- MS04-038 - Cumulative Security Update for Internet Explorer.
  This hotfix relies on Internet Explorer updates that are made in the
  MS04-038 security update. If you apply this hotfix without applying Internet
  Explorer security update MS04-038, you may experience the behavior that is
  described in the following Knowledge Base article:
  832414 (http://kbalertz.com/Feedback.aspx?kbNumber=832414/) XMLHTTP call fails for URLs with embedded user credentials
For additional information about security update MS04-038, click the
following article number to view the article in the Microsoft Knowledge Base:
834707 (http://kbalertz.com/Feedback.aspx?kbNumber=834707/) MS04-038: Cumulative Security Update for Internet Explorer
Restart information
If MSXML 2.6, MSXML 3.0, or MSXML 4 is being used when you apply
this hotfix, you may have to restart your computer after you apply the hotfix
or upgrade to MSXML 3.0 Service Pack 5 (SP5).
Hotfix file information
This hotfix contains only those files that are required to correct
the issues that this article lists. This hotfix may not contain all the files
that you must have to fully update a product to the latest
build.
The English version of this hotfix has the file
attributes (or later file attributes) that are listed in the following table.
The dates and times for these files are listed in coordinated universal time
(UTC). When you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time Zone
tab in the Date and Time tool in Control Panel.
MSXML 2.6
Date         Time   Version      Size     File name
----------------------------------------------------
15-Oct-2004  01:35  8.30.9531.0  701,440  Msxml2.dll
MSXML 4.0
Date         Time   Version      Size       File name
------------------------------------------------------
03-Aug-2004  17:20  4.20.9828.0  1,234,432  Msxml4.dll
Note Because of file dependencies, the most recent hotfix that
contains these files may also contain additional files.
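One way to check a machine against the file versions in the tables above, as an added example that is not part of the Microsoft article. It assumes the DLLs are in %SystemRoot%\System32 or %SystemRoot%\SysWOW64, a location the article does not state; the function name Get-MsxmlHotfixState is made up for this example.

```powershell
# Added example: compare installed MSXML DLLs with the fixed versions from
# the article's file tables (those versions "or later" count as fixed).
# Assumption: the DLLs live in System32 (and SysWOW64 on 64-bit Windows).

$fixed = @{
    'Msxml2.dll' = [version]'8.30.9531.0'   # MSXML 2.6
    'Msxml4.dll' = [version]'4.20.9828.0'   # MSXML 4.0 SP2
}

function Get-MsxmlHotfixState {
    param(
        [string[]]$Directory = @("$env:SystemRoot\System32",
                                 "$env:SystemRoot\SysWOW64")
    )
    foreach ($dir in $Directory) {
        # SysWOW64 does not exist on 32-bit Windows; skip missing folders.
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        foreach ($name in $fixed.Keys) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) {
                # Per the prerequisites: if this MSXML version is not
                # installed, the hotfix does not have to be applied.
                [pscustomobject]@{ Path = $path; Installed = $null
                                   Required = $fixed[$name]; State = 'NotInstalled' }
                continue
            }
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Build the version from its numeric parts; the FileVersion
            # string may carry extra text that [version] cannot parse.
            $installed = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            $state = if ($installed -ge $fixed[$name]) { 'Fixed' } else { 'NeedsHotfix' }
            [pscustomobject]@{ Path = $path; Installed = $installed
                               Required = $fixed[$name]; State = $state }
        }
    }
}

Get-MsxmlHotfixState | Format-Table -AutoSize
```

MSXML 3.0 is not checked because the article gives no file version for it and only says to install the latest service pack.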
STATUS
Microsoft has confirmed that this is a bug in the Microsoft
products that are listed in the "Applies to"
section.
MORE INFORMATION
For additional information about the terminology that Microsoft uses when
correcting software after it is released, click the following article number
to view the article in the Microsoft Knowledge Base:
824684 (http://kbalertz.com/Feedback.aspx?kbNumber=824684/) Description of the standard terminology that is used to describe Microsoft software updates
APPLIES TO
- Microsoft XML Parser 2.6
- Microsoft XML Parser 3.0
- Microsoft XML Core Services 4.0
| kbbug kbfix kbsecurity atdownload KB887606 |