Monday 02 February 2004

MS04-004: Cumulative Security Update for Internet Explorer

Finally, a patch for the Internet Explorer URL Spoofing Vulnerability first reported back in December.

According to the Security Bulletin, this patch eliminates:

A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window.

The patch also includes:

A change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:


For more information about this change, please see Microsoft Knowledge Base article 834489.

Additionally, this update will disallow navigation to "" URLs for XMLHTTP.

I have only given the details regarding the URL Spoofing Vulnerability; for other vulnerabilities covered by this patch, you need to read: the MS04-004 Security Bulletin which also includes download instructions.

Related Reading