Friday 06 February 2004

Update on the Internet Explorer Patch (MS04-004)

Michael Howard points out that the new default behavior for handling user information in HTTP or HTTPS URLs can be disabled; this is covered in Microsoft's KB 834489.

Normally, I would post the necessary registry fix, but I am not sure it is a wise idea to disable the new default behaviour, though I also think that Microsoft's solution to the URL spoofing vulnerability was overkill in the first place.

Meanwhile, it appears that the MS04-004 fix also broke applications relying on MSXML, so Microsoft has issued a fix via KB 832414 to resolve this. There is, however, a separate fix for Microsoft XML 3.0 Service Pack 2, Microsoft XML 3.0 Service Pack 3 and Microsoft XML 3.0 Service Pack 4, and it would have helped if Microsoft had explained this in more detail.
