Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: The Microsoft XML Parser (MSXML) uses cached credentials incorrectly

FIX: The Microsoft XML Parser (MSXML) uses cached credentials incorrectly

Summary

This article describes the following about this hotfix release:
  • The issues that are fixed by this hotfix package.
  • The prerequisites for installing the hotfix package.
  • Whether you must restart your computer after you install the hotfix package.
  • Whether the hotfix package is replaced by any other hotfix package.
  • Whether you must make any registry changes.
  • The files that are contained in the hotfix package.
back to the top

↑ Back to the top

Symptoms

After you apply the fixes that are in Microsoft Security Bulletin MS04-004 and Microsoft Knowledge Base article 832414, the Microsoft XML Parser (MSXML) user credentials may be cached. Then, MSXML may use user sessions incorrectly within a single Microsoft Internet Explorer process. For example, a user may successfully connect with the following function call: 
xmlhttp.open("GET", "http://www.myserver.com/myfiles", false, "correctusername", "correctpassword")
Then, the user may notice that the following call also succeeds when it is used subsequently in the same process: 
xmlhttp.open("GET", "http://www.www.myserver.com.com/myfiles", false, "incorrectusername", "incorrectpassword")
The second call should fail because the credentials are incorrect. However, the call succeeds because of changes in the default behavior of Internet Explorer after you apply the MS04-004 security update.

back to the top

↑ Back to the top

Cause

This behavior occurs because XMLHTTP incorrectly leaks connection credentials across user sessions.

back to the top

↑ Back to the top

Resolution

Hotfix information

To resolve this behavior, update your version of MSXML. To do this, visit one of the following Microsoft Web sites.

Note If you have MSXML 3.0 installed, you must install a service pack.
MSXML 2.6 package for Microsoft Windows 2000, Windows XP, and Windows Server 2003
English version:
http://download.microsoft.com/download/8/9/C/89CB25E3-5AB0-4F9D-9CA0-093017BEDBDA/MSXML2SP6-KB887606-x86-ENU.exe
Arabic version:
http://download.microsoft.com/download/6/3/5/635D148C-9E23-4F14-AD46-15EC208A0E40/MSXML2SP6-KB887606-x86-ARA.exe
Chinese (China) version:
http://download.microsoft.com/download/C/4/F/C4F63767-9BF3-48A7-969F-0DD45221553C/MSXML2SP6-KB887606-x86-CHS.exe
Chinese (Taiwan) version:
http://download.microsoft.com/download/3/8/F/38F1B473-BDDA-4233-8E5B-21B315E26FA7/MSXML2SP6-KB887606-x86-CHT.exe
Czech version:
http://download.microsoft.com/download/9/C/B/9CB62E66-03BD-40A1-9CBF-543991C3A680/MSXML2SP6-KB887606-x86-CSY.exe
Danish version:
http://download.microsoft.com/download/9/6/B/96B998BC-D44F-488F-9B2B-2010128A5301/MSXML2SP6-KB887606-x86-DAN.exe
Dutch version:
http://download.microsoft.com/download/1/2/C/12C96043-25E3-4950-BA67-E73DB42ECA2B/MSXML2SP6-KB887606-x86-NLD.exe
Finnish version:
http://download.microsoft.com/download/D/B/8/DB8E1ED0-ECDA-4A9C-B32F-FA4953A33F11/MSXML2SP6-KB887606-x86-FIN.exe
French version:
http://download.microsoft.com/download/B/5/C/B5C093A5-1F2E-4E60-9529-5E201B197C66/MSXML2SP6-KB887606-x86-FRA.exe
German version:
http://download.microsoft.com/download/4/0/8/4087A7F1-4D72-4DE9-A58F-CF1959EABD3C/MSXML2SP6-KB887606-x86-DEU.exe
Greek version:
http://download.microsoft.com/download/2/3/4/234EEA3C-E0EE-42BF-B310-21B4C42B7FE2/MSXML2SP6-KB887606-x86-ELL.exe
Hebrew version:
http://download.microsoft.com/download/A/D/E/ADE6AF01-2441-4FAC-86C9-7926269BC362/MSXML2SP6-KB887606-x86-HEB.exe
Hungarian version:
http://download.microsoft.com/download/A/9/0/A9004A92-CA15-453E-84FF-BDC14348DFB7/MSXML2SP6-KB887606-x86-HUN.exe
Italian version:
http://download.microsoft.com/download/8/F/1/8F15E87E-7B48-43B9-9476-0AB738713AFD/MSXML2SP6-KB887606-x86-ITA.exe
Japanese version:
http://download.microsoft.com/download/2/6/D/26D27FDC-CE0B-4225-8D7E-94E93F59323F/MSXML2SP6-KB887606-x86-JPN.exe
Korean version:
http://download.microsoft.com/download/7/9/0/790DBCA2-4465-49CC-AD45-7DC4A6A2AEFF/MSXML2SP6-KB887606-x86-KOR.exe
Norwegian version:
http://download.microsoft.com/download/C/A/D/CADE64A7-4DE7-4264-80A9-E2F96FA81920/MSXML2SP6-KB887606-x86-NOR.exe
Polish version:
http://download.microsoft.com/download/3/2/6/326B3DDF-9023-41DC-8068-2CBF48E42E5F/MSXML2SP6-KB887606-x86-PLK.exe
Portuguese (Brazil) version:
http://download.microsoft.com/download/4/A/E/4AEE3932-4083-4024-ADF5-8FE452B4B8EE/MSXML2SP6-KB887606-x86-PTB.exe
Portuguese (Portugal version):
http://download.microsoft.com/download/9/3/0/9308EDA4-2D5B-44F1-BD61-83C41C9DBCCD/MSXML2SP6-KB887606-x86-PTG.exe
Russian version:
http://download.microsoft.com/download/4/B/1/4B1A579D-5DC4-4645-BD96-A7E2EA62E9F8/MSXML2SP6-KB887606-x86-RUS.exe
Spanish version:
http://download.microsoft.com/download/5/C/7/5C79EF95-67C7-4918-9100-B13412C63164/MSXML2SP6-KB887606-x86-ESN.exe
Swedish version:
http://download.microsoft.com/download/E/D/2/ED2F2A6E-1E0F-43CE-B7D5-8D49ACD9DF34/MSXML2SP6-KB887606-x86-SVE.exe
MSXML 2.6 Package for Windows 98 and Windows Millennium Edition
All language versions:
http://download.microsoft.com/download/0/5/B/05B742F9-96EE-414B-AC5B-7AE74B3E08AB/KB887606_MSXML2.6_x86.exe
MSXML 3.0
If you are running MSXML 3.0, install the latest service pack. To do this, visit the following Microsoft Web site:
http://www.microsoft.com/en-au/download/details.aspx?id=23412
MSXML 4.0 Service Pack 2 (SP2) Package for Windows 2000, Windows XP, and Windows Server 2003
English version:
http://download.microsoft.com/download/6/5/C/65C2875D-A3C8-4290-9594-C5777EE5D9A7/MSXML4SP2-KB887606-x86-ENU.exe
Chinese (China) version:
http://download.microsoft.com/download/D/0/E/D0E2E33B-B554-4459-8A8B-4F9563BD4991/MSXML4SP2-KB887606-x86-CHS.exe
Chinese (Taiwan) version:
http://download.microsoft.com/download/D/3/8/D38329B8-CF41-47C7-ADD5-DFC62FB04E2A/MSXML4SP2-KB887606-x86-CHT.exe
French version:
http://download.microsoft.com/download/2/9/F/29FE8F08-F9F4-4BC8-ADE7-2610B5D5449C/MSXML4SP2-KB887606-x86-FRA.exe
German version:
http://download.microsoft.com/download/9/6/F/96F79B59-2AF9-49AA-AEDE-5D8F2F7B5841/MSXML4SP2-KB887606-x86-DEU.exe
Italian version:
http://download.microsoft.com/download/6/7/E/67E4AE0D-16B1-4953-A56E-5CA604706BC5/MSXML4SP2-KB887606-x86-ITA.exe
Japanese version:
http://download.microsoft.com/download/D/5/8/D5868545-DF30-4AC3-BC01-C4F4EF84D59A/MSXML4SP2-KB887606-x86-JPN.exe
Korean version:
http://download.microsoft.com/download/3/F/C/3FCBCAA8-A4D8-439A-8571-897326652BB6/MSXML4SP2-KB887606-x86-KOR.exe
Spanish version:
http://download.microsoft.com/download/0/2/0/020FB1F3-2A02-4B91-9F73-37A637D8DCB1/MSXML4SP2-KB887606-x86-ESN.exe
MSXML 4.0 SP2 Package for Windows 98 and Windows Millennium Edition
All language versions:
http://download.microsoft.com/download/D/0/5/D05C322D-45CF-41AF-A024-63DB9800F357/KB887606_MSXML4.0_x86.exe
back to the top

Prerequisites

To apply this hotfix, you must have the following hotfixes or service packs installed:
  • Either MSXML 2.6 or MSXML 4.0 SP2.

    Note If you do not currently have MSXML 2.6 or MSXML 4.0 SP2 installed on your system, you do not have to apply this hotfix.
  • MS04-038 - Cumulative Security Update for Internet Explorer. This hotfix relies on Internet Explorer updates that are made in the MS04-038 security update. If you apply this hotfix without applying Internet Explorer security update MS04-038, you may experience the behavior that is described in the following Knowledge Base article:
    832414 XMLHTTP call fails for URLs with embedded user credentials

     For additional information about security update MS04-038, click the following article number to view the article in the Microsoft Knowledge Base:
    834707 MS04-038: Cumulative Security Update for Internet Explorer

back to the top

Restart information

If MSXML 2.6, MSXML 3.0, or MSXML 4 is being used when you apply this hotfix, you may have to restart your computer after you apply the hotfix or upgrade to MSXML 3.0 Service Pack 5 (SP5).

back to the top

Hotfix file information

This hotfix contains only those files that are required to correct the issues that this article lists. This hotfix may not contain all the files that you must have to fully update a product to the latest build.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
MSXML 2.6
   Date         Time   Version      Size     File name
   ----------------------------------------------------
   15-Oct-2004  01:35  8.30.9531.0  701,440  Msxml2.dll
MSXML 4.0
   Date         Time   Version      Size       File name
   ------------------------------------------------------
   03-Aug-2004  17:20  4.20.9828.0  1,234,432  Msxml4.dll
Note Because of file dependencies, the most recent hotfix that contains these files may also contain additional files.

↑ Back to the top

Status

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

back to the top

↑ Back to the top

More Information

For additional information about the terminology that Microsoft uses when correcting software after it is released, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbsecurity, atdownload, kbbug, kbfix, kb

↑ Back to the top

Article Info
Article ID : 887606
Revision : 6
Created on : 4/18/2018
Published on : 4/19/2018
Exists online : False
Views : 645