Microsoft KB Archive/887606

= FIX: The Microsoft XML Parser (MSXML) uses cached credentials incorrectly =

Article ID: 887606

Article Last Modified on 7/8/2005

-

APPLIES TO


 * Microsoft XML Parser 2.6
 * Microsoft XML Core Services 4.0
 * Microsoft XML Core Services 4.0

-





Article contents

 * Summary
 * Symptoms
 * Cause
 * Resolution
 * Hotfix information
 * Prerequisites
 * Restart information
 * Hotfix file information
 * Status
 * More Information



SUMMARY
This article describes the following about this hotfix release:
 * The issues that are fixed by this hotfix package.
 * The prerequisites for installing the hotfix package.
 * Whether you must restart your computer after you install the hotfix package.
 * Whether the hotfix package is replaced by any other hotfix package.
 * Whether you must make any registry changes.
 * The files that are contained in the hotfix package.

back to the top



SYMPTOMS
After you apply the fixes that are in Microsoft Security Bulletin MS04-004 and Microsoft Knowledge Base article 832414, the Microsoft XML Parser (MSXML) user credentials may be cached. Then, MSXML may use user sessions incorrectly within a single Microsoft Internet Explorer process. For example, a user may successfully connect with the following function call: xmlhttp.open(&quot;GET&quot;, &quot;http://www.myserver.com/myfiles&quot;, false, &quot;correctusername&quot;, &quot;correctpassword&quot;) Then, the user may notice that the following call also succeeds when it is used subsequently in the same process: xmlhttp.open(&quot;GET&quot;, &quot;http://www.www.myserver.com.com/myfiles&quot;, false, &quot;incorrectusername&quot;, &quot;incorrectpassword&quot;) The second call should fail because the credentials are incorrect. However, the call succeeds because of changes in the default behavior of Internet Explorer after you apply the MS04-004 security update.

back to the top



CAUSE
This behavior occurs because XMLHTTP incorrectly leaks connection credentials across user sessions.

back to the top



Hotfix information
To resolve this behavior, update your version of MSXML. To do this, visit one of the following Microsoft Web sites.

Note If you have MSXML 3.0 installed, you must install a service pack.

MSXML 2.6 package for Microsoft Windows 2000, Windows XP, and Windows Server 2003
English version:

http://download.microsoft.com/download/8/9/C/89CB25E3-5AB0-4F9D-9CA0-093017BEDBDA/MSXML2SP6-KB887606-x86-ENU.exe

Arabic version:

http://download.microsoft.com/download/6/3/5/635D148C-9E23-4F14-AD46-15EC208A0E40/MSXML2SP6-KB887606-x86-ARA.exe

Chinese (China) version:

http://download.microsoft.com/download/C/4/F/C4F63767-9BF3-48A7-969F-0DD45221553C/MSXML2SP6-KB887606-x86-CHS.exe

Chinese (Taiwan) version:

http://download.microsoft.com/download/3/8/F/38F1B473-BDDA-4233-8E5B-21B315E26FA7/MSXML2SP6-KB887606-x86-CHT.exe

Czech version:

http://download.microsoft.com/download/9/C/B/9CB62E66-03BD-40A1-9CBF-543991C3A680/MSXML2SP6-KB887606-x86-CSY.exe

Danish version:

http://download.microsoft.com/download/9/6/B/96B998BC-D44F-488F-9B2B-2010128A5301/MSXML2SP6-KB887606-x86-DAN.exe

Dutch version:

http://download.microsoft.com/download/1/2/C/12C96043-25E3-4950-BA67-E73DB42ECA2B/MSXML2SP6-KB887606-x86-NLD.exe

Finnish version:

http://download.microsoft.com/download/D/B/8/DB8E1ED0-ECDA-4A9C-B32F-FA4953A33F11/MSXML2SP6-KB887606-x86-FIN.exe

French version:

http://download.microsoft.com/download/B/5/C/B5C093A5-1F2E-4E60-9529-5E201B197C66/MSXML2SP6-KB887606-x86-FRA.exe

German version:

http://download.microsoft.com/download/4/0/8/4087A7F1-4D72-4DE9-A58F-CF1959EABD3C/MSXML2SP6-KB887606-x86-DEU.exe

Greek version:

http://download.microsoft.com/download/2/3/4/234EEA3C-E0EE-42BF-B310-21B4C42B7FE2/MSXML2SP6-KB887606-x86-ELL.exe

Hebrew version:

http://download.microsoft.com/download/A/D/E/ADE6AF01-2441-4FAC-86C9-7926269BC362/MSXML2SP6-KB887606-x86-HEB.exe

Hungarian version:

http://download.microsoft.com/download/A/9/0/A9004A92-CA15-453E-84FF-BDC14348DFB7/MSXML2SP6-KB887606-x86-HUN.exe

Italian version:

http://download.microsoft.com/download/8/F/1/8F15E87E-7B48-43B9-9476-0AB738713AFD/MSXML2SP6-KB887606-x86-ITA.exe

Japanese version:

http://download.microsoft.com/download/2/6/D/26D27FDC-CE0B-4225-8D7E-94E93F59323F/MSXML2SP6-KB887606-x86-JPN.exe

Korean version:

http://download.microsoft.com/download/7/9/0/790DBCA2-4465-49CC-AD45-7DC4A6A2AEFF/MSXML2SP6-KB887606-x86-KOR.exe

Norwegian version:

http://download.microsoft.com/download/C/A/D/CADE64A7-4DE7-4264-80A9-E2F96FA81920/MSXML2SP6-KB887606-x86-NOR.exe

Polish version:

http://download.microsoft.com/download/3/2/6/326B3DDF-9023-41DC-8068-2CBF48E42E5F/MSXML2SP6-KB887606-x86-PLK.exe

Portuguese (Brazil) version:

http://download.microsoft.com/download/4/A/E/4AEE3932-4083-4024-ADF5-8FE452B4B8EE/MSXML2SP6-KB887606-x86-PTB.exe

Portuguese (Portugal version):

http://download.microsoft.com/download/9/3/0/9308EDA4-2D5B-44F1-BD61-83C41C9DBCCD/MSXML2SP6-KB887606-x86-PTG.exe

Russian version:

http://download.microsoft.com/download/4/B/1/4B1A579D-5DC4-4645-BD96-A7E2EA62E9F8/MSXML2SP6-KB887606-x86-RUS.exe

Spanish version:

http://download.microsoft.com/download/5/C/7/5C79EF95-67C7-4918-9100-B13412C63164/MSXML2SP6-KB887606-x86-ESN.exe

Swedish version:

http://download.microsoft.com/download/E/D/2/ED2F2A6E-1E0F-43CE-B7D5-8D49ACD9DF34/MSXML2SP6-KB887606-x86-SVE.exe

MSXML 2.6 Package for Windows 98 and Windows Millennium Edition
All language versions:

http://download.microsoft.com/download/0/5/B/05B742F9-96EE-414B-AC5B-7AE74B3E08AB/KB887606_MSXML2.6_x86.exe

MSXML 3.0
If you are running MSXML 3.0, install the latest service pack. To do this, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4a3ad088-a893-4f0b-a932-5e024e74519f&DisplayLang=en

MSXML 4.0 Service Pack 2 (SP2) Package for Windows 2000, Windows XP, and Windows Server 2003
English version:

http://download.microsoft.com/download/6/5/C/65C2875D-A3C8-4290-9594-C5777EE5D9A7/MSXML4SP2-KB887606-x86-ENU.exe

Chinese (China) version:

http://download.microsoft.com/download/D/0/E/D0E2E33B-B554-4459-8A8B-4F9563BD4991/MSXML4SP2-KB887606-x86-CHS.exe

Chinese (Taiwan) version:

http://download.microsoft.com/download/D/3/8/D38329B8-CF41-47C7-ADD5-DFC62FB04E2A/MSXML4SP2-KB887606-x86-CHT.exe

French version:

http://download.microsoft.com/download/2/9/F/29FE8F08-F9F4-4BC8-ADE7-2610B5D5449C/MSXML4SP2-KB887606-x86-FRA.exe

German version:

http://download.microsoft.com/download/9/6/F/96F79B59-2AF9-49AA-AEDE-5D8F2F7B5841/MSXML4SP2-KB887606-x86-DEU.exe

Italian version:

http://download.microsoft.com/download/6/7/E/67E4AE0D-16B1-4953-A56E-5CA604706BC5/MSXML4SP2-KB887606-x86-ITA.exe

Japanese version:

http://download.microsoft.com/download/D/5/8/D5868545-DF30-4AC3-BC01-C4F4EF84D59A/MSXML4SP2-KB887606-x86-JPN.exe

Korean version:

http://download.microsoft.com/download/3/F/C/3FCBCAA8-A4D8-439A-8571-897326652BB6/MSXML4SP2-KB887606-x86-KOR.exe

Spanish version:

http://download.microsoft.com/download/0/2/0/020FB1F3-2A02-4B91-9F73-37A637D8DCB1/MSXML4SP2-KB887606-x86-ESN.exe

MSXML 4.0 SP2 Package for Windows 98 and Windows Millennium Edition
All language versions:

http://download.microsoft.com/download/D/0/5/D05C322D-45CF-41AF-A024-63DB9800F357/KB887606_MSXML4.0_x86.exe

back to the top

Prerequisites
To apply this hotfix, you must have the following hotfixes or service packs installed:  Either MSXML 2.6 or MSXML 4.0 SP2.

Note If you do not currently have MSXML 2.6 or MSXML 4.0 SP2 installed on your system, you do not have to apply this hotfix. MS04-038 - Cumulative Security Update for Internet Explorer. This hotfix relies on Internet Explorer updates that are made in the MS04-038 security update. If you apply this hotfix without applying Internet Explorer security update MS04-038, you may experience the behavior that is described in the following Knowledge Base article:

832414 XMLHTTP call fails for URLs with embedded user credentials

For additional information about security update MS04-038, click the following article number to view the article in the Microsoft Knowledge Base:

834707 MS04-038: Cumulative Security Update for Internet Explorer



back to the top

Restart information
If MSXML 2.6, MSXML 3.0, or MSXML 4 is being used when you apply this hotfix, you may have to restart your computer after you apply the hotfix or upgrade to MSXML 3.0 Service Pack 5 (SP5).

back to the top

Hotfix file information
This hotfix contains only those files that are required to correct the issues that this article lists. This hotfix may not contain all the files that you must have to fully update a product to the latest build.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

MSXML 2.6
  Date         Time   Version      Size     File name 15-Oct-2004 01:35  8.30.9531.0  701,440  Msxml2.dll

MSXML 4.0
  Date         Time   Version      Size       File name --  03-Aug-2004  17:20  4.20.9828.0  1,234,432  Msxml4.dll Note Because of file dependencies, the most recent hotfix that contains these files may also contain additional files.back to the top



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the &quot;Applies to&quot; section.

back to the top



MORE INFORMATION
For additional information about the terminology that Microsoft uses when correcting software after it is released, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbbug kbfix kbsecurity atdownload KB887606

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.