Microsoft Issues XML Fix to IE Patch

Microsoft Corp. this week released a follow-on update to its earlier patch for an Internet Explorer spoofing vulnerability. The patch of a patch applies to Web sites and applications that make use of XMLHTTP authentication.

Microsoft Corp. this week released a follow-on update to its earlier patch for an Internet Explorer spoofing vulnerability.

The new update, released in a series of service packs on Thursday, fixes Microsoft Extensible Markup Language (MSXML) functionality so that it can work properly with the changes made in the IE security bulletin that Microsoft released on Monday. That IE update patched a hole that could let an attacker disguise a malicious URL as a legitimate one in the Web browsers address bar.

/zimages/5/28571.gifThe IE security fix didnt completely fix the problems. Click here to read more from Security Topic Center Editor Larry Seltzer.

The new MSXML update specifically applies to Web sites and applications that make use of an XMLHTTP control for authentication in IE, said Mike Reavey, a Microsoft security program manager.

Mondays IE security update disallowed navigation to "username:password@host.com" URLs for XMLHTTP, but the new service packs provide new methods for authenticating.

Microsoft released the MSXML update, called a "Critical Update for Microsoft XML 3.0" in three different downloads: Service Pack 2, Service Pack 3 and Service Pack 4.

The update documentation said the MSXML updates support Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows NT, Windows Server 2003 and Windows XP.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at security.eweek.com for security news, views and analysis.