You are currently offline, waiting for your internet to reconnect

FIX: The Microsoft XML Parser (MSXML) uses cached credentials incorrectly

This article describes the following about this hotfix release:
  • The issues that are fixed by this hotfix package.
  • The prerequisites for installing the hotfix package.
  • Whether you must restart your computer after you install the hotfix package.
  • Whether the hotfix package is replaced by any other hotfix package.
  • Whether you must make any registry changes.
  • The files that are contained in the hotfix package.
back to the top
After you apply the fixes that are in Microsoft Security Bulletin MS04-004 and Microsoft Knowledge Base article 832414, the Microsoft XML Parser (MSXML) user credentials may be cached. Then, MSXML may use user sessions incorrectly within a single Microsoft Internet Explorer process. For example, a user may successfully connect with the following function call:"GET", "", false, "correctusername", "correctpassword")   
Then, the user may notice that the following call also succeeds when it is used subsequently in the same process:"GET", "", false, "incorrectusername", "incorrectpassword") 
The second call should fail because the credentials are incorrect. However, the call succeeds because of changes in the default behavior of Internet Explorer after you apply the MS04-004 security update.

back to the top
This behavior occurs because XMLHTTP incorrectly leaks connection credentials across user sessions.

back to the top

Hotfix information

To resolve this behavior, update your version of MSXML. To do this, visit one of the following Microsoft Web sites.

Note If you have MSXML 3.0 installed, you must install a service pack.
MSXML 2.6 package for Microsoft Windows 2000, Windows XP, and Windows Server 2003
English version:Arabic version:Chinese (China) version:Chinese (Taiwan) version:Czech version:Danish version:Dutch version:Finnish version:French version:German version:Greek version:Hebrew version:Hungarian version:Italian version:Japanese version:Korean version:Norwegian version:Polish version:Portuguese (Brazil) version:Portuguese (Portugal version):Russian version:Spanish version:Swedish version:
MSXML 2.6 Package for Windows 98 and Windows Millennium Edition
All language versions:
If you are running MSXML 3.0, install the latest service pack. To do this, visit the following Microsoft Web site:
MSXML 4.0 Service Pack 2 (SP2) Package for Windows 2000, Windows XP, and Windows Server 2003
English version:Chinese (China) version:Chinese (Taiwan) version:French version:German version:Italian version:Japanese version:Korean version:Spanish version:
MSXML 4.0 SP2 Package for Windows 98 and Windows Millennium Edition
All language versions: back to the top


To apply this hotfix, you must have the following hotfixes or service packs installed:
  • Either MSXML 2.6 or MSXML 4.0 SP2.

    Note If you do not currently have MSXML 2.6 or MSXML 4.0 SP2 installed on your system, you do not have to apply this hotfix.
  • MS04-038 - Cumulative Security Update for Internet Explorer. This hotfix relies on Internet Explorer updates that are made in the MS04-038 security update. If you apply this hotfix without applying Internet Explorer security update MS04-038, you may experience the behavior that is described in the following Knowledge Base article:
    832414 XMLHTTP call fails for URLs with embedded user credentials
    For additional information about security update MS04-038, click the following article number to view the article in the Microsoft Knowledge Base:
    834707 MS04-038: Cumulative Security Update for Internet Explorer
back to the top

Restart information

If MSXML 2.6, MSXML 3.0, or MSXML 4 is being used when you apply this hotfix, you may have to restart your computer after you apply the hotfix or upgrade to MSXML 3.0 Service Pack 5 (SP5).

back to the top

Hotfix file information

This hotfix contains only those files that are required to correct the issues that this article lists. This hotfix may not contain all the files that you must have to fully update a product to the latest build.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version      Size     File name   ----------------------------------------------------   15-Oct-2004  01:35  8.30.9531.0  701,440  Msxml2.dll
   Date         Time   Version      Size       File name   ------------------------------------------------------   03-Aug-2004  17:20  4.20.9828.0  1,234,432  Msxml4.dll
Note Because of file dependencies, the most recent hotfix that contains these files may also contain additional files.back to the top
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

back to the top
More information
For additional information about the terminology that Microsoft uses when correcting software after it is released, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Article ID: 887606 - Last Review: 08/03/2012 08:31:00 - Revision: 2.0

  • kbsecurity atdownload kbbug kbfix KB887606
I=4050&did=1&t=">r m=document.createElement('meta');'ms.dqp0';m.content='true';document.getElementsByTagName('head')[0].appendChild(m);" onload="var m=document.createElement('meta');'ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src="">