Me and Microsoft's KB912812 Cumulative Security Update

So there I was minding my own business when Microsoft decides to make my life that much more complicated. They do their security updates all the time, and given that I manage websites but don't have a Windows box, I try to read the details of each release to be aware of any issues it may cause. This one in particular (KB912812) had me concerned because it changes the way that embedded objects are handled. On reading the details, it looked like my Javascript code that uses an ActiveX control to send asynchronous HTTP requests in IE would be fine because the code isn't activated when the page loads, only in response to user input. Cool.

The update came out, some people started getting it on their machines, and I started getting complaints about the dropdown menus on collegemedium.com not working. I sent them to ckdake.com, which uses the exact same csshover.htc hack to let IE use :hover on any element of a page, allowing dropdown lists to be nested HTML unordered lists with CSS to display all of it. The ones on ckdake.com worked just fine for all of them, which made no sense. If one broke, shouldn't the other?

After hours and hours of debugging I finally figured out the root cause. Microsoft forgot to document a fairly major change in some unconfigurable Javascript security settings. Most things you can change by setting a custom security level in IE preferences, but if there is anything similar to the about:config that Mozilla based browsers have, I've never seen it. Previously, I had to change a few things to get the Javascript to play nice in IE. For IE to allow an AJAX request to go out, the page, the Javascript file, and the AJAX target have to be on the exact same domain, subdomain included. I had to move the Javascript files from static.collegemedium.com to the includes folder on every other subdomain (marketplace, jobs, etc.) to get any of that to work. This is to prevent phishing attacks and some cross site scripting attacks, which makes sense I guess, but properly designed web sites should prevent the attacks and the limitation seems a bit artificial and unnecessary to me. Whatever. It turns out the new update now requires any CSS file that Javascript interacts with to be on the same subdomain, not just for writing to it dynamically in the DOM, but even for just reading from it! That's crazy and completely undocumented. Putting the CSS file on all the subdomains and setting all the image paths in it to point to static.collegemedium.com instead of being relative URLs fixed the problem completely.
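The two pieces of the fix described above, as an added JavaScript example that is not code from the original post: a same-origin check between a page and the stylesheet it wants to read, and a rewrite of relative `url()` references so a copy of the CSS placed on each subdomain keeps pointing its images at the static host. Host names are the post's own; the CSS text and `readRulesSafely` (which assumes a browser `CSSStyleSheet`-like object) are constructed for illustration.

```javascript
// Standard same-origin tuple: scheme, host and port must all match.
// The post's case fails on the host component: marketplace.collegemedium.com
// and static.collegemedium.com are different origins even though they share
// a parent domain, so script on one may not read a stylesheet served by the other.
function sameOrigin(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // relative hrefs resolve against the page
  return page.protocol === res.protocol && page.hostname === res.hostname && page.port === res.port;
}

// Before copying a stylesheet onto every subdomain, rewrite its relative url()
// references to absolute URLs on the static host so images keep resolving from
// any copy. Already-absolute URLs (http:, https:, data:, //host) are left alone.
function absolutizeCssUrls(cssText, cssFileUrl, staticBase) {
  return cssText.replace(/url\(\s*(['"]?)([^'")]+)\1\s*\)/g, (match, quote, ref) => {
    if (/^(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(ref)) return match;
    // Resolve relative to where the sheet originally lived, then move the host.
    const resolved = new URL(ref, cssFileUrl);
    const moved = new URL(resolved.pathname + resolved.search, staticBase);
    return `url(${quote}${moved.href}${quote})`;
  });
}

// Defensive read: a browser throws when script touches the rules of a
// cross-origin sheet (IE reports "Access is denied"). Return null instead of
// letting the whole menu script die on that one exception.
function readRulesSafely(sheet) {
  try {
    return sheet.cssRules || sheet.rules || null;
  } catch (e) {
    return null;
  }
}

// Constructed sample stylesheet text standing in for the real menu CSS.
const SAMPLE_CSS =
  ".menu li { background: url(../img/arrow.gif) }\n" +
  ".logo { background: url('http://cdn.example/logo.png') }";
```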

This all may not seem like that big of a deal, but because of the somewhat silly restrictions that IE places on Javascript, I now have to have an extra 20 kilobytes of files on each subdomain. Instead of these files getting cached once on each machine, if a user hits each subdomain they will have to load 140 kilobytes instead of 20, slowing their user experience and upping the bandwidth usage on the server. If your nifty Javascript DOM CSS stuff stops working after KB912812, I hope you stumble across this and don't waste a day trying to fix your problem.
