Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Microsoft Corp. has announced in a support document that it will be releasing a software update to Internet Explorer and Windows Explorer to disable the use of certain syntax in HTTP URLs. The syntax, designed to allow a username and password to be passed to a password-protected page, has a history of abuse. The company did not give a timeline for the release of the patch.

The syntax takes the form http[s]://username:password@server/file.html, such as, where “joe” is the username and “blow” is the password. But a site that does not look for the username and password will ignore the values passed, and only the string after the “@” symbol is used for the domain name. Other browsers support this syntax to varying degrees.

To read the full story, click here.