MS04-004 is a cumulative security update (Microsoft KB832894) which addresses 3 issues:
* A cross-site scripting issue
* a drag-and-drop DHTML vulnerability and
* an incorrect parsing of URLs.
It also makes URLs of the form http://username:password@site/something-else invalid. Note that URLs of that form are acceptable according to the W3C and is a shorthand way of specifying an unencrypted username/password pair.
This bulletin replaces MS03-048.