suzannesmit
ServiceNow Employee

In July 2016, Microsoft issued the critical security bulletin MS16-084. This was an important security update for users of Internet Explorer 11. The update fixed vulnerabilities that allowed remote code execution if a user viewed a specially crafted webpage with Internet Explorer. Attackers who made it into systems where the current user was logged on as an administrator could gain control of the system and, for example, install programs, delete data, and create new accounts.


The MS16-084 update changed security settings so URLs that contain a javascript() function call are now blocked. This has some ramifications in ServiceNow.

Determining if the MS16-084 security update affects your instance

After installing the MS16-084 patch, if you access a Fuji, Geneva, or Helsinki instance using Internet Explorer 11 and try to apply a template to a record, the pop-up window for selecting templates is blank. The issue has not been reproducible consistently, but there are multiple reports of the blank template window. For example, customers have seen the issue when creating a new incident and selecting Template > Apply template from the context menu.

How to work around the blank templates window

Try using one of the following workarounds if suitable for your organization:

  • Upgrade to a Geneva (or later) release and use UI16
  • Use a different browser such as Chrome or Firefox
  • Navigate to Internet Options > Security Settings > Custom Level and clear the option Enable XSS Filter
  • Back out the MS16-084 Critical Patch

Additional information

General information about forms and templates is available in the product documentation: