RE: IE headers w patch level
From: Jorge Roxo (j.roxo@sotagus.pt)Date: 12/26/01
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #66"
- In reply to: Marc Fossi: "Re: IE headers w patch level"
- Next in thread: Omar Koudsi: "RE: IE headers w patch level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jorge Roxo" <j.roxo@sotagus.pt> To: "'Marc Fossi'" <mfossi@securityfocus.com>, "'Stephen Friedl'" <friedl@mtndew.com> Date: Wed, 26 Dec 2001 08:55:16 -0000
Hum... Why would you need to make that public in a HTML header.. Well it
might have something to do along the lines of knowing just what type of
browser the person is using to view in a site's stats what is the most
popular type of browser used and thus to recode your site's html to
tailor for the specifics of that most piopular browser. Im sure you are
all aware that Netscape and IE do NOT behave exactly the same while
handling certain types of HTML tags. To have this information allows you
to tailor for specific needs and behaviours when providing we content if
you are not using very complex html source originators such as php or
asp. Simple and pure HTML code behaves differently for Netscape than for
IE.
This is why I agree that you should as a webmaster be allowed to collect
this basic info from a visitor's browser. Howevere I most certainly
disagree with the fact the it tells you which particular security
updates have been applied to the browser beyond those which should be
"visible" like SP1 or SP2 since the behaviour of IE 5.5 SP1 and IE 5.5
SP2 while handling *.js files for instance is different in some
functions, and is thus important to know what version it is and thus
handle it differently if you happen to have the need to do so. Beyond
that, it pops up that info - Im guessing here - because the command you
issue when you go to the option of "about IE" is most likely headed for
the very same function that is called when yuo send na email header or
when you call throguh a script to see what version the visitor is using
of browser X, Y or Z. I'd guess it just for commodity purposes, and I'd
further guess that starting to freak out and consider the fact that this
information is readily available, is about as useful as penauts.
The risk of getting hit by an attack is almost nill because of this info
being available. I really fail to see what the importance is.. So
someone could please enlighten me on how you'd go about an "imaginary"
attack? What would this information really provide you with?, to me all
this line says is this:
> > Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+AltaVista+1.01.01;+T3
> > 12461)
The user sent his e-mail or visited my site while using a software
compatible with the Mozilla 4.0 standard wich was defined as Microsoft
Internet Explorer version 5.5 installed on a Windows 98 machine,
possibly the distribution of the cliente ( I.E Browser ) was done
through Altavista, and it is the Alatavista distribution 1.01.01 or was
distributed on 01.01.01. Possibly it may have a patch applied, that
patch being Q12461 ( possibly )...
Ok... So... Whats the security risk? What is being given away here?
absolutely nothing!!!... All it really tells me is that this person is
using Win98 and IE 5.5 and that he/she got it either trough altavista or
sent me the e-mail throguh altavista's mail server. Not much there in
the way of a risk huh?.
Just my 0.02 ˆ worht of thoughts ;)
Jorge Roxo,
TCSA/Sotagus Computer Systems Administrator.
j.roxo@sotagus.pt
--------------------------------------------
This e-mail is confidential and privileged. If you are not the intended
recipient please accept our apologies. Do not disclose, copy or
distribute information in this e-mail or take any action in reliance to
its contents, to do so is strictly prohibited and may be unlawful.
Please inform us that this message has gone astray before deleting it.
Thank you for your co-operation.
--------------------------------------------
-----Mensagem original-----
De: Marc Fossi [mailto:mfossi@securityfocus.com]
Enviada: segunda-feira, 24 de Dezembro de 2001 18:22
Para: Stephen Friedl
Cc: focus-ms@securityfocus.com
Assunto: Re: IE headers w patch level
But you'd think that since they released HFNetChk for that purpose they
wouldn't need to include that data in a form that any website operator
could access....
Marc Fossi, MCSE
SecurityFocus
www.securityfocus.com
On Mon, 24 Dec 2001, Stephen Friedl wrote:
> > Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+AltaVista+1.01.01;+T3
> > 12461)
>
> > Does anyone know if this will be done with future patches, and what
> > the purpose might be?
>
> If I were running an IT department, I'd sure love to know which of my
> perhaps hundreds of internal users had not received which patches -
> perhaps this is what they had in mind with this?
>
> Steve
>
> ---
> Stephen J Friedl | Software Consultant | Tustin, CA | +1 714
544-6561
> www.unixwiz.net | I speak for me only | KA8CMY |
steve@unixwiz.net
>
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #66"
- In reply to: Marc Fossi: "Re: IE headers w patch level"
- Next in thread: Omar Koudsi: "RE: IE headers w patch level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
