ACTION-231 OPEN Start a discussion about including descriptions of the information divulged to websites by user-agents

In the current user agent environment, security details and privacy
information can be extracted by a web site without the user's
permission or knowledge. The user agent environment and many privacy
details are readily available to a web site. The information can used
to support the compromise of a user's security posture in several ways;
two methods are included below.

 

1.	The operating environment details (e.g. User Agent info.
Plug-ins, Email addresses) can be presented back to a user in order to
make a malicious web site appear friendly such as a previously visited
site or a site trying to help the user. A malicious site can use this
information to further compromise of the user's security posture by
making the user make incorrect downstream security decisions.

 

	a.	Links to update software or software to fix operating
environment that actually contain additional malware.
	b.	Email (gained by the site) can be used to send to the
user links that need to be immediately acted upon. The email  can be
designed to further confuse the user and gain additional privacy
information or account details.

 

2.	A web site can make use of critical flaws in the User Agent
environment that can lead to complete compromise of the users operating
environment allowing remote code execution. A malicious web site can
compromise the users operating environment without any user interaction
besides taking the initial link that lead them to the site. Exploits
include the following components.

	a.	Plug-ins
	b.	User Agent itself

 

Sample operating environment and user agent details given to a web site
is listed below. Information with bold x was valid information
determined by a web site but blocked from further distribution.
Because application and version information is provided by User Agent
to a web site, a malicious web site can determine if it has a exploit
that matches any of the user agent software components and proceed to
compromise the user agent if a match is found.

 

Environmental variables:

HTTP_ACCEPT = */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_CACHE_CONTROL = max-age=259200
HTTP_CONNECTION = keep-alive
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6)
HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx
REMOTE_ADDR = xx.xxx.xx.xx
REMOTE_PORT = xxxxx
REQUEST_METHOD = GET
SERVER_PROTOCOL = HTTP/1.0

Derived Information:

It appears you are not using Tor
Your Gmail Email Address: xxx@xxx.com
Your Real Email Address: undefined

Browser detection: 

IE7.0 not detected 



JavaScript Version: 1.3
Browser type: Microsoft Internet Explorer
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
System Language: en-us
Cookies Enabled: true
Application Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Platform: Win32
Application Code Name: Mozilla
Application Minor Version: ;SP2;
On line: true
Application Code Name: Mozilla
Java Enabled: true
Your Intranet IP: 
Currently using Internet Explorer and it is your default browser.

 

Firefox plugin detection:  

JavaScript variables: 

Window width = 1001
Window height = 557
Available Screen Height = 960
Available Screen Width = 1280
Color Depth = 32

 

Plug-ins 

Plugin_Flash 

 Version 9 (Version 9,0,28,0) 

Plugin_Flash 

 Version 9 (Version 9,0,28,0) 

Plugin_FlashVerEx  9,0,28,0 

Plugin_Director 

 Not installed 

Plugin_DirectorVerEx 

Plugin_QuickTime 

 Not determinable. Either QT is not installed or a version prior to
4.1.1 is installed. 

Plugin_QuickTimeVerEx  

Plugin_Acrobat 

 Installed (Version 8.0.0) 

Plugin_AcrobatVerEx 

 8.0.0 

Plugin_RealPlayer 

 RealPlayer 10 installed (build 6.0.12.1483) 

Plugin_RealPlayerBuild 

 6.0.12.1483 

Plugin_MediaPlayer 

 Installed (Version 10.0.0.4036) 

Plugin_MediaPlayerVerEx 

 10.0.0.4036 

Plugin_Flip4Mac 

 Not installed 

Plugin_JavaVer 

 Not tested 

Plugin_iPIXViewer 

 Not installed 

Plugin_SVGViewer 

 Not installed 

Plugin_CrystalReports 

 Not installed 

Plugin_Viewpoint 

 Not installed 

Plugin_Authorware 

 Not installed 

Plugin_Mapguide 

 Not installed 

Plugin_Citrix 

 Not installed 

Plugin_Custom 

 Not installed

 

 

 

 

 

 

 

Received on Monday, 11 June 2007 20:41:58 UTC