- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Mon, 11 Jun 2007 16:41:46 -0400
- To: "Web Security Context WG" <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B58018149B2@IMCSRV5.MITRE.ORG>
In the current user agent environment, security details and privacy information can be extracted by a web site without the user's permission or knowledge. The user agent environment and many privacy details are readily available to a web site. The information can be used to support the compromise of a user's security posture in several ways; two methods are included below.

1. The operating environment details (e.g. User Agent info, plug-ins, email addresses) can be presented back to a user in order to make a malicious web site appear friendly, such as a previously visited site or a site trying to help the user. A malicious site can use this information to further compromise the user's security posture by making the user make incorrect downstream security decisions.
   a. Links to update software or software to fix the operating environment that actually contain additional malware.
   b. Email (gained by the site) can be used to send the user links that need to be immediately acted upon. The email can be designed to further confuse the user and gain additional privacy information or account details.

2. A web site can make use of critical flaws in the User Agent environment that can lead to complete compromise of the user's operating environment, allowing remote code execution. A malicious web site can compromise the user's operating environment without any user interaction besides taking the initial link that led them to the site. Exploits include the following components.
   a. Plug-ins
   b. User Agent itself

Sample operating environment and user agent details given to a web site are listed below. Information with bold x was valid information determined by a web site but blocked from further distribution. Because application and version information is provided by the User Agent to a web site, a malicious web site can determine if it has an exploit that matches any of the user agent software components and proceed to compromise the user agent if a match is found.
Environmental variables:
HTTP_ACCEPT = */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_CACHE_CONTROL = max-age=259200
HTTP_CONNECTION = keep-alive
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6)
HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx
REMOTE_ADDR = xx.xxx.xx.xx
REMOTE_PORT = xxxxx
REQUEST_METHOD = GET
SERVER_PROTOCOL = HTTP/1.0

Derived Information:
It appears you are not using Tor
Your Gmail Email Address: xxx@xxx.com
Your Real Email Address: undefined
Browser detection: IE7.0 not detected
JavaScript Version: 1.3
Browser type: Microsoft Internet Explorer
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
System Language: en-us
Cookies Enabled: true
Application Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Platform: Win32
Application Code Name: Mozilla
Application Minor Version: ;SP2;
On line: true
Application Code Name: Mozilla
Java Enabled: true
Your Intranet IP:
Currently using Internet Explorer and it is your default browser.

Firefox plugin detection:

JavaScript variables:
Window width = 1001
Window height = 557
Available Screen Height = 960
Available Screen Width = 1280
Color Depth = 32

Plug-ins
Plugin_Flash Version 9 (Version 9,0,28,0)
Plugin_Flash Version 9 (Version 9,0,28,0)
Plugin_FlashVerEx 9,0,28,0
Plugin_Director Not installed
Plugin_DirectorVerEx
Plugin_QuickTime Not determinable. Either QT is not installed or a version prior to 4.1.1 is installed.
Plugin_QuickTimeVerEx
Plugin_Acrobat Installed (Version 8.0.0)
Plugin_AcrobatVerEx 8.0.0
Plugin_RealPlayer RealPlayer 10 installed (build 6.0.12.1483)
Plugin_RealPlayerBuild 6.0.12.1483
Plugin_MediaPlayer Installed (Version 10.0.0.4036)
Plugin_MediaPlayerVerEx 10.0.0.4036
Plugin_Flip4Mac Not installed
Plugin_JavaVer Not tested
Plugin_iPIXViewer Not installed
Plugin_SVGViewer Not installed
Plugin_CrystalReports Not installed
Plugin_Viewpoint Not installed
Plugin_Authorware Not installed
Plugin_Mapguide Not installed
Plugin_Citrix Not installed
Plugin_Custom Not installed
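The message's point is that a server can read product names and version numbers straight out of the request headers and plug-in probe output. The script below is an added example (not part of the original post or of any W3C tool) that a site operator or a user reviewing a capture of their own traffic can run to enumerate exactly that disclosure: it parses a CGI-style header dump and a "Plugin_<name> <status>" list, pulls out every versioned software component, and lists the network-position fields (proxy, forwarded-for, remote address). The sample inputs are constructed from the kinds of values quoted above, with documentation addresses substituted for the masked ones.

```python
"""Audit what a request discloses about the visitor's software stack.

Added example; SAMPLE_HEADERS and SAMPLE_PLUGINS are constructed inputs
modelled on the dump quoted in the message (addresses are placeholders).
"""
import re

# Constructed: CGI-style header dump, one "NAME = value" per line.
SAMPLE_HEADERS = """\
HTTP_ACCEPT = */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_CONNECTION = keep-alive
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP_VIA = 1.0 proxy.example.invalid:80 (squid/2.5.STABLE6)
HTTP_X_FORWARDED_FOR = 192.0.2.10
REMOTE_ADDR = 198.51.100.7
REQUEST_METHOD = GET
"""

# Constructed: client-side plug-in probe output in "Plugin_<name> <status>" form.
SAMPLE_PLUGINS = """\
Plugin_Flash Version 9 (Version 9,0,28,0)
Plugin_Director Not installed
Plugin_Acrobat Installed (Version 8.0.0)
Plugin_RealPlayer RealPlayer 10 installed (build 6.0.12.1483)
Plugin_MediaPlayer Installed (Version 10.0.0.4036)
Plugin_JavaVer Not tested
"""

# "<product><space or slash><version>": dotted version, may end in a tag (STABLE6).
_PRODUCT_VERSION = re.compile(r"^(?P<name>.*?)[ /]?(?P<version>\d+(?:\.[A-Za-z0-9]+)+)$")
_PAREN = re.compile(r"\(([^)]*)\)")
_PLUGIN_VERSION = re.compile(r"(?:version|build)\s+([\d.,]+)", re.IGNORECASE)


def parse_env_dump(text):
    """Turn 'NAME = value' lines into a dict; blank or malformed lines are skipped."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def _tokens(value):
    """Yield product tokens: whitespace-separated words outside any
    parenthesised comment, then the comment's ';'-separated entries."""
    comment = " ".join(_PAREN.findall(value))
    head = _PAREN.sub("", value)
    yield from (t.strip() for t in head.split() if t.strip())
    yield from (t.strip() for t in comment.split(";") if t.strip())


def software_disclosed(headers, fields=("HTTP_USER_AGENT", "HTTP_VIA")):
    """Return (header, product, version) triples for every versioned component
    the server can read from the listed headers, in order of appearance."""
    found = []
    for field in fields:
        for token in _tokens(headers.get(field, "")):
            m = _PRODUCT_VERSION.match(token)
            if m and m.group("name"):          # skip bare numbers such as 'Via: 1.0'
                found.append((field, m.group("name"), m.group("version")))
    return found


def network_disclosed(headers):
    """Fields that reveal the client's address and any proxy it passed through."""
    keys = ("REMOTE_ADDR", "HTTP_X_FORWARDED_FOR", "HTTP_VIA")
    return {k: headers[k] for k in keys if k in headers}


def installed_plugins(text):
    """Map plug-in name -> version (or None) for plug-ins the probe reports as
    present; 'Not installed' and 'Not tested' entries are dropped. When a line
    carries several version strings, the last (most specific) one is kept."""
    present = {}
    for line in text.splitlines():
        if not line.startswith("Plugin_"):
            continue
        name, _, status = line[len("Plugin_"):].partition(" ")
        if status.lower().startswith("not"):
            continue
        versions = _PLUGIN_VERSION.findall(status)
        present[name] = versions[-1] if versions else None
    return present


def audit(headers_text, plugins_text):
    """Combine the three views into one report dict."""
    headers = parse_env_dump(headers_text)
    return {
        "software": software_disclosed(headers),
        "network": network_disclosed(headers),
        "plugins": installed_plugins(plugins_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS, SAMPLE_PLUGINS)
    for field, product, version in report["software"]:
        print(f"{field:20} {product:12} {version}")
    for name, version in report["plugins"].items():
        print(f"{'plugin':20} {name:12} {version}")
    print("network:", report["network"])
```

Every line of the report is something the site learned without asking; the header-derived rows are available to any server the browser (or its proxy) talks to, the plug-in rows only once script runs. Reducing the list, by trimming the User-Agent comment, stripping Via at the proxy edge, or disabling unneeded plug-ins, is the corresponding mitigation.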
Attachments
- image/gif attachment: atta269b.gif
Received on Monday, 11 June 2007 20:41:58 UTC