 
From: Omar Koudsi (omarkjeeran.com)
Date: Mon Jan 07 2002 - 18:17:51 CST


    >I also question the value and wisdom in such an
    >implementation by Microsoft... thoughts anyone?

    The unfortunate priority ladder/business analysis for MS to implement
    something or not goes something like this:

    1. Ease of use: This feature requires no input/work from the user for
    the feature to be implemented.
    2. Convenience: This feature allows admins of intranets and webmasters
    of sites to tell users that they are not up2date on patches.

    And when we reach the security priority:

    10. Security: Allow malicious sites to identify unpatched IE browsers and
    customize exploits accordingly.

    So since there are two positives that are way up on the priority ladder,
    and only one negative that is way down on the priority ladder
    (security), the negative is disregarded and the feature is implemented.

    -----------
    Omar Koudsi
    IT Architect
    Network Security Center
    Special Systems Company
    http://security.sscjo.com
    omarksscjo.com
    Tel: (9626) 5664221
    Fax: (9626) 5681557

    -----Original Message-----
    From: dumbwabbit [mailto:dumbwabbityahoo.com]
    Sent: Monday, January 07, 2002 6:19 PM
    To: focus-mssecurityfocus.com
    Subject: IE headers w patch level - new info

    The patch information that Internet Explorer displays
    in website logfiles may be safely modified to not
    reflect current patches applied to the client browser.
    The relevant registry key/location is as follows
    (wrapped for readability):
    Hive:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\
    Internet Settings\User Agent\Post Platform
    String Value: T312461
    Data: "" (empty)

    If you modify the NAME of the string value "T312461"
    to something else like "CanYouGuessMyIEVersion" then
    that text is what will show up in the webserver's
    logfiles, under the UserAgent field.
    I have NOT tested this for length of the value, but I
    have successfully modified and even deleted this value
    - all without any apparent or noticeable loss of
    functionality on the part of IE. Additionally, after
    deleting this value, running both Windows Update and HFNETCHK.exe still
    show the machine as fully patched.

    Platforms tested on:
    Win2k Pro SP2
    IE 6.0.2600.0000 fully patched.

    Win2k Pro SP2
    IE 5.5 SP2 fully patched

    I imagine the key/values will be the same on 98, Me,
    NT4, XP, but have not verified this.

    I found this by searching my Registry for "T312461",
    finding it in this location, modifying first the value
    (no change) and then the name of the key. You MUST
    restart IE for this to take effect.

    Additionally, I have discovered that you can create
    multiple values here, and have them ALL show up in the webserver's
    logfiles if you wish.

    Extracts from my webserver logfiles before and after
    modifying the registry entries above:

    Before:
    HTTP/1.0
    Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0;+T312461)

    After (I have modified the T312461 value to
    "ThisWas-T312461" and ADDED a value named
    "MSBrowserHere" - type: String, value: ""):
    HTTP/1.0
    Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0;+MSBrowserHere;+ThisWas-T312461)

    I also question the value and wisdom in such an
    implementation by Microsoft... thoughts anyone?

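Added example (not part of the original posts): a small Python audit an administrator could run over their own proxy or web server logs to list the extra User-Agent tokens clients still expose, using the "+"-for-space log format shown in the message. The standard-token list and the letter-plus-six-digits patch pattern are assumptions modelled on the T312461 value quoted above, and the third sample line is constructed.

```python
import re
from collections import Counter

# Assumption: tokens IE sends by default inside the parenthesised comment.
# Anything else is treated as an extra (registry-supplied) token.
STANDARD = re.compile(r"^(compatible|MSIE [\w.]+|Windows [\w. ]+)$")

# Assumption: a patch-style token is one letter followed by six digits,
# the shape of the "T312461" value quoted in the message.
PATCH_LIKE = re.compile(r"^[A-Z]\d{6}$")


def extra_tokens(user_agent):
    """Return the non-standard tokens found in the UA's comment section."""
    ua = user_agent.replace("+", " ")  # this log format writes spaces as '+'
    match = re.search(r"\(([^)]*)\)", ua)
    if not match:
        return []
    tokens = [t.strip() for t in match.group(1).split(";")]
    return [t for t in tokens if t and not STANDARD.match(t)]


def looks_like_patch_id(token):
    """True when a token has the shape of a patch identifier."""
    return bool(PATCH_LIKE.match(token))


def audit(log_lines):
    """Count how many requests exposed each extra token."""
    counts = Counter()
    for line in log_lines:
        counts.update(extra_tokens(line))
    return counts


# First two lines are the before/after extracts from the message;
# the third is constructed to show a client with no extra tokens.
SAMPLE = [
    "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0;+T312461)",
    "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0;+MSBrowserHere;+ThisWas-T312461)",
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)",
]

if __name__ == "__main__":
    for token, hits in sorted(audit(SAMPLE).items()):
        flag = "patch-like" if looks_like_patch_id(token) else "other"
        print(f"{token}\t{hits}\t{flag}")
```

Clients that show a patch-like token in the output are the ones where the registry value described in the message has not yet been renamed or removed.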