<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Lies, Damn Lies, Information Leaks, and Statistics</title><link>http://blogs.msdn.com/david_leblanc/archive/2008/07/01/lies-damn-lies-information-leaks-and-statistics.aspx</link><description>Robert Hensing posted some criticism of a study that purported to analyze how many users are at risk due to using out of date or unpatched browsers. Rob rightfully points out that you can actually be running a very old version of IE (depending on OS),</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Lies, Damn Lies, Information Leaks, and Statistics</title><link>http://blogs.msdn.com/david_leblanc/archive/2008/07/01/lies-damn-lies-information-leaks-and-statistics.aspx#8678734</link><pubDate>Wed, 02 Jul 2008 00:27:55 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8678734</guid><dc:creator>Alun Jones</dc:creator><description>&lt;P&gt;There are some issues with your assertion that disclosing minor version numbers is a security issue.&lt;/P&gt;
&lt;P&gt;1. For some time, generally after the major versions are first released, the major version number _is_ the minor version number.&lt;/P&gt;
&lt;P&gt;[dcl] We can't avoid all information leaks, just the ones that aren't needed.&lt;/P&gt;
&lt;P&gt;2. Have you seen attacks that query for the version number and use that to select which exploit to use? I realise that browsers are clients, and I spend much time in server-land, but I've seen exploits attempted that aren't even for the same protocol or platform, let alone the same version number, as the server they have reached. Clearly, the majority of attacks simply try "whatever exploit we have on hand", without regard to version number checking. (This is a slightly circular argument, since of course they can't check version numbers if they don't have them.)&lt;/P&gt;
&lt;P&gt;[dcl] Yes, I've written them. Some people write really dumb exploits. Personally, I prefer to only attack things when I know it will work. Sets off fewer IDS sensors that way.&lt;/P&gt;
&lt;P&gt;3. Attackers are aware that, even when a version number is given them, it may be a lie designed to conceal weaknesses. Therefore they ignore version information, and use fingerprinting instead.&lt;/P&gt;
&lt;P&gt;[dcl] Sure, but if they're lying to you, they've probably applied all the patches, and you're not getting anywhere anyway, AND they watch their logs. Fingerprinting doesn't always work - there has to be some side-effect of the version that can be noticed.&lt;/P&gt;
&lt;P&gt;4. Version information can be useful to a peer, to allow them, say, to generate responses that will be parsed correctly on different versions that contradict one another in their interpretation of standards.&lt;/P&gt;
&lt;P&gt;[dcl] So then you need a document version, not an app version. Document versions change less frequently than patch levels.&lt;/P&gt;
&lt;P&gt;I'm sure I could come up with more, given time.&lt;/P&gt;
&lt;P&gt;[dcl] Keep them coming - I'm not convinced by any of these.&lt;/P&gt;
&lt;P&gt;Of course, if you have a flawed version of a program, the best answer is not to hide the version information, but to fix or work around the flaw.&lt;/P&gt;
&lt;P&gt;[dcl] Well, sure, but you wouldn't want a big neon sign on your front door stating locked/unlocked, would you? Don't give attackers information that isn't absolutely required.&lt;/P&gt;
</description></item><item><title>re: Lies, Damn Lies, Information Leaks, and Statistics</title><link>http://blogs.msdn.com/david_leblanc/archive/2008/07/01/lies-damn-lies-information-leaks-and-statistics.aspx#8704780</link><pubDate>Tue, 08 Jul 2008 01:58:33 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8704780</guid><dc:creator>david_leblanc</dc:creator><description>&lt;p&gt;Posting for Larry Seltzer:&lt;/p&gt;
&lt;p&gt;Feel free to post this as a comment to the entry. You may have seen my own column on this (&lt;a rel="nofollow" target="_new" href="http://www.eweek.com/c/a/Security/Who-Is-Running-The-Most-Secure-Browser/"&gt;http://www.eweek.com/c/a/Security/Who-Is-Running-The-Most-Secure-Browser/&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;My own IE7 USER-AGENT, as I describe it in the column, is this:&lt;/p&gt;
&lt;p&gt;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2; MS-RTC LM 8)&lt;/p&gt;
&lt;p&gt;There’s no browser minor version, but there is a lot of detail not usually necessary for a web server, such as the security components thing, the Live Meeting version, the CLR version, including minor version. Isn’t Microsoft being inconsistent here?&lt;/p&gt;
&lt;p&gt;[dcl] This is an area where you will see some inconsistencies. As you may have noted from Alun Jones’ comments, not everyone here agrees with me on this. Even if they did, it would take some time to get all of them fixed.&lt;/p&gt;
&lt;p&gt;You might note that the Office component only advertises major version.&lt;/p&gt;
</description></item><item><title>re: Lies, Damn Lies, Information Leaks, and Statistics</title><link>http://blogs.msdn.com/david_leblanc/archive/2008/07/01/lies-damn-lies-information-leaks-and-statistics.aspx#8732245</link><pubDate>Tue, 15 Jul 2008 00:37:33 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8732245</guid><dc:creator>Alun Jones</dc:creator><description>&lt;P&gt;Please don't take David's note "As you may have noted from Alun Jones' comments, not everyone here agrees with me" as a suggestion that I work at Microsoft - I don't.&lt;/P&gt;
&lt;P&gt;But yeah, people inside and outside of Microsoft disagree with David on this and other issues. On most of those issues, David's spot on - and I certainly hide minor versions from unauthenticated connections to my server.&lt;/P&gt;
&lt;P&gt;I don't see it as necessary, but I do it because it's easier to satisfy a customer's request than it is to try and persuade them they're wrong.&lt;/P&gt;
&lt;P&gt;I don't think it's likely to hurt much, but there's always the possibility that I've changed some piece of functionality in a patch release that might warrant having a client detect the change by querying the minor version number.&lt;/P&gt;</description></item></channel></rss>