[Pidgin] #2264: Jabber: Client and OS version visible to authorized buddies

Pidgin trac at pidgin.im
Thu Jul 26 16:41:12 EDT 2007 

#2264: Jabber: Client and OS version visible to authorized buddies
---------------------------+------------------------------------------------
  Reporter:  alexkon       |       Owner:                   
      Type:  defect        |      Status:  closed           
  Priority:  minor         |   Milestone:                   
 Component:  pidgin (gtk)  |     Version:  2.0.2            
Resolution:  invalid       |    Keywords:  security, privacy
   Pending:  0             |  
---------------------------+------------------------------------------------
Comment (by alexkon):

 Replying to [comment:2 khc]:
 > d) the attacker can just try all the recent vulnerabilities, and see
 which one works

 > I don't see how this is a bug. Are you suggesting that if we hide that
 information, attackers would just give up?

 Of course hiding the version doesn't protect from any remote
 vulnerabilities. I didn't say that it did. Hiding the version makes it
 harder to conceal the attacks.

 Consider the worm example (a). If the version number of a client is not
 known, the worm has to guess which exploit to try. When it guesses wrong,
 the victim won't be infected, but the client attacked may crash or
 indicate that something is going wrong (by showing garbage to the user,
 for example). On the contrary, when the version number and the
 architecture are known, the worm can target its exploits perfectly and
 thus is going to stay unnoticed for a longer period of time.

 From that point of view the examples might make more sense to you now.

 Limiting the information disclosure to authorized users doesn't add much
 protection. A determined attacker can trick most users into authorizing
 him, and even a bot can do a good job of persuading people to authorize
 it. Worms don't have the problem of being authorized at all.

 [[BR]]
 > Oh, and your CVE link is broken, and it doesn't seem like the number is
 valid.

 The CVE link works now, although there is no content there yet. I hastened
 to post a link before it was ready, sorry for that. If you would like to
 know when they are going to add a description and a link back to here on
 the CVE page, I can ask the editors. I guess their process is not fast,
 especially for minor issues such as this.

 [[BR]]
 Please tell me if you still can't see the risk of reporting those system
 details to strangers.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/2264#comment:3>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list