Tuesday, 28 August 2007

Internet Explorer - Surreptitious Entry in the User Agent String

What does the Internet Explorer User Agent String say?

You can check it here: User Agent String.com.

By default on XP IE 7:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

Okay, so it tells us that the browser is IE 7, on Windows XP and it has the three versions of .NET installed.

By default on Windows Vista IE 7:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)

Again, it is quite simple. We have IE 7 as a browser, Vista as the OS, something about SLCC1, and the .NET components.

Now, what do we have here:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TheFreeDictionary.com; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)

We have, it seems, some free advertising for a particular Web site going on. Somehow, whether by software install, spyware or malware install, the above .com site is in the User Agent String that IE shows to the world.

The InfoPath entry would have come by an InfoPath install.

To get rid of any unwanted entries, navigate to the following locations in the registry:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

Windows Vista:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

Delete the offending entry and close all IE windows. Open a new IE session, navigate to User Agent String.com, and verify that the entry is gone.

It only seems fair that the offending site ask permission for their name to be carried around the Internet. If the offending entry's permission came via some small print in a Terms & Conditions somewhere, then this situation demonstrates why we should be reading them!

This is one more little indicator for us to use to keep an eye on system health and integrity.
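
As an added example (not part of the original post), the sketch below uses that indicator on the server side: it pulls IE User Agent strings out of web or proxy log lines, splits them into tokens, and reports any token outside a baseline. The allow-list, the function names and the log lines are assumptions constructed for illustration; the three User Agent strings are the ones quoted above.

```python
import re
from collections import defaultdict

# Assumed allow-list: token shapes seen in the default strings above, plus
# InfoPath, which the post attributes to a legitimate install.
BASELINE = [re.compile(p) for p in (
    r"compatible",
    r"MSIE \d+\.\d+",
    r"Windows NT \d+\.\d+",
    r"\.NET CLR \d+(?:\.\d+)+",
    r"SLCC1",
    r"InfoPath\.\d+",
)]

# Constructed log lines (combined log format, documentation IPs) carrying
# the three User Agent strings quoted in the post.
SAMPLE_LOG = '''\
192.0.2.10 - - [28/Aug/2007:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
192.0.2.20 - - [28/Aug/2007:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
192.0.2.30 - - [28/Aug/2007:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TheFreeDictionary.com; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)"
'''

def ua_tokens(ua):
    """Split the parenthesised part of an IE User Agent string on ';'."""
    m = re.search(r"\(([^)]*)\)", ua)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else []

def unexpected_tokens(ua):
    """Return the tokens that match none of the baseline shapes."""
    return [t for t in ua_tokens(ua) if not any(p.fullmatch(t) for p in BASELINE)]

def audit_log(text):
    """Map client IP -> sorted unexpected tokens seen in its User Agent strings."""
    findings = defaultdict(set)
    for line in text.splitlines():
        # In combined log format the User Agent is the last quoted field.
        m = re.match(r'(\S+) .*"([^"]*)"\s*$', line)
        if m:
            findings[m.group(1)].update(unexpected_tokens(m.group(2)))
    return {ip: sorted(toks) for ip, toks in findings.items() if toks}

if __name__ == "__main__":
    for ip, toks in audit_log(SAMPLE_LOG).items():
        print(ip, toks)
```

A client that shows up in the result is a candidate for the registry check described above.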

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.
