On 27/08/07, Kees Cook wrote:

> Each Linux distribution has a very limited set of possible kernel
> versions. It is nearly trivial to guess at someone's kernel version.

Well, there is a limited number of possible hardware architectures, operating systems, and software versions. If the attacker can afford guessing, this "feature" of Pidgin is indeed useless for him. However, there are two possible uses for knowing the victim's configuration *exactly* in advance: hiding the attacker's activity and increasing the success rate of one-shot exploits (for worms). Details can be found in the "Sample attack schemes" section of my original report.

> Also, "4. Authorize the attacker from the victim client." requires the
> victim do some work to help the attacker. :)

That's good but it doesn't add too much protection, as I argue in the original report.

> I don't find this to be a significant "information disclosure".

Frankly, I don't consider this a significant information disclosure either. It's an insignificant one. :-) Most importantly, I'd like to make sure that this issue is not ignored and will be eventually fixed.

-- 
Jabber: Client and OS version visible to authorized buddies
https://bugs.launchpad.net/bugs/128159
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs