IE Disclosure

Description

Internet Explorer 6.0 (and possibly other versions) reveals details of software installed on your system. When you fetch a website, IE sends a request like this:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: rs1_d12bc2c9e67;q=0.0,rs2_84605b65e8e;q=0.0,rs3_06a7e579f2;q=0.0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: pajhome.org.uk
Connection: Keep-Alive

It is the "Accept:" header that is the problem. If you have all of Office installed, then the accept header looks like this:

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*

So, completely hidden from you, IE is revealing whether you have Excel, PowerPoint or Word installed, to every website you visit.
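
To check a captured request for this disclosure, the following Python code (an added example, not part of the original page) extracts the "Accept:" header and lists the Office applications it implies. The default type list and the Office MIME types are the ones quoted above; the function names and the sample request are constructed for illustration.

```python
# Added example: audit a captured HTTP request for Accept entries beyond
# IE's default list. Function names and sample data are constructed.

# Media types in the default request shown on this page.
BASELINE = {"image/gif", "image/x-xbitmap", "image/jpeg", "image/pjpeg", "*/*"}

# Office types named on this page and the application each one implies.
OFFICE_TYPES = {
    "application/vnd.ms-powerpoint": "PowerPoint",
    "application/vnd.ms-excel": "Excel",
    "application/msword": "Word",
}


def accept_from_request(raw_request):
    """Return the value of the Accept header, or None if it is absent."""
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line marks the end of the headers
        name, sep, value = line.partition(":")
        # Exact name match, so Accept-Language and Accept-Encoding are ignored.
        if sep and name.strip().lower() == "accept":
            return value.strip()
    return None


def audit_accept(header_value):
    """Return (implied applications, other non-default types), in header order."""
    apps, other = [], []
    for item in header_value.split(","):
        # Drop parameters such as ";q=0.9" and normalise case.
        media_type = item.split(";", 1)[0].strip().lower()
        if media_type in OFFICE_TYPES:
            apps.append(OFFICE_TYPES[media_type])
        elif media_type and media_type not in BASELINE:
            other.append(media_type)
    return apps, other


if __name__ == "__main__":
    # Constructed sample request using the full-Office header quoted above.
    sample = ("GET / HTTP/1.1\r\n"
              "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
              "application/vnd.ms-powerpoint, application/vnd.ms-excel, "
              "application/msword, */*\r\n"
              "Accept-Encoding: gzip, deflate\r\n"
              "Host: pajhome.org.uk\r\n\r\n")
    print(audit_accept(accept_from_request(sample)))
```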

Is this a bug?

I'm sure that Microsoft could completely justify this design as being useful. For example, it lets servers return different document types depending on what the client can read. However, I think this is leaking far too much information about your system. The information may even be useful to hackers, as there have been security problems with these programs in the past, e.g. macro viruses.

I can only speculate at what information is leaked in the cryptic-looking "Accept-Language:" header.

Solution

Fortunately you can stop the information leakage quite easily, by editing the registry. Just delete the affected keys from this branch:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents

The solution comes from this article on Kimihia.

© 1998 - 2012 Paul Johnston, distributed under the BSD License   Updated: 15 Dec 2007