Saturday, April 26, 2008

Fun with beta testing or NOT :)

Microsoft Security Response Center

Email correspondence


Hello
> The following is a security recommendation for the following address and domain:
> healthvault.com
> If you run an analysis using web-based networking tools such as Netcraft, healthvault.com discloses the version of the web-server software assigned to that address and, in a lot of cases, the load balancer as the OS. Since this service is going to be hosting private health information, it should disclose as few configuration specs as possible. The best-case scenario is that it would show up as "unknown". For the record, if you ask why I am emailing you about a minor configuration issue: having such information could be used as reconnaissance for possible deeper penetration in the future. If you require more information, please let me know.
> Thanks
> msdogfood@hotmail.com

---------------------------------------------------------------------------------------




> Just a quick introduction: I'm the MSRC case manager who will be looking after this investigation moving forward.
> First of all, thanks for reporting this to Microsoft responsibly; we appreciate your effort in doing so.
> Right at the moment the product team is investigating your report, and I hope to have some feedback fairly soon.
> In the meanwhile, if you have any questions or more information, please don't hesitate to contact me by replying to this email.
> I look forward to working with you on this investigation.
>
>
> Kind Regards,


----------------------------------------------------------------------------




My info & my problem.


This information was given out by the web server.



This is the output from Netcraft:
http://toolbar.netcraft.com/site_report?url=http://www.healthvault.com


Hosting History

Netblock Owner: Microsoft Corp, One Microsoft Way, Redmond WA US 98052 (http://toolbar.netcraft.com/netblock?q=MICROSOFT-1BLK,65.52.0.0,65.55.255.255)
IP address: 65.55.193.143
OS: F5 Big-IP
Web Server: Microsoft-IIS/6.0
Last changed: 4-Oct-2007
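Netcraft only summarises what the site itself sends back. The web-server column above comes straight from the HTTP `Server` header, so the same disclosure can be checked directly against a captured response. The script below is an added example for this post, not code from the original report or from Microsoft: it parses a raw HTTP response and flags the headers that carry product and version identity. The two responses it scans are constructed inline; the `Server: Microsoft-IIS/6.0` line echoes the Netcraft row above, while the `X-Powered-By` and `X-AspNet-Version` lines are assumed for illustration, not something the post shows the site sending.

```python
"""Flag server/platform version disclosure in a raw HTTP response.

Added example (not part of the original post). The responses below are
constructed; only "Server: Microsoft-IIS/6.0" reflects the Netcraft output
quoted in the post, the other identity headers are assumed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Response headers that commonly carry software or platform identity.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Optional product token followed by "/", then a version number
# (matches "Microsoft-IIS/6.0", "Apache/2.4.41", and a bare "2.0.50727").
VERSION_RE = re.compile(r"(?:([A-Za-z][\w.-]*)/)?(\d+(?:\.\d+)*)")

Finding = Tuple[str, str, Optional[str]]  # (header, product, version or None)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the status line and header block of a raw HTTP response.
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line instead of aborting
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_disclosures(headers: Dict[str, List[str]]) -> List[Finding]:
    """Return one finding per identity-bearing value.

    A value with a version number yields (header, product, version); a
    value that only names a product (e.g. "X-Powered-By: ASP.NET") yields
    (header, value, None) so the two cases can be weighed separately."""
    findings: List[Finding] = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            matches = VERSION_RE.findall(value)
            if matches:
                for product, version in matches:
                    # A version-only header (X-AspNet-Version) has no product
                    # token; fall back to the header name as the product.
                    findings.append((name, product or name, version))
            elif value:
                findings.append((name, value, None))
    return findings


def assess(raw: bytes) -> dict:
    """Summarise what a response reveals about the server stack."""
    findings = find_disclosures(parse_headers(raw))
    version_leaks = sum(1 for _, _, version in findings if version is not None)
    if version_leaks:
        verdict = "discloses software versions"
    elif findings:
        verdict = "discloses product names only"
    else:
        verdict = "no server/platform identity disclosed"
    return {"disclosures": findings, "version_leaks": version_leaks, "verdict": verdict}


# Constructed response: Server line mirrors the Netcraft row in the post,
# the X-* lines are assumed for illustration.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 26 Apr 2008 12:00:00 GMT\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed response from a server configured not to identify itself.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 26 Apr 2008 12:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = assess(raw)
        print(f"{label}: {result['verdict']}")
        for header, product, version in result["disclosures"]:
            print(f"  {header}: {product} {version or '(no version)'}")
```

Two caveats worth keeping in mind when acting on the output. On IIS 6.0 the `Server` header is not a setting exposed in the IIS manager; the usual way to strip it at the time was the URLScan filter's `RemoveServerHeader=1` option (an assumption about the deployment, not something the post confirms was in use). And the "F5 Big-IP" entry in the OS column is a TCP/IP stack fingerprint of the load balancer, not a header, so header hygiene alone will not make that column read "unknown".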



Microsoft Security Response Center emails me back with this...


After further investigation, the information that we received from the HTTP response does not contain any unnecessary disclosure of information. Some information is okay and expected to be disclosed, even though it may give specific version information and potentially assist in reconnaissance. Version and application information are okay for the webserver or any other web-facing system. We would be more concerned if the information being disclosed contained database server information or any personally identifiable information such as passwords, etc.

Therefore this is not a security vulnerability and we are going to close this case. In the future, if you find any specific health information or disclosure of SQL tables, etc. please let us know.

Thanks again for your report and please let me know if you have any further question or concern.
------
My last email to Microsoft Security Response Center
Hi

Thank you for the email back
Thank you as well for looking into this.

I will say, however, that it is better if web server and OS version information is not disclosed.
Yes, I do know that some information needs to be disclosed, but version information is optional.

Regards,