4

I know we can detect the major version and SP version from user-agent string.

However, I need to distinguish between Revisions as well, i.e.

2.0 RTM (x86)   2.0.50727.42  
2.0 RTM (Vista) 2.0.50727.312  
2.0 (KB928365)  2.0.50727.832

are different to me, and they get reported in user-agent like this: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 3.5.30707; InfoPath.1; el-GR)

( http://en.wikipedia.org/wiki/List_of_.NET_Framework_versions )

Any method is acceptable (Silverlight, Flash, Java etc.), as long as it does not require user interaction.

Update: Almost there... Signed .NET ActiveX works on Medium security level (i.e. in Intranet), does not work in Internet setting.

Hosting Windows Forms in IE seems to work the same way. If only I can find how to specify that i don't need high trust to work...

wizzard0
  • 1,883
  • 1
  • 15
  • 38

2 Answers2

0

I believe the only two ways to determine patch level is to either check the file versions themselves or to read a registry key.

Either way, from my limited research (2 minutes) it sounds pretty hard to do. You might be able to write an ActiveX control to do this though.

NotMe
  • 87,343
  • 27
  • 171
  • 245
  • Yes, a simple ActiveX which is a COM-wrapped .NET assembly will do the trick. But the statistics counter which asks the user to launch AX (at least until the cookie is set) is an overkill, IMHO :) – wizzard0 Jan 28 '11 at 20:36
  • 1
    @wizzard0: BTW, as a user I'm not sure I'd like a website I visit to know my patch level. This information could be used by the remote server in order to customize attack code. – NotMe Jan 28 '11 at 20:39
  • Well, I've made a **signed** ActiveX, and while it does the trick, it still pops a warning box the first time you visit the page... :( – wizzard0 Jan 28 '11 at 21:41
0

It's trivial to create a browser applet in .NET. There might be a few security settings in the way, but since you said that any method is acceptable, this should work as well. From there you've got a fully working .NET app embedded in the browser. Just detect the version like you normally would.

Added: I think you could also somehow specify that you don't need full trust, which would ease the security problems.

Vilx-
  • 104,512
  • 87
  • 279
  • 422