What? I was trying to access my bank’s web page but instead of the page I was presented with this message. Is the web site down? Nope, doesn’t seem to be. It pings with no problem. I’m firing up Firefox, and voila – the web page appears before my eyes. Is something wrong with IE? Did I unknowingly install a rogue browser extension, spyware or adware? The fact that it’s a bank’s site made me suspicious.
Or is it just IE8? I’m trying compatibility mode – nope, the same result. Trying IE8 from another machine. Works like a charm! This is starting to look very troubling. OK, it’s time for serious investigation.
Perhaps Autoruns can tell me what’s going on? It’s a Sysinternals tool. I’m looking through IE BHOs, Winsock providers, other stuff that’s in there. Nothing stands out. Everything looks normal.
Perhaps it’s the anti-virus? Or VMware network services? Shutting everything down. Still nothing.
OK, let’s take a look at what happens at the network level. Launching Wireshark. Capturing some network packets and what am I seeing? IE8 sends a DNS query for the bank’s site. The query resolves OK. Then it establishes the connection: SYN, SYN+ACK, ACK – so far so good. Then it sends HTTP GET. And the very next packet it receives from the site is RST. No wonder it can’t display the web page! The site just drops the connection.
I’m relieved. At least it’s not spyware.
But why the hell does it drop the connection on IE8 whereas Firefox works just fine? It must be something with the User Agent string. I’m looking at the string and I can’t believe how long it is. There’s all sorts of crap in there:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 1.1.4322; Origami Experience 1.1; .NET CLR 3.5.21022; Zune 3.0; .NET CLR 3.5.30729; .NET CLR 3
In fact, it’s so long that IE doesn’t even send the whole string.
Time to fix it. I quickly find the user agent in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
Delete everything, leaving just a single entry for CLR 2 and CLR 3. Restart IE. And… Tada! The web page displays correctly.
So the user agent string was too long for the web server to handle. Maybe it thought I was trying to DoS it? Or better yet, it was running into a buffer overflow. I don’t know. But it certainly looks like a bad piece of software that site runs on.
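The pattern seen in the capture above (handshake completes, the client sends its HTTP request, the server answers with RST instead of a response) can be searched for mechanically, together with the length of the User-Agent header that was sent. This is an added example, not part of the original post: the packet record layout, the host name bank.example and the User-Agent tokens are constructed assumptions.

```python
import re

METHODS = (b"GET ", b"POST ", b"HEAD ")
UA_RE = re.compile(rb"^User-Agent:[ \t]*(.*?)\r?$", re.I | re.M)

def resets_after_request(packets):
    """Find streams where the server's reaction to an HTTP request is a RST,
    with no response bytes in between (bare ACKs are tolerated)."""
    pending, findings = {}, []          # pending: stream id -> request bytes
    for stream, direction, flags, payload in packets:
        if direction == "c2s":
            if payload.startswith(METHODS):
                pending[stream] = payload
            continue
        request = pending.get(stream)
        if request is None:
            continue                    # RST or data unrelated to a request
        if "RST" in flags.split(","):
            ua = UA_RE.search(request)
            findings.append({
                "stream": stream,
                "request_line": request.split(b"\r\n", 1)[0].decode("latin-1"),
                "user_agent_len": len(ua.group(1)) if ua else 0,
            })
            del pending[stream]
        elif payload:
            del pending[stream]         # server answered with data
    return findings

def http_get(user_agent):
    return (b"GET / HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: "
            + user_agent + b"\r\n\r\n")

# Constructed sample data (not taken from the capture in the post).
UA_LONG = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; "
           + "; ".join("Addon%d 1.0" % i for i in range(30)) + ")").encode()
UA_SHORT = b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
PACKETS = [  # (stream id, direction, TCP flags, payload)
    (0, "c2s", "SYN", b""), (0, "s2c", "SYN,ACK", b""), (0, "c2s", "ACK", b""),
    (0, "c2s", "PSH,ACK", http_get(UA_LONG)),
    (0, "s2c", "RST", b""),
    (1, "c2s", "SYN", b""), (1, "s2c", "SYN,ACK", b""), (1, "c2s", "ACK", b""),
    (1, "c2s", "PSH,ACK", http_get(UA_SHORT)),
    (1, "s2c", "ACK", b""),
    (1, "s2c", "PSH,ACK", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for f in resets_after_request(PACKETS):
        print(f)
```

Comparing `user_agent_len` between the reset streams and the ones that got a normal response is what points at the header as the trigger.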
1 comment:
Your entry has helped me to solve a similar problem. Thanks!