Interesting read on iFrame exploits

On Feb. 27th, a site I visit daily had an iFrame exploit placed on the site. He wrote an easy to read article on it and I thought it was interesting. Enjoy .
http://windowssecrets.com/2008/03/06/woody

 

Nice article with a bit of technical info. It also shows you how to spot IFRAMES trying to pull content from malicious servers. If you're using NoScript + Firebug and see an IFRAME with tons of garbage inside it (lots of characters, random numbers, etc), run away from that site.
You can also block them forever with NoScript.

 

Thanks. You've also reminded me to take some time and get more familiar with NoScript. What effect would blocking IFRAME have on normal browsing. The article mentions that it could be used for ads. Should I just give it a try for a while? I understand that my trusted sites won't be blocked.

 

I think so. In my experience, blocking IFRAMES never resulted in breaking some site's features. It seems that IFRAMES are mainly used to pull content from 3rd-party sites.
Remember that NoScript is your first layer of security. If it's used properly:
- Malicious IFRAMES won't pull malicious content.
- Malicious scripts won't trigger vulnerable functions.
- Malicious websites won't load/execute plug-ins which may have known (in the case of a outdated version) or unknown (in the case of a 0-day) vulnerabilities.
- You'll get the most advanced XSS protection (mostly theoretical at this time I would say)

 

Thanks, I'll give it a try. That makes all five boxes ticked now . I also have to keep reminding myself that most of the time, the malicious content is looking for a hole in unpatched software. If it's a new nasty and finds a hole, then Sandboxie should contain it. I'm really starting to get a grip on my layers . Thanks Lucas.

 

Have had NoScript for a long time and never noticed the IFrame box (DUH!).
Thanks for the info and, so far, have not noticed any negatives while browsing. The question I have; is an IFrame that is blocked by NoScript the same thing as the frames you would see listed when you open up the blockable items list in Adblock plus?

 

There is a bit of overlap between them, but ABP will block ad-related material while NS will block all content.

Correct. Holes in unpatched software, software misconfiguration (example: set IE to install all ActiveX), malicious downloads (cracks, software of dubious origins, untrusted download sites, "free screensavers", IM add-ons, etc) and social engineering ("launch this file", "install this codec", "you're infected, click this link to clean up", "see my picture", "naked girls, click here") are the main vectors of infections. And this malicious content rarely appear on "mainstream" sites (unless they get hacked)
0-day exploits (i.e. the bad guys discover a vulnerability which is unknown to the software vendor or a vulnerability w/PoC is acknowledged by a vendor before the releasing of a patch) are rare.
That's why I always like to link to this article

Correct.

Very good. The concept of layers refers to how many doors a sample of malware must open in order to infect a machine and survive. You can have a good number of strong doors (common sense, NoScript, patched software, LUA, data backups, imaging, etc) without even using security software.
You can see this concept of "doors" in threads like this "My AV says that I have TrojanDownloader.xx in the TIF folder. Am I infected?" You may be infected, but there are high chances that you're clean because that malware might not have opened the necessary doors (poorly coded malware, exploiting a patched vulnerability, DEP, the AV nailed it, etc)

 

Thanks! I need to take the time and read that article. My main internet activities are browsing and streaming radio with winamp. I'm covered well in that area so my main danger comes from downloads but I take the usual precautions.

Your link was a very good read and as usual, you post great, easy to understand information. Thanks for your help and your posts . They should be required reading

innerpeace

 

Thanks I put a little work on them, because I like to show all the information available in a concise manner. It's frustrating (at least for me) to get the information in tiny pieces distributed everywhere.

LOL, I don't think that but it's nice to see that my "work" (fighting with English words and grammar ) is appreciated.

 

Your welcome. It's easy to see the effort you put in your posts. I think you help more people than you could imagine.

Well I think so and I do appreciate your "work". Also, don't worry about your English, it is perfect.

Cheers,
innerpeace

 

Blocking I-Frames can break a few sites. I use Proxomitron to block them globally, while permitting only the ones on a certain Proxomitron list. So far there aren't many on the list. One for example is kijiji.ca. If you block I-Frames here, then change the city, you lose the catagory you were in.