Iframe intrusion protection

Discussion in 'other anti-malware software' started by Kees1958, Dec 5, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    This weekend I have polished my setup of the old slow single core play XP Pro machine. Due to LUA + SRP (deny userspace) + ACL (some HKU registry keys) + Group Policy (locked IE8 for all security features + browser extensions + spyware vulnerable settings like start page, search page etc). With Avast (only behavioral and file shield with no check on open docs) + Keyscrambler free + Windows Firewall, I have pretty much covered everything except Iframe intrusions.

    Do any of you know what free security add-ons, programs this provides:
    I know AVG linkscanner has it, any others (preferably very light programs).

    Note: I do surf with ChromePlus for daily browsing, but do my internet banking with IE8.

    Thanks

    Kees
     
  2. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi Kees,

    why don't you try Proxomitron with sidki ruleset - it works perfect - is free and very light.
    With sidki ruleset Proxomitron by default blocks any flash/time/iframe/etc elements on the websites:
    iframe2.png
    iframe1.png
     
  3. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    IMHO avast's webshield has been very successful against these.
     
  4. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    By what I understand there are at least two free security apparatus that will provide you with Iframe protection, and they are: Comodo Internet Security Suite and Outpost Firewall (free version) with its host protection.

    With the Outpost paid version it is even better by using its web control component and blocking hidden frames. I really do not know yet about OA free, but I'm checking it out. I hope that helps.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Kees1958,
    In Opera you can block/unblock iframes on a per-site basis, having them blocked overall previously.
    In IE8 - it works by the zones:
    Security, pick Internet zone, custom settings. Start scrolling through the long list. Under Miscellaneous is a "Launching programs and files in IFRAME" - can be set to Disable. Similar setting for Trusted zone. Would that do what you need? Or are you asking for something more difficult/exotic/serious than this (in which case I can't possibly answer, no skills.)

    For new people trying to learn (me), I would not mind hearing a few detailed explanations here :)
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Creer, what's supposed to happen when I click any of your links in the display you showed above (not in the Attachment links shown in this quote)? Or what's not supposed to happen please.
     
  7. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Well, I know for sure that noscript handles them wonderfully. Plus it's as customisable as it gets, as to what you control to be shown.. and iirc proxomitron is another great option. Whatever fits your needs mate. Cheers
     


  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Guys, thanks

    Thanks for suggesting other browsers, but IE8 can be trimmed to your security wishes when you run XP Pro and have group policy editor.

    Act8192,

    I found the group policy rule to allow/warn/block against executable code in Iframe's. I will set it up in policy template (depending on the zone), thanks a lot.


    VLK

    First compliments to your avast5, it is the only AV I used which does check on execute (besides check on write). The transient and persistent cache work very well. When using the OS its protection only, it is all cached in the persistent cache, so no slow down on this single core PC (that is why I was playing with LUA+SRP+ACL+group policy).
    Secondly, I thought Webshield was just a blacklist mechanism, does it do some proactive checking on Iframes?

    @All

    Thanks for your suggestions

    Regards Kees
     
    Last edited: Dec 6, 2009
  9. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Can anybody explain how to block iframe in Google Chrome browser, please?

    (I know, I know, if I'm worried about privacy I shouldn't be using Google Chrome in the first place :rolleyes: )
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The default Proxomitron rules have an option that converts iframes to links. Open them only if you want to.

    I don't know if Chrome can be set to connect through a local proxy. If it can be, Proxomitron will work.
     
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    noscript only provides a checkbox. By forbidding iframes, you'll wreck the page display for many legitimate sites.

    Via one or several proxomitron filters targeting iframe tags, you can employ fine-grained control. For example:

    only disturb iframe on a specific site, based on its content:

    URL = "[^/]++.deviantart.com/"
    Match = "<iframe*(ads.deviantart.com|adclick.php|adframe.php)*</iframe>"

    only disturb iframe on a specific site (note -- iframe is created by an embedded script):

    URL = "[^/]++.ebay.com/"
    Bounds = "<script*</script>"
    Limit = 4096
    Match = "*writeSearchAd*"
    Replace = "\n<!-- ======== ad iframe nixed ======== -->\n"

    resize/shrink iframe on a specific site
    (note -- removing the iframe entirely or disabling scripting within iframe will break jigzone pages):

    URL = "[^/]++jigzone.com/"
    Bounds = "<iframe*>"
    Match = "\1 height=$AVQ(\3) \2"
    Replace = "\1 height='1' \2"

    any site: convert iframe to link

    Bounds = "<iframe*</iframe>"
    Match = "<(iframe|ilayer)\0*src=$AVQ(\1)*"
    Replace = "<font size=1><a target=_blank href=\1 >[\0]</a></font>"


    Dealing with the issue via proxomitron can provide a solution across all browsers ;)
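
The "any site: convert iframe to link" filter above, re-expressed in Python as an added example (it is not part of the original post and is not Proxomitron code; the function names and the sample page are constructed). It goes a little beyond the filter: the src value is entity-decoded and HTML-escaped before it is reused, and a src with a scheme other than http(s) is shown as text instead of becoming a clickable link.

```python
import re
from html import escape, unescape

# Whole element, like the filter's Bounds = "<iframe*</iframe>".
FRAME = re.compile(r"<(iframe|ilayer)\b([^>]*)>.*?</\1\s*>", re.I | re.S)
# Attribute value: double-quoted, single-quoted or bare.
ATTR = r"""(?<![\w-]){name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""

# Constructed sample page (not from the thread).
SAMPLE = (
    "<p>hi</p>"
    '<iframe src="http://ads.example/adframe.php?a=1&amp;b=2" width=0 height=0></iframe>'
    "<IFRAME SRC='javascript:void(0)'>fallback</IFRAME>"
    '<iframe src=/local/page.html width="300"></iframe>'
)


def attr(attrs, name):
    """Value of attribute `name` in a raw attribute string, entity-decoded, or ""."""
    m = re.search(ATTR.format(name=name), attrs, re.I)
    return unescape(next(g for g in m.groups() if g is not None)) if m else ""


def link_scheme_ok(src):
    """True for http(s) and relative URLs; False for javascript:, data: and the rest."""
    compact = re.sub(r"[\x00-\x20]", "", src)  # browsers skip these when reading the scheme
    m = re.match(r"([a-z][a-z0-9+.\-]*):", compact, re.I)
    return m is None or m.group(1).lower() in ("http", "https")


def iframes_to_links(html):
    """Return (rewritten_html, findings); findings holds (tag, src, hidden) per frame."""
    findings = []

    def repl(m):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = attr(attrs, "src")
        # Assumption: a 0- or 1-pixel width/height marks a "hidden" frame.
        hidden = any(attr(attrs, k) in ("0", "1") for k in ("width", "height"))
        findings.append((tag, src, hidden))
        shown = escape(src, quote=True)
        if not link_scheme_ok(src):
            return f"<font size=1>[{tag} blocked: {shown}]</font>"
        return f'<font size=1><a target=_blank href="{shown}">[{tag}]</a></font>'

    return FRAME.sub(repl, html), findings


if __name__ == "__main__":
    print(iframes_to_links(SAMPLE)[0])
```

Like the filter's Bounds, the pattern only matches a frame that has a closing tag, so an unclosed iframe passes through unchanged.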
     
  12. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    When I click on iFrame then iFrame will open.
    It works very similar to flash objects e.g. on youtube - then there will be flash objects, to play I have to click on the "box" called Flash.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Use chromeplus or iron. These are chrome variants without the privacy issues. chrome plus has some nice extra options
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Note that this prevents the content of the i-frame from displaying in the web page. However, code may or may not run, depending on what it is.

    I upload check.js, and create a HTML page with inline frame code:

    Code:
    <i frame src="http://www.urs2.net/rsj/check.js"></i frame>
    

    I disable inline frames for the page:


    This prevents contents of the .js file from being displayed as an inline frame, however, the file still caches:

    opera-i-frame.gif

    The file cannot execute automatically, of course, but this shows that code in an i-frame can run in this situation and cache a potentially malicious file.

    ----
    rich
     
  15. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi Rmus,

    after entering on page: http://www.urs2.net/rsj/check.js
    I see this (Opera browser, IFrame enabled - running Proxomitron with sidki ruleset):
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks to ACT8192, I get a warning through enforced Group Policy, when navigating to that web address (thanks Rich for providing)
     


  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Note that the test is not to navigate directly to the .js file, but to have it attempt to load using i-frame, as I showed above.

    Some security solutions will block the file from executing, yet still allow the page to cache.

    You should check your browser cache following the test.

    Note, as I mentioned in my earlier post, if the file fails to load in the i-frame, yet still caches, it won't run automatically of course. But this is just to show that the file has intruded, which was the title of Kees' thread.


    ----
    rich
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks rich, it was not cached.
     
  19. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    why is it that you do banking with IE8, although chromeplus has IE tabs?
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Keyscrambler free for IE8
     