topic Re: IE 7 code injection - CSA tune in Network Security

IE 7 code injection - CSA tune

Thor-Ryan — Sun, 10 Mar 2019 10:17:31 GMT

I'm running CSA 451 r649.

IE 7 likes to inject code from IEFRAME.DLL into all processes when a user clicks on one of the drop-down menus in the IE 7 GUI.

We need a better solution than the default query rule triggered in the example below, since CSA caches the user response and for the next hour iexplore.exe will be allowed to inject code from anywhere into other apps.

Does anyone have a secure dyno-tune they can share that would allow the following behavior?

"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user MYPC\User) attempted to insert code ('C:\WINDOWS\system32\IEFRAME.dll') into another process. All processes were targeted. The user was queried and a 'No' response was received."

Re: IE 7 code injection - CSA tune

scothrel — Tue, 24 Oct 2006 15:31:07 GMT

I don't have a tuning for you, but I can tell you what its doing (I reported the issue to Microsoft back in July...after much back and forth, they determined it was "external" to IE and not their problem). The code injection enables the drop-down menus in IE7. Examples are the Favorites button in the upper left and the "Page" and "Tools" buttons in the upper right. You can see this if you answer the "allow this?" query with "No, and kill the process"...you'll see IE7 die after the first access to the buttons.

BTW: I don't work with the CSA team, I was asked to check out IE7 with IDM and IEV for the IPS product.

Scott

Re: IE 7 code injection - CSA tune

Thor-Ryan — Thu, 26 Oct 2006 18:52:49 GMT

I also contacted the IE 7 beta team, documented the issue for them, and they claimed it was a problem with CSA.

Re: IE 7 code injection - CSA tune

tsteger1 — Thu, 26 Oct 2006 19:11:33 GMT

I don't seem to be getting this event with either CSA 4.0.3 or 5.1. Is it specific to 4.5.x?

Thanks

Tom S

Re: IE 7 code injection - CSA tune

RichardSW — Thu, 26 Oct 2006 20:33:06 GMT

Coincidentally, a co-worker of mine had a popup blocker on his local machine, which does not have CSA installed. It kept warning about IEFRAME.DLL trying to open a Trusted Site. I highly doubt this is a CSA issue, but rather a weird technique the MS programmers are using. I'm sure there will be many flaws found for that dll when IE7 goes mainstream.

Re: IE 7 code injection - CSA tune

Thor-Ryan — Fri, 27 Oct 2006 17:53:05 GMT

Good question. We only run 4.51 here. Has anyone else experienced this on 4.03 or 5.0/5.1?

Re: IE 7 code injection - CSA tune

nodayoda3k — Thu, 02 Nov 2006 09:38:47 GMT

I confirm, same with 5.1-74.

Re: IE 7 code injection - CSA tune

tsteger1 — Mon, 06 Nov 2006 05:28:14 GMT

Same error or no error?

Re: IE 7 code injection - CSA tune

nodayoda3k — Mon, 06 Nov 2006 08:01:05 GMT

Same warning from CSA 5.1 about iframe injecting.

Re: IE 7 code injection - CSA tune

tsteger1 — Mon, 06 Nov 2006 22:06:25 GMT

I am curious about what is different in my setup. I have all desktop type policies enabled and am not in test mode. I installed over a customized version of IE6.

I am running IE 7 (released version) on CSA 4.0.3-737 and 5.1-074 on Windows XP SP2 fully patched machines and do not get these messages.

What is the rule description and type that is triggering these messages?

What version of IEframe.dll? (I have 7.0.5730.11)

Did these machines have the a pre-release version of IE7 installed?

Thanks

Tom S

Re: IE 7 code injection - CSA tune

scothrel — Tue, 07 Nov 2006 19:06:44 GMT

In my case, yes...it was a prerelease version of IE 7 installed over XP-SP2.

Re: IE 7 code injection - CSA tune

tsteger1 — Tue, 07 Nov 2006 23:25:54 GMT

We had several issues with pre-release versions that we don't have in the released version.

Re: IE 7 code injection - CSA tune

Thor-Ryan — Wed, 08 Nov 2006 01:06:05 GMT

I have experienced this issue with the final release of IE 7 on WinXP SP2, fully patched, running CSA 4.51 r649.