10-23-2006 01:31 PM - edited 03-10-2019 03:17 AM
I'm running CSA 451 r649.
IE 7 likes to inject code from IEFRAME.DLL into all processes when a user clicks on one of the drop-down menus in the IE 7 GUI.
We need a better solution than the default query rule triggered in the example below, since CSA caches the user response and for the next hour iexplore.exe will be allowed to inject code from anywhere into other apps.
Does anyone have a secure dyno-tune they can share that would allow the following behavior?
"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user MYPC\User) attempted to insert code ('C:\WINDOWS\system32\IEFRAME.dll') into another process. All processes were targeted. The user was queried and a 'No' response was received."
10-24-2006 08:31 AM
I don't have a tuning for you, but I can tell you what its doing (I reported the issue to Microsoft back in July...after much back and forth, they determined it was "external" to IE and not their problem). The code injection enables the drop-down menus in IE7. Examples are the Favorites button in the upper left and the "Page" and "Tools" buttons in the upper right. You can see this if you answer the "allow this?" query with "No, and kill the process"...you'll see IE7 die after the first access to the buttons.
BTW: I don't work with the CSA team, I was asked to check out IE7 with IDM and IEV for the IPS product.
Scott
10-26-2006 11:52 AM
I also contacted the IE 7 beta team, documented the issue for them, and they claimed it was a problem with CSA.
10-26-2006 01:33 PM
Coincidentally, a co-worker of mine had a popup blocker on his local machine, which does not have CSA installed. It kept warning about IEFRAME.DLL trying to open a Trusted Site. I highly doubt this is a CSA issue, but rather a weird technique the MS programmers are using. I'm sure there will be many flaws found for that dll when IE7 goes mainstream.
10-26-2006 12:11 PM
I don't seem to be getting this event with either CSA 4.0.3 or 5.1. Is it specific to 4.5.x?
Thanks
Tom S
10-27-2006 10:53 AM
Good question. We only run 4.51 here. Has anyone else experienced this on 4.03 or 5.0/5.1?
11-02-2006 01:38 AM
I confirm, same with 5.1-74.
11-05-2006 09:28 PM
Same error or no error?
11-06-2006 12:01 AM
Same warning from CSA 5.1 about iframe injecting.
11-06-2006 02:06 PM
I am curious about what is different in my setup. I have all desktop type policies enabled and am not in test mode. I installed over a customized version of IE6.
I am running IE 7 (released version) on CSA 4.0.3-737 and 5.1-074 on Windows XP SP2 fully patched machines and do not get these messages.
What is the rule description and type that is triggering these messages?
What version of IEframe.dll? (I have 7.0.5730.11)
Did these machines have the a pre-release version of IE7 installed?
Thanks
Tom S
11-07-2006 11:06 AM
In my case, yes...it was a prerelease version of IE 7 installed over XP-SP2.
11-07-2006 03:25 PM
We had several issues with pre-release versions that we don't have in the released version.
11-07-2006 05:06 PM
I have experienced this issue with the final release of IE 7 on WinXP SP2, fully patched, running CSA 4.51 r649.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: