Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IE 7 code injection - CSA tune

I'm running CSA 451 r649.

IE 7 likes to inject code from IEFRAME.DLL into all processes when a user clicks on one of the drop-down menus in the IE 7 GUI.

We need a better solution than the default query rule triggered in the example below, since CSA caches the user response and for the next hour iexplore.exe will be allowed to inject code from anywhere into other apps.

Does anyone have a secure dyno-tune they can share that would allow the following behavior?

"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user MYPC\User) attempted to insert code ('C:\WINDOWS\system32\IEFRAME.dll') into another process. All processes were targeted. The user was queried and a 'No' response was received."

12 REPLIES
Cisco Employee

Re: IE 7 code injection - CSA tune

I don't have a tuning for you, but I can tell you what its doing (I reported the issue to Microsoft back in July...after much back and forth, they determined it was "external" to IE and not their problem). The code injection enables the drop-down menus in IE7. Examples are the Favorites button in the upper left and the "Page" and "Tools" buttons in the upper right. You can see this if you answer the "allow this?" query with "No, and kill the process"...you'll see IE7 die after the first access to the buttons.

BTW: I don't work with the CSA team, I was asked to check out IE7 with IDM and IEV for the IPS product.

Scott

New Member

Re: IE 7 code injection - CSA tune

I also contacted the IE 7 beta team, documented the issue for them, and they claimed it was a problem with CSA.

New Member

Re: IE 7 code injection - CSA tune

Coincidentally, a co-worker of mine had a popup blocker on his local machine, which does not have CSA installed. It kept warning about IEFRAME.DLL trying to open a Trusted Site. I highly doubt this is a CSA issue, but rather a weird technique the MS programmers are using. I'm sure there will be many flaws found for that dll when IE7 goes mainstream.

Blue

Re: IE 7 code injection - CSA tune

I don't seem to be getting this event with either CSA 4.0.3 or 5.1. Is it specific to 4.5.x?

Thanks

Tom S

New Member

Re: IE 7 code injection - CSA tune

Good question. We only run 4.51 here. Has anyone else experienced this on 4.03 or 5.0/5.1?

New Member

Re: IE 7 code injection - CSA tune

I confirm, same with 5.1-74.

Blue

Re: IE 7 code injection - CSA tune

Same error or no error?

New Member

Re: IE 7 code injection - CSA tune

Same warning from CSA 5.1 about iframe injecting.

Blue

Re: IE 7 code injection - CSA tune

I am curious about what is different in my setup. I have all desktop type policies enabled and am not in test mode. I installed over a customized version of IE6.

I am running IE 7 (released version) on CSA 4.0.3-737 and 5.1-074 on Windows XP SP2 fully patched machines and do not get these messages.

What is the rule description and type that is triggering these messages?

What version of IEframe.dll? (I have 7.0.5730.11)

Did these machines have the a pre-release version of IE7 installed?

Thanks

Tom S

Cisco Employee

Re: IE 7 code injection - CSA tune

In my case, yes...it was a prerelease version of IE 7 installed over XP-SP2.

Blue

Re: IE 7 code injection - CSA tune

We had several issues with pre-release versions that we don't have in the released version.

New Member

Re: IE 7 code injection - CSA tune

I have experienced this issue with the final release of IE 7 on WinXP SP2, fully patched, running CSA 4.51 r649.

236
Views
17
Helpful
12
Replies
CreatePlease login to create content