IE 7 code injection - CSA tune

Thor-Ryan · ‎10-23-2006

I'm running CSA 451 r649.

IE 7 likes to inject code from IEFRAME.DLL into all processes when a user clicks on one of the drop-down menus in the IE 7 GUI.

We need a better solution than the default query rule triggered in the example below, since CSA caches the user response and for the next hour iexplore.exe will be allowed to inject code from anywhere into other apps.

Does anyone have a secure dyno-tune they can share that would allow the following behavior?

"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user MYPC\User) attempted to insert code ('C:\WINDOWS\system32\IEFRAME.dll') into another process. All processes were targeted. The user was queried and a 'No' response was received."

scothrel · ‎10-24-2006

I don't have a tuning for you, but I can tell you what its doing (I reported the issue to Microsoft back in July...after much back and forth, they determined it was "external" to IE and not their problem). The code injection enables the drop-down menus in IE7. Examples are the Favorites button in the upper left and the "Page" and "Tools" buttons in the upper right. You can see this if you answer the "allow this?" query with "No, and kill the process"...you'll see IE7 die after the first access to the buttons.

BTW: I don't work with the CSA team, I was asked to check out IE7 with IDM and IEV for the IPS product.

Scott

Thor-Ryan · ‎10-26-2006

I also contacted the IE 7 beta team, documented the issue for them, and they claimed it was a problem with CSA.

RichardSW · ‎10-26-2006

Coincidentally, a co-worker of mine had a popup blocker on his local machine, which does not have CSA installed. It kept warning about IEFRAME.DLL trying to open a Trusted Site. I highly doubt this is a CSA issue, but rather a weird technique the MS programmers are using. I'm sure there will be many flaws found for that dll when IE7 goes mainstream.

tsteger1 · ‎10-26-2006

I don't seem to be getting this event with either CSA 4.0.3 or 5.1. Is it specific to 4.5.x?

Thanks

Tom S

Thor-Ryan · ‎10-27-2006

Good question. We only run 4.51 here. Has anyone else experienced this on 4.03 or 5.0/5.1?

nodayoda3k · ‎11-02-2006

I confirm, same with 5.1-74.

tsteger1 · ‎11-05-2006

Same error or no error?

nodayoda3k · ‎11-06-2006

Same warning from CSA 5.1 about iframe injecting.

tsteger1 · ‎11-06-2006

I am curious about what is different in my setup. I have all desktop type policies enabled and am not in test mode. I installed over a customized version of IE6.

I am running IE 7 (released version) on CSA 4.0.3-737 and 5.1-074 on Windows XP SP2 fully patched machines and do not get these messages.

What is the rule description and type that is triggering these messages?

What version of IEframe.dll? (I have 7.0.5730.11)

Did these machines have the a pre-release version of IE7 installed?

Thanks

Tom S

scothrel · ‎11-07-2006

In my case, yes...it was a prerelease version of IE 7 installed over XP-SP2.

tsteger1 · ‎11-07-2006

We had several issues with pre-release versions that we don't have in the released version.

Thor-Ryan · ‎11-07-2006

I have experienced this issue with the final release of IE 7 on WinXP SP2, fully patched, running CSA 4.51 r649.