I'm running CSA 451 r649.
IE 7 likes to inject code from IEFRAME.DLL into all processes when a user clicks on one of the drop-down menus in the IE 7 GUI.
We need a better solution than the default query rule triggered in the example below, since CSA caches the user response and for the next hour iexplore.exe will be allowed to inject code from anywhere into other apps.
Does anyone have a secure dyno-tune they can share that would allow the following behavior?
"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user MYPC\User) attempted to insert code ('C:\WINDOWS\system32\IEFRAME.dll') into another process. All processes were targeted. The user was queried and a 'No' response was received."
I don't have a tuning for you, but I can tell you what it's doing (I reported the issue to Microsoft back in July...after much back and forth, they determined it was "external" to IE and not their problem). The code injection enables the drop-down menus in IE7. Examples are the Favorites button in the upper left and the "Page" and "Tools" buttons in the upper right. You can see this if you answer the "allow this?" query with "No, and kill the process"...you'll see IE7 die after the first access to the buttons.
BTW: I don't work with the CSA team, I was asked to check out IE7 with IDM and IEV for the IPS product.
Coincidentally, a co-worker of mine had a popup blocker on his local machine, which does not have CSA installed. It kept warning about IEFRAME.DLL trying to open a Trusted Site. I highly doubt this is a CSA issue, but rather a weird technique the MS programmers are using. I'm sure there will be many flaws found for that dll when IE7 goes mainstream.
I am curious about what is different in my setup. I have all desktop type policies enabled and am not in test mode. I installed over a customized version of IE6.
I am running IE 7 (released version) on CSA 4.0.3-737 and 5.1-074 on Windows XP SP2 fully patched machines and do not get these messages.
What is the rule description and type that is triggering these messages?
What version of IEframe.dll? (I have 7.0.5730.11)
Did these machines have a pre-release version of IE7 installed?