RE: iframe tag attack

Thanks -- I pulled out part of your text that I want to review against
the "safe" browsing modes that are being discussed
 
iframe is doing things where a site which is trusted/identified in one
way is loading content from a site that is not trusted
 
Bill D.

 

________________________________

	From: Mike Beltzner [mailto:beltzner@mozilla.com] 
	Sent: Wednesday, June 20, 2007 1:54 AM
	To: Rachna Dhamija
	Cc: public-wsc-wg@w3.org; Doyle, Bill
	Subject: Re: iframe tag attack
	
	
	Using Rachna's unpack (thanks for that!) the way I see it ...
	
	1. is definitely out of scope.
	
	2. is strange - the fact that the site is compromised makes me think this is out of scope, but must any identity mechanisms that we do accept as in scope protect users from these types of problems?
	
	3. feels in scope to me, especially if the iframe is doing things where a site which is trusted/identified in one way is loading content from a site that is not trusted, and then presenting it as part of the trusted site. I understand that this is a common practice amongst websites, but we need some mechanisms for enabling it without enabling this type of compromise as a side effect, IMO. Also, we need a pony.
	
	4. the browser exploits that result in downloaded and installed malware are in scope, but once infected, the effects of that malware are totally out of scope.
	
	imo, fwiw, etc.
	
	cheers,
	mike
	----- Original Message -----
	From: "Rachna Dhamija" <rachna.w3c@gmail.com>
	To: "Bill Doyle" <wdoyle@mitre.org>
	Cc: public-wsc-wg@w3.org
	Sent: Tuesday, June 19, 2007 6:21:18 PM (GMT-0500) America/New_York
	Subject: Re: iframe tag attack
	
	On 6/19/07, Doyle, Bill <wdoyle@mitre.org> wrote: 
	

		This enterprising company seems to have improved productivity.

		New Web Exploit at 10,000 Machines and Growing, Security Company Warns

		Seems to be a user agent issue, is this in or out of scope?


	If we unpack the attack, this question might be easier to answer:

	1) Attacker compromises a web server using malware
	2) User visits a legitimate, but compromised, website that includes malicious iframe
	3) iframe causes browser to be redirected to a site with malicious javascript
	4) malicious javascript detects the browser type and exploits browser vulnerabilities to download code, which then downloads other code (keyloggers, proxy, etc...)
	
	We have ruled 1 out of scope.  How about the rest?  
	
	I am hoping that we can use our list of attacks (i.e., the threat trees) to come to a better understanding on what is in and out of scope.
	
	Rachna
	
	
	

Received on Wednesday, 20 June 2007 11:15:27 UTC