Re: iframe tag attack

Redirecting to the list as well.  -request is for list administrivia.
-- 
Thomas Roessler, W3C  <tlr@w3.org>






On 2007-06-20 20:10:15 +0000, Doyle, Bill wrote:
> From: "Doyle, Bill" <wdoyle@mitre.org>
> To: Dan Schutzer <dan.schutzer@fstc.org>,
> 	Mike Beltzner <beltzner@mozilla.com>,
> 	Rachna Dhamija <rachna.w3c@gmail.com>
> Cc: public-wsc-wg-request@w3.org
> Date: Wed, 20 Jun 2007 20:10:15 +0000
> Subject: RE: iframe tag attack
> X-Spam-Level: 
> Old-Date: Wed, 20 Jun 2007 16:10:06 -0400
> X-Diagnostic: Already on the subscriber list
> X-Diagnostic:  38 wdoyle@mitre.org                   32760 wdoyle@mitre.org
> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.5
> 
> More thoughts.
>  
> "However if a user only downloaded from trusted sites when in safe mode
> (a big if, probably not realistic), then the scenario would be
> defeated"
>  
> User goes out, compromises browser, goes into safe mode, thinks they
> are secure and gives up the farm.
>  
> Looks like it gets back to the expectations that the user agent is
> functioning correctly and not compromised.
>  
> Does "safe" mode also need a user agent provided by a trusted source
> that is restricted to only go to sites that are "trusted"
>  
> Bill 
>  
>  
>  
>  
>  
>  
>  
> 
> 
> 
> ________________________________
> 
> 	From: Dan Schutzer [mailto:dan.schutzer@fstc.org] 
> 	Sent: Wednesday, June 20, 2007 9:24 AM
> 	To: Doyle, Bill; 'Mike Beltzner'; 'Rachna Dhamija'
> 	Cc: public-wsc-wg@w3.org
> 	Subject: RE: iframe tag attack
> 	
> 	
> 
> 	When in safe mode, this threat scenario should be defeated. The
> untrusted site would be rejected; the trusted site would be audited to
> ensure there is sufficient security built-in that their web site is
> unlikely to be compromised. However, when not in the safe mode a user
> would be vulnerable as they can access any site. However if a user only
> downloaded from trusted sites when in safe mode (a big if, probably not
> realistic), then the scenario would be defeated.
> 
> 	 
> 
> 	Dan 
> 
> 	 
> 
> 	
> ________________________________
> 
> 
> 	From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
> 	Sent: Wednesday, June 20, 2007 7:15 AM
> 	To: Mike Beltzner; Rachna Dhamija
> 	Cc: public-wsc-wg@w3.org
> 	Subject: RE: iframe tag attack
> 
> 	 
> 
> 	Thanks -- I pulled out part of your text that I want to review
> against the "safe" browsing modes are being discussed
> 
> 	 
> 
> 	iframe is doing things where a site which is trusted/identified
> in one way is loading content form a site that is not trusted
> 
> 	 
> 
> 	Bill D.
> 
> 	
> 	 
> 
> 		
> ________________________________
> 
> 
> 		From: Mike Beltzner [mailto:beltzner@mozilla.com] 
> 		Sent: Wednesday, June 20, 2007 1:54 AM
> 		To: Rachna Dhamija
> 		Cc: public-wsc-wg@w3.org; Doyle, Bill
> 		Subject: Re: iframe tag attack
> 
> 		Using Rachna's unpack (thanks for that!) the way I see
> it ...
> 		
> 		1. is definitely out of scope.
> 		
> 		2. is strange - the fact that the site is compromised
> makes me think this is out of scope, but must any identity mechanisms
> that we do accept as in scope protect users from these types of
> problems?
> 		
> 		3. feels in scope to me, especially if the iframe is
> doing things where a site which is trusted/identified in one way is
> loading content form a site that is not trusted, and then presenting it
> as part of the trusted site. I understand that this is a common
> practice amongst websites, but we need some mechanisms for enabling it
> without enabling this type of compromise as a side effect, IMO. Also,
> we need a pony.
> 		
> 		4. the browser exploits that result in downloaded and
> installed malware are in scope, but once infected, the effects of that
> malware are totally out of scope.
> 		
> 		imo, fwiw, etc.
> 		
> 		cheers,
> 		mike
> 		----- Original Message -----
> 		From: "Rachna Dhamija" <rachna.w3c@gmail.com>
> 		To: "Bill Doyle" <wdoyle@mitre.org>
> 		Cc: public-wsc-wg@w3.org
> 		Sent: Tuesday, June 19, 2007 6:21:18 PM (GMT-0500)
> America/New_York
> 		Subject: Re: iframe tag attack
> 		
> 		On 6/19/07, Doyle, Bill <wdoyle@mitre.org> wrote: 
> 
> 			This enterprising company seems to have
> improved productivity.
> 
> 			 
> 
> 			New Web Exploit at 10,000 Machines and Growing,
> Security Company Warns
> 
> 			 
> 
> 			Seems to be a user agent issue, is this in or
> out of scope?
> 
> 		
> 		If we unpack the attack, this question might be easier
> to answer:
> 		1) Attacker compromises a web server using malware
> 
> 		2) User visits a legitimate, but compromised, website
> that includes malicious iframe 
> 		3) iframe causes browser to be redirected to a site
> with malicious javascript
> 		4) malicious javascript detects the browser type and
> exploits browser vulnerabilities to download code, which then downloads
> other code (keyloggers, proxy, etc...) 
> 		
> 		We have ruled 1 out of scope.  How about the rest?  
> 		
> 		I am hoping that we can use our list of attacks (i.e.,
> the threat trees) to come to a better understanding on what is in and
> out of scope.
> 		
> 		Rachna
> 		
> 		
> 
> 		 
> 

Received on Friday, 22 June 2007 19:36:56 UTC