Re: iframe tag attack

Redirecting to the list...  -request is for list administrivia.
-- 
Thomas Roessler, W3C  <tlr@w3.org>







On 2007-06-22 19:35:11 +0000, Dan Schutzer wrote:
> From: Dan Schutzer <dan.schutzer@fstc.org>
> To: "'Doyle, Bill'" <wdoyle@mitre.org>,
> 	'Mike Beltzner' <beltzner@mozilla.com>,
> 	'Rachna Dhamija' <rachna.w3c@gmail.com>, dan.schutzer@fstc.org
> Cc: public-wsc-wg-request@w3.org
> Date: Fri, 22 Jun 2007 19:35:11 +0000
> Subject: RE: iframe tag attack
> X-Spam-Level: 
> Old-Date: Fri, 22 Jun 2007 15:34:21 -0400
> X-Diagnostic: Already on the subscriber list
> X-Diagnostic:  38 wdoyle@mitre.org                   32760 wdoyle@mitre.org
> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.5
> 
> Per my draft. This is an issue, but keeping a PC clean of bots and other
> malware is out-of-scope, although I provided some examples of things we
> could do to help defeat this use case.
> 
>  
> 
>   _____  
> 
> From: Doyle, Bill [mailto:wdoyle@mitre.org] 
> Sent: Wednesday, June 20, 2007 4:10 PM
> To: Dan Schutzer; Mike Beltzner; Rachna Dhamija
> Cc: public-wsc-wg-request@w3.org
> Subject: RE: iframe tag attack
> 
>  
> 
> More thoughts.
> 
>  
> 
> "However if a user only downloaded from trusted sites when in safe mode (a
> big if, probably not realistic), then the scenario would be defeated"
> 
>  
> 
> User goes out, compromises browser, goes into safe mode, thinks they are
> secure and gives up the farm.
> 
>  
> 
> Looks like it gets back to the expectations that the user agent is
> functioning correctly and not compromised.
> 
>  
> 
> Does "safe" mode also need a user agent provided by a trusted source that is
> restricted to only go to sites that are "trusted"
> 
>  
> 
> Bill 
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 
>   _____  
> 
> 
> From: Dan Schutzer [mailto:dan.schutzer@fstc.org] 
> Sent: Wednesday, June 20, 2007 9:24 AM
> To: Doyle, Bill; 'Mike Beltzner'; 'Rachna Dhamija'
> Cc: public-wsc-wg@w3.org
> Subject: RE: iframe tag attack
> 
> When in safe mode, this threat scenario should be defeated. The untrusted
> site would be rejected; the trusted site would be audited to ensure there is
> sufficient security built-in that their web site is unlikely to be
> compromised. However, when not in the safe mode a user would be vulnerable
> as they can access any site. However if a user only downloaded from trusted
> sites when in safe mode (a big if, probably not realistic), then the
> scenario would be defeated.
> 
>  
> 
> Dan 
> 
>  
> 
> 
>   _____  
> 
> 
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Doyle, Bill
> Sent: Wednesday, June 20, 2007 7:15 AM
> To: Mike Beltzner; Rachna Dhamija
> Cc: public-wsc-wg@w3.org
> Subject: RE: iframe tag attack
> 
>  
> 
> Thanks -- I pulled out part of your text that I want to review against the
> "safe" browsing modes are being discussed
> 
>  
> 
> iframe is doing things where a site which is trusted/identified in one way
> is loading content form a site that is not trusted
> 
>  
> 
> Bill D.
> 
> 
>  
> 
> 
>   _____  
> 
> 
> From: Mike Beltzner [mailto:beltzner@mozilla.com] 
> Sent: Wednesday, June 20, 2007 1:54 AM
> To: Rachna Dhamija
> Cc: public-wsc-wg@w3.org; Doyle, Bill
> Subject: Re: iframe tag attack
> 
> Using Rachna's unpack (thanks for that!) the way I see it ...
> 
> 1. is definitely out of scope.
> 
> 2. is strange - the fact that the site is compromised makes me think this is
> out of scope, but must any identity mechanisms that we do accept as in scope
> protect users from these types of problems?
> 
> 3. feels in scope to me, especially if the iframe is doing things where a
> site which is trusted/identified in one way is loading content form a site
> that is not trusted, and then presenting it as part of the trusted site. I
> understand that this is a common practice amongst websites, but we need some
> mechanisms for enabling it without enabling this type of compromise as a
> side effect, IMO. Also, we need a pony.
> 
> 4. the browser exploits that result in downloaded and installed malware are
> in scope, but once infected, the effects of that malware are totally out of
> scope.
> 
> imo, fwiw, etc.
> 
> cheers,
> mike
> ----- Original Message -----
> From: "Rachna Dhamija" <rachna.w3c@gmail.com>
> To: "Bill Doyle" <wdoyle@mitre.org>
> Cc: public-wsc-wg@w3.org
> Sent: Tuesday, June 19, 2007 6:21:18 PM (GMT-0500) America/New_York
> Subject: Re: iframe tag attack
> 
> On 6/19/07, Doyle, Bill <wdoyle@mitre.org> wrote: 
> 
> This enterprising company seems to have improved productivity.
> 
>  
> 
> New Web Exploit at 10,000 Machines and Growing, Security Company Warns
> 
>  
> 
> Seems to be a user agent issue, is this in or out of scope?
> 
> 
> If we unpack the attack, this question might be easier to answer:
> 1) Attacker compromises a web server using malware
> 
> 2) User visits a legitimate, but compromised, website that includes
> malicious iframe 
> 3) iframe causes browser to be redirected to a site with malicious
> javascript
> 4) malicious javascript detects the browser type and exploits browser
> vulnerabilities to download code, which then downloads other code
> (keyloggers, proxy, etc...) 
> 
> We have ruled 1 out of scope.  How about the rest?  
> 
> I am hoping that we can use our list of attacks (i.e., the threat trees) to
> come to a better understanding on what is in and out of scope.
> 
> Rachna
> 
>  
> 

Received on Friday, 22 June 2007 19:36:26 UTC