Alert triggered by <iframe> tag

[Howard Ballinger]

Hello, I'm an amateur webmaster and operate a mailing list for an organization. I just sent out an e-mail and when I got my own copy of it back, I got a warning of possible danger when the <iframe> tag -- which I'd just discovered and added to my HTML newsletter -- was detected.

The Avast! dialog had a 'permitted URL' button in it; I clcked that hoping that it would then allow content from my website without futher alarms; but the same alarm keeps popping up when I go to that message.

So here are my questions: (1) how can I let Avast! know that the URL in the frame is premitted? and (2) more generally, is the <iframe> tag not a good idea to use in an e-mail?

Thanks     -- Howard

[MikeBCda]

Hi,

As you've no doubt figured out for yourself, the "possible" danger is no more than that -- the same warning would be triggered by, e.g., any exe attachment as being in a suspicius category.  If there really was an infection involved, avast would sure as heck let you know.

I get those iframe warnings too, typically from Yahoo groups, and I unfortunately haven't yet found how to give "remembered" permission on the fly.  It's rarely clear what the originating URL is. so I've just resigned myself to hitting "Continue" each time if I'm sure it's OK.  And what the heck, if I'm wrong then avast will let me know.

Sorry if this isn't an awful lot of help.

[DavidR]

The iFrame HTML tag is a powerful tool which can import and execute data. Whilst this is fine on a web site for importing dynamic data, it can still be put to malicious purposes as well as good.

It isn't often used in emails and usually for ads, etc. however the potential for harm is great and since avast can't assess that potential at the time of scanning, it has to wait until that content were downloaded (too late) that is why the Heuristics flag it as suspicious.

If you know the remote address/url that the imported data is coming from (and you trust it) you can add that to the permitted URLs in the Heuristics section of the Internet Mail provider.

[alanrf]

I'm wondering about the value of the IFrame alert.

I have received a number of these alerts (like MikeBCda, mainly from Yahoo Groups).

Today one of the folks I support was surprised to see a mailing from the BBC flagged as suspicious - good grief ... if one cannot trust the BBC what is the world coming to? Yes, the mailing contained IFrame.

Since none of the alerts I have ever seen have represented a genuine problem it really amounts to a continuing set of false positives and it does breed, even in me, a reaction to just ignore the warning from avast.  There may well come the day when I ignore a real problem but avast will have contributed to my predicament by creating so many false alarms.

I can uderstand the flagging being a bit more appropriate in the past when, as we discovered, avast had decided not to scan the accesses performed by mail clients when rendering html pages.  Now that avast has reversed that general approach and does scan the accesses in html rendering by mail clients are all the IFrame warnings at all valuable?

[Vlk]

You're right that iFrame attacks are not common any more. But they were VERY common a couple of years ago (think e.g. the Nimda outbreak), especially because there was a critical bug in Outlook and Outlook/Exchange in the rendering of iFrames.

But you're basically right that at this time, it's probably safe to disable iFrame warnings altogether.


Thanks
Vlk

[DavidR]

Or perhaps reassess the iFrame check only being included in the higher sensitivity High or Custom.

Currently there is local iFrame check even in Heuristics Low sensitivity I can't see how this would work as I don't know how you would reference local data from an email iFrame tag.

Currently the Remote iFrame check comes into play on the Heuristics High sensitivity. To remove/disable iFrame checks you really have to dig deep, set the Heuristics sensitivity slider Custom, only then does it enable you to click the customize button and then you can have access to the iFrame checks.

This I think is too deep for the average user, so if you feel it is probably safe to disable the iFrame check perhaps you can rethink how this can be done a little easier. Does it really need the sensitivity to be set to Custom before the customize button is active ? Surely it should be active all the time and if anything is changed the slider could be changed to Custom.

[alanrf]

Vlk,

since the alerts are still being generated in 4.7.871 ... any planned activity to follow-up or were you expecting every user to do it if they wanted to?

[alanrf]

Paging .... Paging ...

Vlk there is a message for you.

[Vlk]

As far as I know the respective changes have already been checked in and will be present in the next program update.

HTH
Vlk

[alanrf]

Vlk,

info much appreciated.

Thanks,

Alan

[alanrf]

The iframe alarm is unchanged in release 4.7.892 and the messages from the BBC still causing unnecessary alerts.

I thought the change had been staged for this release?

[Vlk]

I thought so too...
Just an idea - maybe the change didn't apply for updated installations (only for new installs) - as the config in updated installations is already saved.

I'll have it checked.

[alanrf]

And the result of your check was ....?

[sedina]

Hi, sorry for misinformation, change with iframe sensitivity will be in the next program update. Current version (4.7.892) doesn't include this change. So please set heuristic sensitivity to Custom and uncheck iframe checkboxes to get rid of warnings. From the next version, iframe will be checked only for High sensitivity (or for Custom if set).

[alanrf]

Thanks for the update ... I look forward to seeing it in the next release.