Re: IFrame Tag Warning From Epson UK

[standeb]

Hello All,

I have just received an E-Mail from Epson UK that IFrame tag as been found and can be dangerous.

First I would like to know what is IFrame and secondly, has it been found by Avast on Epson UK Websites or in avast 4 Home itself?

It can really be bad news if Avast is using it knowing that its dangerous.

Kindly advise.

standeb.

[DavidR]

The iFrame HTML tag is a powerful tool which can import and execute data. Whilst this is fine on a web site for importing dynamic data, it can still be put to malicious purposes as well as good.

It isn't often used in emails and usually for ads, etc. however the potential for harm is great and since avast can't assess that potential at the time of scanning, it has to wait until that content were downloaded (too late) that is why the Heuristics flag it as suspicious.

If you know the remote address/url that the imported data is coming from (and you trust it) you can add that to the permitted URLs in the Heuristics section of the Internet Mail provider.

[standeb]

Hello DavidR,

Thank you for your reply. The comments are seriously taken. I got the e-mail from Epson UK.

Sorry Avast has to wait and then too late. However can it be that even though it may be to late to stop it from getting in, can it be removed? Will there be the usual Avast warning? with the instructions to remove or send to chest etc.

I note that he questions asked were not answered except for the explation you gave. Could you or anyone address the query?

I guess that other readers will also want to know.

Thanking you for a reply.

standeb

[FreewheelinFrank]

If avast! detected an iFrame exploit it means the site has been hacked and is diverting your browser to a malicious site.

It's the responsibility of the website owner to investigate the security lapse on their site.

[DavidR]

@ FWF
The iframe in an email prompts a suspect alert (basically what standeb reported), differs from an iframe exploit alert by the web shield. The alert was just reporting the presence of the iframe tag which could be dangerous.

I have just received an E-Mail from Epson UK that IFrame tag as been found and can be dangerous.

<snip>
I note that he questions asked were not answered except for the explation you gave. Could you or anyone address the query?
<snip>

@ standeb
The question was answered, the third paragraph explains what you have to do to allow email from Epson UK that have iframe tags in the email (assuming you trust the source) to add the remote source to the Permitted URLs.

If you know the remote address/url that the imported data is coming from (and you trust it) you can add that to the permitted URLs in the Heuristics section of the Internet Mail provider.

You need to a) allow the email through (don't have your email on preview messages), b) right click on the message, select Properties, Message Source (I'm using OE6 as an example of it as that is what I use), c) look for the <iframe> tag and there should be a source URL, you need to copy that.

Internet Mail, Customize, Heuristics, Permitted URLs and paste the domain that you copied.

[standeb]

Hello DavidR,

Thank you for your reply and also thanks to all who have submitted contributions to this thread. I have just seen the replies. I was pretty busy and was not at my system until now.

I have not yet complied with your instructions by reason of the above. However I found several instances of iframe on my system. I do not know about iframe and what it does and how dangerous it cam be.

Please let me know whether I should remove all instances of it from my system.
I have scanned these files with avast and found them to be clean but I am wary of dangerous or suspicious things on my system. A look at the files revealed that they are or may be activeX files. Can you enlighten me here. Please let me know if I can attach a folder containing a copy of the files and how that is done.

I shall now be reading your replies again and addressing your instructions.

Can you let me know if it is safe to keep them or be rid of them.

Thanking you all for your kind attention.

standeb.

[DavidR]

You're welcome.

I don't know where you found these instances of iframe on your system ?

So I have no idea what they might be so I wouldn't recommend removal.

The iframe tag is a legitimate tool, but like many tools they can be used for good or evil.

[standeb]

Hello DavidR.

Forgive me. I do not mean to be a PIA, however hereinder is a copy of the e-mail I received. Tell me what you make of it

[avast heuristic warning]

From :    avast 4
Date:     Saturday July 20, 2008 5:49 p.m.
To:        None
Subject: [avast heuristic warning]

<iframe> tag found, it may be dangerous

Sender:  "Epson UK" <epsonuk@info.epson-europe.com>
Recipient: me
Subject:  Swing by for a top round of offers, including half price Stylus Photo RX685

This is what I got from the e-mail properties.

+OK
From: avast! 4
Subject: [avast! heuristic - WARNING]   

<iframe> tag found, it may be dangerous


Sender:  "Epson UK" <epsonuk@info.epson-europe.com>
Recipient:  me
Subject:  Swing by for a top round of offers, including half price Stylus Photo RX685.

I went into search, typed in iframe and they came up in the search results viz-

uiFrame.class in folder com/ms/ui
AwtuiFrame.class in folder com/ms/ui
iFramsmovecallback.class in folder com/ms/directX

They are repeated again as temp files in local settings.

I am not so computer savy so I would not have known anything about this until I got the e-mail.

I was thinking of deleting these things from my system but you said they are ligitimate so I will leave them alone. I just want an understanding of what iframe is realy about so I will also google up and read.

Thanking you again.

standeb.

[DavidR]

First I would suggest you modify your post as your email address is hanging in the wind begging to be harvested and added to spam lists. The forums are publicly available and as such could be trawled by spambots looking for email addresses.

uiFrame.class in folder com/ms/ui
AwtuiFrame.class in folder com/ms/ui
iFramsmovecallback.class in folder com/ms/directX

The problem with your search is it is a) an explorer search which doesn't look inside files and b) it is finding entries with iframe somewhere in a file name andthey  aren't iframe tags, which would be <iframe>.  Those iframes appear to be fine as they aren't HTML iframe tags, just a string of letters.

The ones in temp folders, if they are similar to the ones quoted above fall into the same category, just iframe in a file name and not an iframe tag.


 

[standeb]

Hello  DavidR,


Thanks for the reply. I am o.k. with IFrame now I see what you mean.

Now; How do I modify the post to delete the address?

standeb.

[standeb]

Hello DavidR,

Don't worry about the modification instruction. I found how to do it and did it.

Thanks for the tip, your time and patience and timely responses. You and your moderators and senior members are really doing a great job. This makes me more confident with using avast 4 and the forums.

Best regards.

standeb.

[DavidR]

You're welcome.

They aren't my moderators or senior members, I'm just an avast user like yourself