Block IFRAME For Added Protection
If you are interested in Tech, and visit Websites such as this one, it will not be very long before you read about Firefox. (In fact just this week I posted an article.) And, it won’t be long before you see NoScript mentioned. Odds are, you already have.
NoScript is a small program you download and add ‘into’ Firefox to enhance its functionality. (These small programs are known variously as “add-ons”, “plug-ins”, and “extensions”: different words for the same concept.)
NoScript gets mentioned in the Tech media a lot because it is a security tool that automatically “blocks” (prevents from running) certain web page ‘elements’ (scripts), namely Java, Flash, JavaScript, and XSS, unless you click the Option button and select “Allow” or “Temporarily allow”.
This puts you in control, and goes a long way toward preventing “drive-by downloads” and other malicious Internet attacks and activity from occurring should you happen to visit a Website which has been “poisoned” by a hacker.
(I don’t mean to depress you, but the current state of the Internet is so insecure that this can be, literally, any Website.)
By default, NoScript is a powerful tool (to read the NoScript “About” page, click here) and for many people is the primary reason they have made the switch to Firefox.
(I’ll let you in on a little secret; it is one way to measure a user’s “savvy”.. look for a Firefox icon.)
Tip of the day: Enhance your NoScript protection by turning on the IFRAME blocker feature.
IFRAMES are another dynamic Web element that cyber-criminals are now using as an “attack vector” (aka “method”) with great success. Like the scripts mentioned above, IFrame attacks can happen invisibly and automatically. Oh, the joys of Web 2.0!
1) In Firefox, click on “Tools”, then “Add-ons”
2) Scroll until you find NoScript, and click the “Options” button. (If you have not yet installed NoScript, click the “Get Add-ons” icon in the upper-left.)
3) Click on the Plugins tab. Place a check in the “Forbid <IFRAME>” checkbox.
That’s it. You’re done. Now when you visit a site that uses IFrames, you will have to approve them (aka “whitelist”) before they’ll appear.
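The same approve-before-load idea can be applied by a site owner checking their own pages for frames they never approved. The sketch below is an added example, not part of NoScript or of the original article; the host names, the sample page and the "tiny frame" size rule are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts whose frames have been approved (constructed for this example).
ALLOWED_HOSTS = {"www.example.com", "player.example-video.test"}
# Constructed sample page: two approved frames, two unapproved and invisible.
SAMPLE_PAGE = """<html><body>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<IFRAME SRC="http://unknown-host.invalid/x" WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="//player.example-video.test/embed/1" style="border: 0"></iframe>
<iframe src="http://another.invalid/a" style="display: none"></iframe>
</body></html>"""

def is_invisible(a):
    """True when the frame is sized or styled so a visitor cannot see it."""
    style = (a.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}  # assumed threshold for "invisible"
    return ((a.get("width") or "").strip().lower() in tiny
            or (a.get("height") or "").strip().lower() in tiny
            or "hidden" in a
            or "display:none" in style
            or "visibility:hidden" in style)

class IframeAudit(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url, self.allowed, self.findings = page_url, allowed_hosts, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag names
            return
        a = dict(attrs)
        # Resolve relative and scheme-relative src against the page URL.
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlsplit(src).hostname or ""
        self.findings.append({"src": src, "host": host,
                              "approved": host in self.allowed,
                              "invisible": is_invisible(a)})

def audit(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per <iframe> in the page."""
    parser = IframeAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

def blocked(findings):
    """Frames a default-deny policy would refuse: host not on the allowlist."""
    return [f["src"] for f in findings if not f["approved"]]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, "http://www.example.com/index.html"):
        print(f)
```

A frame that is both unapproved and invisible is the combination most worth investigating on a page you maintain.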
[Note: the scripts and tools (Web 2.0 “features”) mentioned in this article are NOT in themselves bad or dangerous, and it is thanks to them that the Web is such a rich and interactive environment.. but, in the wrong hands they can be, and are being, used with criminal intent.]
Today’s free link: One of the more disturbing (outright alarming, if you ask me) hacker uses of IFrame attacks is the alteration of Search Engine results (yes, you can’t truly trust Google, Yahoo!, or MSN anymore). Internet Security blogger Bill Mullins has posted an excellent article on this subject, Fake/Redirected Search Results – Consequences for You.
* Firefox users: Update 3.0.3 available today.
Copyright © 2007-8 Tech Paul. All rights reserved.
Nice content but such horrible, example of most wrong colors, this site looks so depressing, scares people away! I’m gonna leave without reading :-(
Well I certainly don’t want to be scary…
Ok, great! Block Javascript, IFrames, Flash and the like.
Why not go ahead and block web sites from loading on browsers from now on? At some point you have to get real about web browsing. Yes, there are people who want to break your computers by loading malicious scripts or viruses, but where do you draw the line?
99% of web sites these days rely on at least one of the technologies mentioned above to work properly! Taking them away will stop the sites working, and I’m pretty sure that only a handful of sites have malicious content.
What you are doing by spreading this so-called information is causing panic, and making people scared to browse. The vast majority of web surfers out there are going to panic when they see a warning about some script trying to run, and they are going to stop it, even if it is only a menu item loading.
If you have half decent anti everything, the real nasties will be blocked by them and the need for these add-ons won’t be there.
This is not great news for web developers!!!
Quinton,
It has gotten so dangerous that there are advocates of text-only browsers.
No, having the latest, fully updated malware tools will not protect you from a lot of web-based attacks. Not even the heuristic ones.
And going to “safe”, well-known websites only will not protect you because of website poisoning.
Yes. The cyber-criminals are killing the Web. Hence Bush’s, and now Obama’s statements and plans. Their goal is not to “break my machine”, but to steal my money and/or commit crime (fraud) in my name.
What these blockers do is essential, as they prevent things from just running (with whatever permissions they can get) until the user okays them. (Unfortunately, nobody reads what they’re OK-ing, and are being conditioned to just click “OK”)
Create a panic? Are you kidding? What percentage of “average computer users” have even heard of a keylogger installed via drive-by? Are botted and don’t know it?
Flash is to serve me ads which I don’t want.
Java is so I can fill in a form which I don’t want to do — why should I have to give you an e-mail so I can view the page?
hi i cannot block iframes on ie8 :S
asdf,
That – in a nutshell – is why people have switched to Firefox.
IE 8 has several security features. Please see, http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
yes. iframe is such a dangerous tag.
Most people are still not aware of its misuse.
Many websites are being infected with iframe tag in their main pages.
Now I am going to block web pages with iframes.
Venkatachalam.
* 77 percent of Web sites with malicious code are legitimate sites that have been compromised. (called “poisoned”)
* 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth during the last year.
* 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
* 57 percent of data-stealing attacks are conducted over the Web.
* 85 percent of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.
and that was 2008-2009. now in 2011 it’s even worse.
listen to techies!
they know this stuff because they are amongst the ones that create them (paid by the marketroids).
I saw this coming back in ’98 when I saw how dangerous javascript can be.
now, it’s even worse. I would say block any ad anywhere. let the marketing guys know that this is not what web was created for.
as long as there is money to be made from web sheep they will not stop.
don’t be a sheep!
reject all ads on the web. period!
only this way you can fight back.
I always disable javascript, flash, etc right after installing firefox (the only browser I can trust)
I will then enable only a few sites (like youtube) for flash.
i am happier this way. If I cannot see a page so be it. that means it was not there for me to see if I have to give out information to see it.
because of this I also scale back on paying for internet. Instead of going down in price it’s going up for feeding more garbage down our throats.
gave up cable TV long time ago because of same issue. never looked back. I’m happier now and spend more time on books and other things that are not distracting.
the same will happen with the web. people will stop paying for crap once there is enough critical mass.
you get the idea.
future,
For the most part.. I agree.
NoScript is fake, not blocking all iframes.
Some iframe by authority can detect IP address even if you’re using proxy.
Put #IFRAME in adblockplus custom elements blocker, these true will block ALL IFRAME.
Archon,
I have no idea if that’s true, and I don’t have time to look into it. But don’t worry: less than 1/1000th of 1% of webizens are savvy enough to have NoScript.
sir this article is really good one its very useful thank you sir.
Sir is there any trick to watch who are using my wifi connection on pc b’coz i am worried about my data usage i doubt someone using my wifi connection.
suraj,
A network ‘sniffer’ can often/usually detect machines on the network (and if you see one you don’t recognize, you have an intruder). But the key to keeping folks off of your WiFi is using the latest encryption methods (WPA2, typically), with a strong password, that you change occasionally. If that is insufficient to keep people out, you can set your router to limit the number of connections (to, say, 1).
sir, if i visit any site how can i see that site is safe or not b’coz there are so many sites who are already spam, viruses how can i safe site visiting.
h.ali,
There’s no such thing as “safe” on the Internet.
But we can be safer on the Internet by avoiding obviously risky websites, using site “reputation” tools (browser plug-ins like McAfee’s SiteAdvisor, WoT, etc.), typing the URL as opposed to clicking links, and a good Internet Security Suite/firewall.