IFRAME blamed for web security threats
Posted 7 June 2007 at 8:42AM by Simon Dickson in Website development
UK security specialists Sophos detected more than 300,000 web pages containing malicious code during May; that's equivalent to 9,500 new infected pages daily, up more than 1,000 on the figure for April. And very nearly two-thirds of the threats they detected used the same basic HTML vulnerability.
The HTML 'iframe' ('inline frame') tag effectively creates a 'web page within a web page', a resizable and positionable window showing contents from a completely different website. There are numerous perfectly reasonable situations where you might want to do this: maybe you're using complex third-party functionality within a relatively unsophisticated site. It's used by Amazon for its affiliate links, for example.
But there's an inherent catch. If you ever find yourself looking at a 'phishing' site, a malicious site disguised as a reputable service like an online bank, the browser's address bar often gives you a clue that all is not as it seems. You don't get that safeguard with an iframe: the browser shows the address of the main page, not the iframed page. So if someone manages to 'hack' a trustworthy page to include an iframe, you could very easily miss it.
'Attacks spreading on the web are becoming more frequent and more problematic for businesses every month,' says Carole Theriault from Sophos. 'It's no longer enough for businesses simply to filter websites based on category - the real nasty attacks are most often found lurking on legitimate web pages. This is a wake-up call for organisations with a website: being out of date with patches and running inadequate security has very real risks.'
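Because the address bar only ever shows the outer page, a site owner's practical check is to audit their own served HTML for iframes that load from origins they did not put there. The following is an added example, not part of the original post; the URLs, sample HTML and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag (any letter case)."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.frames.append(dict(attrs))

def audit_iframes(page_url, html, allowed_hosts=()):
    """List iframes loading from an origin other than the page's own
    and not on the site owner's allowlist of expected third parties."""
    collector = IframeCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for attrs in collector.frames:
        src = (attrs.get("src") or "").strip()
        if not src:
            continue  # no external document is loaded
        target = urljoin(page_url, src)  # resolves relative and //host URLs
        if origin(target) == origin(page_url):
            continue  # same-origin frame, e.g. the site's own widget
        host = origin(target)[1]
        if host not in allowed:
            findings.append({"src": target, "host": host})
    return findings

# Constructed sample page: one same-origin frame, one expected third party,
# and one frame from a host the site owner never added.
SAMPLE_PAGE_URL = "https://shop.example/index.html"
SAMPLE_HTML = """<h1>Welcome</h1>
<iframe src="/widgets/basket.html"></iframe>
<iframe src="https://affiliates.example/banner?id=1" width="120"></iframe>
<IFRAME SRC="//unexpected.example/x.html"></IFRAME>
"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML, ["affiliates.example"]):
        print("unexpected iframe:", f["src"])
```

Run against each published page after deployment, any finding is a frame that should be traced back to a template or content change before it is trusted.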
Tags: iframe, patches, phishing, sophos
Comments
2. At June 8, 2007 11:55 AM, Chris wrote:
Kim, if Google were to check every link they have in their search engine, it could take years, by which time, when they have finished, they would have to start over, as there are new webpages popping up every minute.

1. At June 7, 2007 11:58 AM, kim wrote: