Comments on: Quickpost: SAFER and Malicious Documents http://blog.didierstevens.com/2009/09/28/quickpot-safer-and-malicious-documents/ (blog 'DidierStevens) Tue, 16 Mar 2010 07:37:33 +0000 http://wordpress.com/ hourly 1 By: karthik http://blog.didierstevens.com/2009/09/28/quickpot-safer-and-malicious-documents/#comment-35842 karthik Mon, 28 Sep 2009 23:53:21 +0000 http://blog.didierstevens.com/?p=1769#comment-35842 I see your point, agreed that AD GPO's is much elegant solution. I generally launch (just configure short cuts once) my email client, browser, IM client (basically all that connect to internet) with stripped down privileges, so all their child processes also gets privileges stripped. and I dont like windows explorer, its crappy and heavy. i use blackbox shell instead. ;-) your posts are very helpful, i enjoy reading it. thanks. I see your point, agreed that AD GPO’s is much elegant solution. I generally launch (just configure short cuts once) my email client, browser, IM client (basically all that connect to internet) with stripped down privileges, so all their child processes also gets privileges stripped.
and I dont like windows explorer, its crappy and heavy. i use blackbox shell instead. ;-)

your posts are very helpful, i enjoy reading it. thanks.

]]> By: Didier Stevens http://blog.didierstevens.com/2009/09/28/quickpot-safer-and-malicious-documents/#comment-35841 Didier Stevens Mon, 28 Sep 2009 21:36:07 +0000 http://blog.didierstevens.com/?p=1769#comment-35841 @karthik We want to restrict the token of the process which ever way the application is launched. For malicious documents, the "reader application" can be started in many different ways: 1) Double-clicking the document in Windows Explorer. 2) Opening the document in your browser 3) opening the document in your e-mail client ... For every of these cases, you want the application to run with restricted rights. So psexec is a solution, if you can configure your system to execute psexec for all of these different cases. That's why I talked about StripMyRights and the Image Execution registry entry. Because that's one of the methods to make sure StripMyRights will proxy your application. Have you tested psexec with the Image Execution method? If it supports it, you can use it in stead of StripMyRights. SAFER offers the advantage that you don't need a proxy application to start the vulnerable application, and that it can be deployed with AD. @karthik

We want to restrict the token of the process which ever way the application is launched. For malicious documents, the “reader application” can be started in many different ways:
1) Double-clicking the document in Windows Explorer.
2) Opening the document in your browser
3) opening the document in your e-mail client

For every of these cases, you want the application to run with restricted rights. So psexec is a solution, if you can configure your system to execute psexec for all of these different cases.

That’s why I talked about StripMyRights and the Image Execution registry entry. Because that’s one of the methods to make sure StripMyRights will proxy your application. Have you tested psexec with the Image Execution method? If it supports it, you can use it in stead of StripMyRights.

SAFER offers the advantage that you don’t need a proxy application to start the vulnerable application, and that it can be deployed with AD.

]]> By: karthik http://blog.didierstevens.com/2009/09/28/quickpot-safer-and-malicious-documents/#comment-35840 karthik Mon, 28 Sep 2009 21:24:00 +0000 http://blog.didierstevens.com/?p=1769#comment-35840 why not run using psexec utility from sysinternals like, "psexec.exe -l -d " why not run using psexec utility from sysinternals like, “psexec.exe -l -d “

]]>