Comments on: Preventing Applications From Starting (Malicious) Applications

By: Geraldine

Geraldine — Wed, 21 Dec 2011 15:53:44 +0000

Thanks for that! It\’s just the answer I neeedd.

By: Triflex Enterprise | PDFs Exploitable?!? I’m shocked…

Triflex Enterprise | PDFs Exploitable?!? I’m shocked… — Thu, 22 Apr 2010 05:20:42 +0000

[...] PDF readers could disable the functionality completely (perhaps using Didier Stevens’ developed method) or bide their time, waiting on [...]

By: Hacker finds a way to exploit PDF files | The PC Report

Hacker finds a way to exploit PDF files | The PC Report — Thu, 01 Apr 2010 03:35:06 +0000

[...] should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this [...]

By: Escape from PDF

Escape from PDF — Wed, 31 Mar 2010 19:53:22 +0000

[...] should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this [...]

By: Didier Stevens

Didier Stevens — Wed, 31 Mar 2010 11:19:01 +0000

@Reader because that will not help you exploits that download and execute malware.

By: Reader

Reader — Wed, 31 Mar 2010 11:11:36 +0000

Why not just disable non-PDF file attachments in Trust Manager settings of Adobe Reader?

Prefs -> Trust Manader -> PDF File Attachments -> [ ] Allow opening…

By: Escape From PDF (hack exposed) | Cell-Systems

Escape From PDF (hack exposed) | Cell-Systems — Tue, 30 Mar 2010 17:21:55 +0000

[...] should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this [...]

By: Escape From PDF « Didier Stevens

Escape From PDF « Didier Stevens — Mon, 29 Mar 2010 19:46:50 +0000

[...] should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this [...]

By: Didier Stevens

Didier Stevens — Mon, 12 Oct 2009 21:50:25 +0000

> Otherwise, it’s only ’secure’ as far as the ‘attackers’ don’t bother to work around it.
That’s always the case. If I have local admin rights, I can also work around the protection you set up in the kernel. To avoid that, you need a TPM and a chain of trust. Until someone breaks the weakest link in that chain…
It’s an arms race.

And another way to bypass this altogether is just not to create a new process…
Use shellcode: http://blog.didierstevens.com/2008/10/23/excel-exercises-in-style/
Or a DLL: http://blog.didierstevens.com/2008/06/05/bpmtk-how-about-srp-whitelists/

By: Anonymous

Anonymous — Mon, 12 Oct 2009 21:35:42 +0000

Process creation disabling should be done by the kernel in order to be really secure. Usermode could do something like disabling a token, but I don’t think that hooking can provide real security.
The point in blocking this is that it is going to run insecure, malicious, untrusted code. Thus, we should consider that the author knows the way we’re going to block its code. The protection should still work even on this case. Otherwise, it’s only ‘secure’ as far as the ‘attackers’ don’t bother to work around it.