Frequently targeted document handling applications should be coded defensively and protect themselves with Windows security features like DEP, ASLR and Integrity Levels, just to name a few.
I tested a couple of PDF rendering applications: Adobe Reader, Foxit Reader and Sumatra PDF. If the application did not use DEP, ASLR or Integrity Levels, I changed some settings to make the application use these features. Setting DEP and ASLR is just setting a flag in the DllCharacteristics member of the Image Optional Header structure. You can do this with a hex editor, a PE-file editor, or a new tool (setdllcharacteristics) I’ll release soon. Using a Low Integrity Level is done by setting the appropriate ACE in the DACL of the application executable, see my post Integrity Levels and DLL Injection for details.
Adobe Reader 9 uses DEP and ASLR. It does not run with a Low Integrity Level by default. Configuring acrord32.exe to run with a Low Integrity Level fails, the application doesn’t run. It is said that the upcoming Adobe Reader 10 with sandboxing technology will run at a Low Integrity Level.
Sumatra PDF 1.1 uses DEP and ASLR. It does not run with a Low Integrity Level by default. Configuring SumatraPDF.exe to run with a Low Integrity Level succeeds, the application runs fine. Some preferences might get lost, but they are not important to me.
With version 4.2 of Foxit Reader released about a week ago, Foxit Software added support for DEP and ASLR. Setting Foxit Reader to use a Low Integrity Level results in a malformed opening dialog box:
Apart from this, Foxit Reader appears to work fine at Low Integrity Level, but don’t be fooled. At Low Integrity Level, Foxit Reader can’t read or set its preferences. For example, you won’t be able to disable JavaScript. Even if you disabled JavaScript with Foxit Reader running at Medium Integrity Level (the default), Foxit Reader running at Low Integrity Level will enable JavaScript. So you’re better off not using a Low Integrity Level for this version. I’ve talked to Foxit Software and they’ll fix this.
If your favorite application isn’t discussed here, you can easily check how it performs with Sysinternals’ Process Explorer. Just add columns DEP, ASLR and Integrity to Process Explorer’s main view and run your application.
Didier Stevens 