Hi malware fighters,
The majority of malicious PDF, Word, PowerPoint and Excel files will only infest when the user has logged on with full admin rights, so it is high time for users to lower their rights. “Almost all shellcode that is found inside malicious documents will download a trojan through HTTP to write to SYSTEM32 and then execute the malcode”. So if the infectious code cannot write to SYSTEM32, the shellcode will fail and the malware cannot infest the OS. “To be protected against these kinds of attacks one should limit one’s user rights.” For Windows 7 and Vista this already takes place via UAC.
Fewer rights
The users of Windows XP have no alternative than to use a standard account, but that can also lead to problems. However, there is a way to keep risky applications like Adobe Acrobat and Microsoft Office from having full admin rights. You can use two popular tools to do this - DropMyRights and StripMyRights. Both programs will produce a “restricted token” and will launch the mentioned software with fewer rights. According to Didier Stevens, both DropMyRights and StripMyRights have some drawbacks. That is why he developed an alternative by the name of LowerMyrights, which will be presented soon.
For those that cannot wait, the Belgian security expert writes in a blog posting how to set Software Restriction Policies using SAFER so that certain applications will be run with a fully functional “restricted token”. In such a way even programs like Adobe Reader can be used safely.
Links: http://blog.didierstevens.com/2009/09/27/preventing-malicious-documents-from-compromising-windows-machines/
http://blog.didierstevens.com/2009/09/28/quickpot-safer-and-malicious-documents/
on SAFER: http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx
polonus
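As an added example (not code from the post above, nor from Didier Stevens' or Michael Howard's blogs), the SAFER configuration the post refers to can be written directly to the Software Restriction Policy registry keys with PowerShell, so that Adobe Reader and Word start with the "Basic User" level, i.e. a restricted token. The registry layout (decimal level subkeys under CodeIdentifiers, GUID path-rule subkeys with ItemData/SaferFlags, and the Levels value that unhides "Basic User") is assumed from the standard SRP format, and the executable paths are placeholders to adjust for the machine.

```powershell
# Added example: create SAFER (Software Restriction Policy) path rules that run the
# named programs as "Basic User" (restricted token, Administrators removed).
# Assumed SRP registry layout: HKLM\...\Safer\CodeIdentifiers\<level>\Paths\{GUID},
# level subkeys in decimal (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted).
# Run from an elevated PowerShell; rules apply to processes started after a
# "gpupdate /force" or a new logon.

$Safer     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$BasicUser = 131072   # 0x20000

function Initialize-Safer {
    # Enable SRP with Unrestricted as the default level, so only listed paths are limited.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value 262144 -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1      -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0      -Force | Out-Null
    # Assumed: Levels = 0x71000 makes the otherwise hidden "Basic User" level visible in secpol.msc.
    New-ItemProperty -Path $Safer -Name Levels             -PropertyType DWord -Value 0x71000 -Force | Out-Null
}

function Add-SaferBasicUserRule([string]$ExePath, [string]$Description) {
    # Each path rule is a GUID-named subkey under the level's Paths key.
    $rule = Join-Path $Safer ("$BasicUser\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData    -PropertyType ExpandString -Value $ExePath     -Force | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $rule -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    return $rule
}

Initialize-Safer
# Placeholder paths: point these at the actual Reader / Office binaries on the machine.
Add-SaferBasicUserRule 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe' 'Adobe Reader as Basic User'
Add-SaferBasicUserRule 'C:\Program Files\Microsoft Office\Office12\WINWORD.EXE' 'Word as Basic User'

# Check: add the same kind of rule for cmd.exe, start it, and run "whoami /groups";
# the Administrators group should now be listed as "Group used for deny only".
```

Because the default level stays Unrestricted, everything not listed keeps running normally; only the document viewers, the programs that open untrusted input, lose the admin rights the shellcode in the post needs to write to SYSTEM32.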