However, it works great to prevent user-mode or kernelmode
rootkits from being loaded via a client-side vulnerability in the browser.
Only Vista has the built-in infrastructure to make Protected Mode work. However,
given a little more work, you can run at a reduced privilege level on down-level
Chapter 15: Client-Side Browser Exploits
385
PART IV
platforms as well. One way is via a SAFER Software Restriction Policy (SRP) on Windows
XP and later. The SAFER SRP allows you to run any application (such as Internet
Explorer) as a Normal/Basic User, Constrained/Restricted User, or as an Untrusted User.
Running as a Restricted or Untrusted User will likely break lots of stuff because
%USERPROFILE% is inaccessible and the registry (even HKCU) is read-only. However,
running as a Basic User simply removes the Administrator SID from the process token.
(You can learn more about SIDs, tokens, and ACLs in the next chapter.) Without administrative
privileges, any malware that does run will not be able to install a key logger,
install or start a server, or install a new driver to establish a rootkit. However, the
malware still runs on the same desktop as other processes with administrative privileges,
so the especially clever malware could inject into a higher privilege process or remotely
control other processes via Windows messages.
Pages:
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697