A useful addition to the kernel could be a flag that disallows a thread from launching child processes.
Then when doing any of this risky stuff like handling gif/png/ASN.1/etc data from outside sources you can handle it in a worker thread that simply isn't allowed to launch external processes and thus sidestep a lot of these exploits.
Then when doing any of this risky stuff like handling gif/png/ASN.1/etc data from outside sources you can handle it in a worker thread that simply isn't allowed to launch external processes and thus sidestep a lot of these exploits.
Please get on that Apple kernel devs...