What is a privilege escalation attack?

A privilege escalation attack is when a malicious user or software process manages to get higher permissions – and thus more control over a computer system – than would usually be granted.

This can be achieved by exploiting a bug, vulnerability, poor configuration in a software application or operating system, exploiting stolen login credentials, or social engineering scenarios designed to trick an authorised user into giving a malicious process or user access to things they shouldn’t.

Stolen credential attacks are a very good example of why you should regularly check to see if your passwords have been compromised. Other exploits take advantage of features that are actually working as they’re supposed to, such as the venerable Windows Sticky Key exploit, which could leverage accessibility features to open a command shell on some versions of Windows.

The most newsworthy privilege escalation attacks are those that exploit “zero-day” (previously unknown) software vulnerabilities that haven’t yet been discovered and widely patched (protected against via a software update).

New privilege escalation vulnerabilities turn up – and are usually promptly patched – every couple of weeks. They’re usually not announced until fixes are available and most are restricted to specific software applications.

Newsworthy examples with a broader reach have included:

• a 2021 remote code injection vulnerability in Apache Log4j affected any Java server that used the utility to keep its logs
• 2021’s HiveNightmare/SeriousSAM allowed unprivileged Windows users to gain admin rights by exploiting registry access and the Security Account Manager that authenticates local users
• 2016’s Dirty Cow, which allowed unprivileged users to write to read-only files on Linux, including the password file
• 2022’s Dirty Pipe, affecting Linux and Android kernels, allows unprivileged users to inject malicious code, which can again be used to overwrite password files

And yes, major vulnerabilities frequently do get entirely ridiculous names.

The good news for average users is that most of these vulnerabilities require access to a less privileged local account to be taken advantage of, and home PCs by default don’t usually expose themselves to the internet in easily exploitable ways.

Am I in danger of a privilege escalation attack?

If your standard user accounts (and any accounts used by specific applications) are secured with strong passwords and solid network defences, such as a properly configured firewall between local systems and the wider internet, the practical threat to your average home user is minimal.

It’s more of a threat for business networks, virtual machine hypervisors (servers that host and control virtual machines, found both in local enterprise networks and online server hosting) and internet-facing systems such as web or game servers. The log4j vulnerability I mentioned can be exploited on unpatched versions of Minecraft, allowing bad actors to execute software on both vulnerable servers and connected clients.

Needless to say, Minecraft’s developer, Microsoft-owned Mojang, was quick to roll out patches for official versions of the client, but that still left some modified versions of both client and server exposed until manually patched.

As a user, if you keep your operating system and software up-to-date, then you’ve little to worry about. Many antivirus and security suites include update and vulnerability scanners to help you keep up.

If you’re a system administrator, being aware of vulnerabilities as soon as they’re announced and making sure that you apply patches promptly is a significant part of your responsibilities.