@JGStew

Some of my thoughts.


What Makes A Vulnerability Or CVE Worse Than Others?

Security vulnerabilities are typically assigned Common Vulnerabilities and Exposures (CVE) identifiers so that they can be referenced unambiguously, as well as a Common Vulnerability Scoring System (CVSS) base score, as published in the National Vulnerability Database (NVD). (CVSS is strictly a severity score rather than a risk score, though it is often called one.) But what makes one vulnerability worse than the rest? Some vulnerabilities are worse than others, which is generally reflected in their different CVSS scores… but why?

The goal of most attackers is to get a computer to execute arbitrary code at the highest privileges possible. An attacker who can execute arbitrary code at maximum privileges can generally make the computer do anything they want; they just have to tell it what to do. From that point there are many ways to further the attacker's goals, and which one is used depends on those goals, but as far as the exploitation of a particular device is concerned, this is the endgame. I'm not going into more detail here about what is done after that point.

Since the goal of most attackers is to get a computer to run arbitrary code, one of the worst kinds of vulnerabilities is called "Remote Code Execution" (RCE), which is exactly that. The label describes a practical impact, not a theoretical one: the attacker can make the target system run code of their choosing without already having access to it. Sometimes an RCE only lets the attacker run code at the privileges of the current user of the system, and that user may not have administrative rights or root privileges. In that case an attacker can pair the RCE with a "privilege escalation" (often a local privilege escalation, or LPE). This kind of attack means that code already running as the current user can obtain administrative or root privileges even though the current user does not otherwise have the rights to run with those privileges. If the initial RCE already allows the attacker to run code with administrative rights or root privileges, that is even worse, since no additional privilege escalation is required.

It is normal for an attacker to use many different vulnerabilities together in order to affect as many systems as possible with maximum effectiveness, so you can't consider a single vulnerability in a vacuum; you also have to consider how it can be used in conjunction with all the other vulnerabilities present. This is why it is critical to patch systems as fully as possible, not just the handful of CVEs whose individual scores look the worst.

All this is to say, if a single vulnerability allows Remote Code Execution with maximum privileges, it is worse than one that only allows Remote Code Execution with limited privileges, and it is about as bad as it gets. However, the privileges gained are not the only thing that determines how bad a vulnerability is, and some of the other factors are not reflected in the CVSS base score at all. One important consideration is how many computers could be affected: how large is the pool of potential target devices that an attacker could exploit with this particular vulnerability? In the case of Windows, a vulnerability that only affects Windows 2000 or older has a far smaller pool of potential targets than one that affects every version of Windows. Similarly, a vulnerability for which a patch already exists only affects the systems that have not applied it, which is a much smaller pool than a vulnerability that affects systems that are fully patched at the time it is discovered, where every system is exposed until a fix ships. The CVSS base score does not take the size of the affected population into account, so two vulnerabilities with identical scores can pose very different amounts of risk.