In an operating system using discretionary access control (and most modern small- to midrange systems do) a user starts a program and transfers all her rights to this program. Users can make arbitrary changes to the security settings of the resources they own.
In those systems the identity used to run a program or a service is therefore extremely important. There is no concept of restricting a program's authority, which matters because it is unclear what the program might do with a user's rights.
In other words: the fundamental principle of security, the policy of least authority (or privilege), is violated by those systems, and they provide a playground for viruses and Trojan horses. It is important to understand that this is a built-in feature of such systems.
Attacks on discretionary systems often follow a stair-step pattern: after gaining entry into a program running with a relatively powerless identity, the attacker works her way up by then attacking other programs. Why can she do this? Because the first program that she has taken over is not limited in its actions. It is limited only with respect to the authority it can use for those actions.
Of course, network-accessible services running under a highly privileged identity, or complex setuid programs, are even more dangerous.
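A toy kernel model, added here as an illustration and not part of the original text, contrasting the discretionary regime described above with a least-authority one: the same untrusted program reaches far more, and passes far more on to a helper it starts, when it carries its user's identity than when it holds only a capability to the one file it was meant to process. The object names and the `Process`, `reachable` and `compare` helpers are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

# name -> (owner, content); owner-only discretionary ACLs. All values are constructed placeholders.
OBJECTS = {
    "/home/alice/report.txt": ("alice", "quarterly numbers"),
    "/home/alice/.ssh/id_ed25519": ("alice", "PRIVATE-KEY-PLACEHOLDER"),
    "/home/bob/todo.txt": ("bob", "buy milk"),
}

@dataclass
class Process:
    identity: Optional[str] = None   # DAC mode: the user's whole ambient authority
    caps: frozenset = frozenset()     # POLA mode: only the objects explicitly handed over
    def read(self, name: str) -> str:
        owner, content = OBJECTS[name]
        if self.identity is not None:        # DAC: anything this identity owns
            if owner == self.identity:
                return content
        elif name in self.caps:              # POLA: designation is the authorization
            return content
        raise PermissionError(f"read {name} denied")
    def spawn(self, caps: frozenset = frozenset()) -> "Process":
        """Start a helper program. Under DAC it inherits the full identity;
        under POLA the parent can only hand on a subset of what it holds."""
        if self.identity is not None:
            return Process(identity=self.identity)
        return Process(caps=caps & self.caps)

def reachable(proc: Process) -> set:
    """Everything a program that ignores its instructions could read."""
    reached = set()
    for name in OBJECTS:
        try:
            proc.read(name)
            reached.add(name)
        except PermissionError:
            pass
    return reached

def run_formatter(proc: Process, target: str) -> dict:
    """The one file alice meant to expose, plus what the program and a helper
    it launches could actually reach (the 'stair' described in the text)."""
    return {"formatted": proc.read(target).upper(),
            "reached": reachable(proc),
            "reached_by_child": reachable(proc.spawn(frozenset({target})))}

def compare(target: str = "/home/alice/report.txt") -> dict:
    """Same untrusted program, started once under each regime."""
    return {"dac": run_formatter(Process(identity="alice"), target),
            "pola": run_formatter(Process(caps=frozenset({target})), target)}
```

Under the discretionary regime the helper started by the compromised program holds exactly as much as its parent, which is the step-by-step escalation the text describes; under the capability regime the parent cannot grant what it does not hold.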