The luring attack is a type of elevation-of-privilege attack where the attacker “lures” a more highly privileged component to do something on his behalf. The most straightforward technique is to convince the target to run the attacker's code in a more privileged security context (Item 15).

Imagine for a moment that you normally log in to your computer as a privileged user, perhaps as a member of the local Administrators group. An acquaintance sends you a zipped executable file and asks you to run it. You unzip the file to your hard drive and see a program called gophers.exe. Now let me state up front that you should never run code on your machine that you don't trust. The following example shows that even the ...