Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Microsoft’s bumper Patch Tuesday misses newly-discovered vulnerability

The update consisted of 14 bulletins, eight rated critical and six rated important, that address 34 vulnerabilities, not including a buffer overflow vulnerability reported just days before the update was issued.

Research service Vupen Security said the vulnerability could be exploited to cause a denial of service or potentially gain elevated privileges, according to US reports.

Vupen confirmed the vulnerability on fully patched versions of Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.

Research service Secunia said the vulnerability is linked to a boundary error in win32k.sys, which could be used to trigger a buffer overflow and allow attackers to gain escalated privileges and execute code.

But the flaw should be difficult to exploit, according to the security researcher who first reported it.

The researcher, known as Arkon, said in a blog post that he felt it was safe to disclose the vulnerability because it is extremely difficult to exploit.

Microsoft said the software company is not aware of attacks that try to use the reported vulnerability or of any customer impact.

According to Microsoft, the vulnerability allows only local elevation of privilege, which means it allows attackers to gain system-level privileges only after they have obtained an account on the target system.

"For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users," the company said in a blog post.

Microsoft said it will not be releasing a security advisory for this issue, but it will be included in a future security update.
 

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?