
Microsoft’s bumper Patch Tuesday misses newly-discovered vulnerability

Microsoft's record-equalling Patch Tuesday security update for August did not include a fix for a newly-discovered flaw in several versions of Windows.

The update consisted of 14 bulletins, eight rated critical and six rated important, that address 34 vulnerabilities, not including a buffer overflow vulnerability reported just days before the update was issued.

Research service Vupen Security said the vulnerability could be exploited to cause a denial of service or potentially gain elevated privileges, according to US reports.

Vupen confirmed the vulnerability on fully patched versions of Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.

Research service Secunia said the vulnerability is linked to a boundary error in win32k.sys, which could be used to trigger a buffer overflow and allow attackers to gain escalated privileges and execute code.

But the flaw should be difficult to exploit, according to the security researcher who first reported it.

The researcher, known as Arkon, said in a blog post that he felt it was safe to disclose the vulnerability because it is extremely difficult to exploit.

Microsoft said it is not aware of attacks that try to use the reported vulnerability or of any customer impact.

According to Microsoft, the vulnerability allows only local elevation of privilege, which means it allows attackers to gain system-level privileges only after they have obtained an account on the target system.

"For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users," the company said in a blog post.

Microsoft said it will not be releasing a security advisory for this issue, but a fix will be included in a future security update.

