Aug 11, 2010 08:10 GMT

Microsoft has confirmed a vulnerability in the win32k.sys kernel-mode driver, which affects all supported versions of the Windows operating system and can be exploited by local attackers to escalate privileges.

The flaw was publicly disclosed by a security researcher last week, and some vulnerability research companies had different opinions about its severity.

"The vulnerability is caused due to a boundary error in win32k.sys within the 'CreateDIBPalette()' function when copying colour values into a buffer allocated with a fixed size when creating the DIB palette," Secunia, which rates the bug as less critical, explains.

The flaw received significant media coverage because of reports that it could also allow arbitrary code execution in certain circumstances.

Microsoft set out to investigate the bug and now reports that only local privilege escalation is possible.

"This type of issue allows attackers to gain system-level privileges after they have already obtained an account on the target system.

"For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system," Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC), notes.

As a result, the company doesn't plan to issue a security advisory in advance and will address the flaw in a future security update, possibly during next month's Patch Tuesday.

In related news, Microsoft released a batch of updates yesterday that address eight critical-severity issues, six important-severity ones and four high-priority ones.

Meanwhile, VUPEN, a reputed vulnerability research company, reports that none of the bugs it has discovered in IE, Office or Windows since it stopped sharing information with affected vendors were covered in yesterday's Security Bulletin.

This includes a recently announced flaw which the company says might allow attackers to bypass killbits and re-enable previously blocked ActiveX exploits.

You can follow the editor on Twitter @lconstantin