The vulnerability, which was discovered by Google engineer Tavis Ormandy, lies in the Windows Virtual DOS Machine (VDM) subsystem. The advisory instructs users to disable VDM as a workaround.
Microsoft says it is not aware of any attacks using the vulnerability, but explains:
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.