The update allows administrators to configure domain-joined computers to use auto update without having access to the Windows Update site, to configure domain-joined computers to independently opt in to auto update for both trusted and disallowed CTLs, and to examine the set of roots in Microsoft root programs and choose a subset of them for distribution via Group Policy, Microsoft said.
Microsoft did not patch the zero-day vulnerability disclosed recently by Google security engineer Tavis Ormandy, Kandek said. That vulnerability is an elevation-of-privilege (EoP) flaw and cannot be used for remote code execution, but it could be used in a chained attack together with other vulnerabilities, so attackers might attempt to use it, he said.
Microsoft probably already has a patch for it, but the patch hasn't been tested enough, so the company will release it next month, Kandek said. However, if the vulnerability starts to be widely exploited in the meantime, the company might release the patch sooner, he said.