The vulnerability is about the user profile service which has an issue in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege.
Read Google’s disclosed information related to the vulnerability here – https://code.google.com/p/google-security-research/issues/detail?id=123&can=1
Microsoft made it to January’s Patch Tuesday and released a fix, (the same day the bug was made public). A quick look at Microsoft complementary security bulletin states that the security update addresses the vulnerability by correcting how the Windows User Profile Service validates user privileges to load registry hives.
Furthermore, Microsoft adds that an authenticated attacker who successfully exploits the vulnerability could leverage the Windows User Profile Service (ProfSvc) to load registry hives associated with other user accounts and potentially execute programs with elevated permissions. The security update addresses the vulnerability by correcting how the Windows User Profile Service validates user privileges to load registry hives.
Read Microsoft Security Bulletin here – https://technet.microsoft.com/library/security/MS15-003