Labs April 14, 2015

Vulnerability in Windows http.sys could allow DOS or remote code execution

Yesterday Microsoft patched a critical vulnerability in the Windows HTTP stack (http.sys). If a working exploit is published, the consequences will be severe, because http.sys is a kernel-mode driver that is reachable from the network on every host running IIS or another service that registers URLs with it.

At the time of writing (15-04-2015 17:00) no public exploit exists.

The vulnerability is tracked as CVE-2015-1635 and is addressed by Microsoft Security Bulletin MS15-034.

Where is the vulnerability?

The flaw is in the HTTP request parsing performed by http.sys. By sending a specially crafted HTTP GET request, a remote, unauthenticated attacker could execute code on an IIS server (or on any other exposed service that relies on the vulnerable code in http.sys). Because http.sys runs in kernel mode, code execution would occur with kernel (SYSTEM) privileges, not in the context of the web application's account.

Denial-of-service vectors may also apply; our engineers are investigating.

What is affected?

Please refer to https://support.microsoft.com/en-us/kb/3042553 for the list of affected versions. According to the bulletin, the affected products are Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. Note that the vulnerable code is in http.sys, so a host is exposed whenever any service listens through http.sys, not only when the IIS web server role is installed.

What is to be done?

Microsoft has published update KB3042553.

On publicly exposed servers, immediately verify via the update history that KB3042553 has been installed successfully.

If WSUS is in use, use its reporting to confirm that the update was installed on every server.

If neither source confirms the installation, install the update manually and verify again.

If the update cannot be applied immediately, the bulletin lists disabling IIS kernel caching as a workaround. This removes the vulnerable code path but can reduce performance, and it is no substitute for installing the update.
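The verification step above can be automated across a server estate instead of checking update history host by host. The following PowerShell script is an added example, not code from the original advisory; it assumes the account running it has administrative rights on the targets and that remote WMI/RPC access is allowed, and the server names it contains are placeholders. It distinguishes "patch missing" from "could not query the host", so an unreachable server is never silently reported as patched.

```powershell
# Added example: verify that KB3042553 (MS15-034) is installed on a set of servers.
# Not part of the original advisory. Assumes admin rights and remote WMI/RPC access.
$Kb      = 'KB3042553'
$Servers = @('web01', 'web02', 'web03')   # placeholder names; replace with your own

$results = foreach ($s in $Servers) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the remote host.
        # -ErrorAction Stop turns connectivity/permission failures into
        # terminating errors so they land in the catch block below.
        $hotfixes = Get-HotFix -ComputerName $s -ErrorAction Stop
        $match    = $hotfixes | Where-Object { $_.HotFixID -eq $Kb }

        [pscustomobject]@{
            Server      = $s
            Status      = if ($match) { 'Patched' } else { 'MISSING' }
            InstalledOn = if ($match) { $match.InstalledOn } else { $null }
        }
    }
    catch {
        # Host unreachable, access denied, etc. Report it explicitly rather
        # than letting it look like a patched (or unpatched) host.
        [pscustomobject]@{
            Server      = $s
            Status      = 'Unknown'
            InstalledOn = $_.Exception.Message
        }
    }
}

# Show everything, with unpatched and unknown hosts first.
$results | Sort-Object Status -Descending | Format-Table -AutoSize

# Exit non-zero if any host is not confirmed patched, so the script can be
# used from a scheduled task or CI job.
if ($results | Where-Object { $_.Status -ne 'Patched' }) { exit 1 } else { exit 0 }
```

Run it from a management host after the WSUS deployment has completed; hosts reported as Unknown must be checked by hand (or via the update history on the server itself) before they are considered safe.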

Source of information

https://technet.microsoft.com/en-us/library/security/ms15-034.aspx