Critical Microsoft HTTP.sys Remote Code Execution Vulnerability
Microsoft have released over this week several security patches that comes to fix critical security vulnerabilities. One of these vulnerabilities is an HTTP.sys security issue that do not properly handle HTTP-requests and may lead to DoS or remote code execution.
MS15-034 bulletin comes to fix this issue and it has the critical severity because it is remotely exploitable and the exploit is published. Affected windows operating systems include Windows 7, Windows Server 2008 R2, Windows 8 and Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.
At the moment Microsoft have released the patch for this issue on all systems but you can also apply a workaround by disabling IIS core caching. this is not recommended because it will obviously may lead to performance degradation.
Exploiting the vulnerability will crash the windows and display the following message:
HTTP.sys Remote Code Execution exploit is already published and there is a check that you can use against your site to verify if you are vulnerable. this scan may cause a buffer overflow. The vulnerability is not affecting old version of IIS running on windows 2003 which is used by about 130 million servers on internet.
According to sans institute they have detected activities on their honeypot servers that running are the exploit against this vulnerability. “We are seeing active exploits hitting our honeypots from 18.104.22.168. We will be going to Infocon Yellow as these scans use the DoS version, not the “detection” version of the exploit. The scans appear to be “Internet wide”.”
If you are using IIS with a recent windows server that can be affected by this vulnerability make sure to scan your server and check if you are vulnerable next you should test/apply the patch to address the issue. you can find the full information from Microsoft over this link.