Critical patch for flaw hitting all MS versions

News by Max Cooter

This vulnerability, if left unpatched, affects every flavour of Windows utilising the IIS services version 6+ to support web sites.

A vulnerability identified by Microsoft could cause serious problems for website administrators and small business owners. The exploit, which attacks sites through the HTTP protocol, could be used to instigate Denial of Service (DoS) attacks or take over a web server.

The exploit was one of several patched by Microsoft in its monthly Patch Tuesday round-up of security fixes. Security fix MS15-034, described as critical, offers a solution to the issue.

Sysadmins should ignore this fix at their peril, suggests Stephen Coty, chief security evangelist at Alert Logic, who said: “This vulnerability, if left unpatched, affects every flavour of Windows that is utilising the IIS services version 6+ to support web sites. HTTP.sys is the system HTTP stack in Microsoft Windows used by IIS, as well as any other application or service that serves HTTP. The result of leaving this unpatched would be a denial of service and potentially remote code execution through the web interface.”

Other security experts agree. According to Ben Campbell, security consultant with MWR, the HTTP exploit was particularly dangerous because the IIS web server is so widely used.

“The exploit will crash the server completely, taking down any services. For ecommerce websites this could be especially painful as it will reduce their revenue immediately. An attacker can repeatedly send out the attack for little cost, causing costly interventions for a systems administrator to supply a patch,” Campbell told SC.

The problem is a long-standing one, says Microsoft, although there are no indications that it had been exploited previously. However, according to Campbell, attacks have now been spotted in the wild. It is not something whose effects could be negated by using the HTTPS protocol, he added.

There are two ways in which IIS servers could be affected. The simplest is through a Denial of Service exploit. “There is a single command run that is publicly available. As such it would be easily exploitable by a ‘script kiddy’,” said Campbell. But more worryingly, there is the chance that a skilled hacker could develop working code to take over a server. According to Campbell, Microsoft has indicated that this is a possibility, although there is no evidence that anyone has done so. However, he added: “There are reports that this exploit can be used to leak system memory from the affected system which may be a stepping stone to exploitation.”

Even more worryingly, desktop machines running under IIS could also be affected. Campbell said: “The Windows component HTTP.sys is used to run a number of different services on normal user workstations. However, only IIS enables a feature called ‘Kernel Caching’ which this exploit requires to be successful.” However, he added, other users could be at risk. “Other custom services which do use this feature, and run via the HTTP.sys driver, could be vulnerable, but we have yet to identify any instances.”