Critical MS15-034 Addresses HTTP.sys Security Vulnerability

As mentioned in the update summary post for April, the Microsoft MS15-034 update should be prioritized for deployment and installation this month due to its severity and ease of exploitation. Please allow me to explain the issue being resolved in more detail.

Within both server and client versions of Windows, a driver called HTTP.sys exists to process HTTP requests, i.e. this flaw does not only affect Windows systems that have IIS installed and are being used as web servers. Any custom software that your company runs that uses Microsoft’s HTTP.sys would also be vulnerable. Drivers run with maximum privileges within Windows, namely in kernel mode, so a successful exploit results in the exploit code also obtaining kernel mode privilege.

A specially crafted HTTP request could cause any Windows system running this vulnerable driver to blue screen (essentially a denial of service attack). However, this is not the full extent of the flaw, since Microsoft’s bulletin states that remote code execution is possible.

Exploit code for this flaw is emerging, and it will only become more widespread once the patch for this issue is reverse engineered to see exactly how it resolves the issue. If you wish to know whether any public facing web server that you are running is vulnerable to this issue, you can visit the following website and enter the address of your website to test it:

https://lab.xpaw.me/MS15-034/
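The remote checker above only tells you about servers reachable from the internet. Because the post's key point is that any software using HTTP.sys is affected, not just IIS, an administrator also wants a local inventory: which processes have registered URL prefixes with the HTTP.sys driver on a given host, and whether the MS15-034 update is present. The PowerShell script below is an added example, not code from the original post. It assumes the standard `netsh http show servicestate` output, where registered URL prefixes appear on their own lines starting with `HTTP://` or `HTTPS://` and attached process IDs appear as bare numeric lines; the `$KbId` value is a placeholder that you must replace with the KB number listed in Microsoft's MS15-034 bulletin. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): inventory HTTP.sys usage on this
# host and confirm the MS15-034 update is installed. Run elevated.
# ASSUMPTION: $KbId is a placeholder; take the real KB number from the MS15-034 bulletin.
param(
    [string]$KbId = 'KB<MS15-034 KB number>'
)

# 1. Is the HTTP.sys kernel driver present and running? Its service name is 'HTTP'.
$httpDriver = Get-Service -Name HTTP -ErrorAction SilentlyContinue
if ($httpDriver) {
    "HTTP.sys driver status: $($httpDriver.Status)"
} else {
    "HTTP.sys driver not present on this host."
}

# 2. Which URL prefixes are registered with HTTP.sys, and which processes own them?
#    This is what reveals non-IIS software (custom services, management agents, etc.)
#    that depends on the vulnerable driver.
#    ASSUMPTION about netsh formatting: URLs are on lines beginning with HTTP(S)://,
#    process IDs are on bare numeric lines under "Process IDs:".
$state = netsh http show servicestate view=requestq verbose=yes 2>$null

$urls = $state |
    Where-Object { $_ -match '^\s*HTTPS?://' } |
    ForEach-Object { $_.Trim() } |
    Sort-Object -Unique

$procIds = $state |
    Where-Object { $_ -match '^\s*\d+\s*$' } |
    ForEach-Object { [int]$_.Trim() } |
    Sort-Object -Unique

"Registered URL prefixes ($(@($urls).Count)):"
$urls | ForEach-Object { "  $_" }

"Processes attached to HTTP.sys request queues:"
foreach ($p in $procIds) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
    if ($proc) {
        "  PID $p -> $($proc.ProcessName)"
    } else {
        "  PID $p (process no longer running)"
    }
}

# 3. Is IIS itself installed? (W3SVC is the World Wide Web Publishing Service.)
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis) { "IIS (W3SVC) present, status: $($iis.Status)" } else { "IIS (W3SVC) not installed." }

# 4. Is the MS15-034 update installed? Get-HotFix reads the installed-update list.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) {
    "$KbId is installed (installed on $($fix.InstalledOn))."
} else {
    "$KbId NOT found: prioritise patching this host."
}
```

Run it across your fleet (for example via `Invoke-Command` against a list of servers) and treat any host that reports registered URL prefixes but no installed update as an exposed system, regardless of whether IIS is installed.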

Further technical analysis of this flaw, including how a quite reliable DoS attack can be achieved with it, is included in the following blog post:

http://www.securitysift.com/an-analysis-of-ms15-034/

An analysis of the changes included in the patch is detailed at the following link:

http://blog.beyondtrust.com/the-delicate-art-of-remote-checks-a-glance-into-ms15-034

Please update all of your Windows systems with the MS15-034 update as soon as possible. Thank you.
