On April 14, 2015, Microsoft released security advisory MS15-034 documenting a critical vulnerability in the Windows HTTP.sys component. If successfully exploited, this vulnerability could lead to remote code execution or denial of service.
When the advisory was initially released, there were no known attacks occurring in the wild. After the patch was released, a third party developed proof-of-concept code that scans for the vulnerability and may also cause a denial of service.
A remote attacker that successfully exploits this vulnerability could potentially execute malicious code in the context of the System account or create a denial of service condition.
Please see "UISO Recommendations" and "Workarounds" below for further steps that must be taken.
A full list of affected operating systems and software is available in Microsoft Bulletin MS15-034. Affected software includes the HTTP.sys component of the following Windows platforms:
- Windows 7
- Windows 2008 R2
- Windows 8
- Windows 2012 (Standard and Core)
- Windows 8.1
- Windows 2012 R2 (Standard and Core)
Using network sensors, the University Information Security Office (UISO) monitors the network for hosts being exploited by attackers. As of April 16th, UISO has observed attackers scanning for vulnerable hosts. These scans may result in denial of service on unpatched systems.
In the UISO's opinion, it is likely that attacks based on this vulnerability will increase in the near future due to the wide range of systems affected.
System administrators should install the patch on all publicly facing servers that utilize the HTTP.sys component (including IIS) as soon as possible.
While IIS may be the largest attack surface, other services that use the HTTP.sys component and Kernel Mode Caching may be vulnerable. A Microsoft developer confirmed Remote PowerShell and WinRM do not use Kernel Mode Caching. Other Windows components that use HTTP.sys include Network Discovery Service, Active Directory Federation Services, and SQL Reporting Services. HTTP.sys may also be used by third-party software installed on systems. System administrators can use the command "netsh HTTP show servicestate" to view active HTTP queues managed by HTTP.sys.
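One way to turn that check into an inventory script, as an added example that is not part of the UISO advisory or of Microsoft's guidance: it parses the output of the netsh command above to list every URL registered with HTTP.sys and the processes attached to its request queues, then reports whether a hotfix is installed. The KB number is a placeholder to be taken from the MS15-034 bulletin, and the assumption that bare numeric lines in the netsh output are process IDs is noted in the code.

```powershell
# Added example (not from the UISO advisory or Microsoft). Run from an elevated prompt;
# netsh needs administrative rights to read the HTTP.sys service state.
# $KbId is a placeholder: substitute the KB number listed in bulletin MS15-034.
param([string]$KbId = 'KB-PLACEHOLDER')

function Get-HttpSysInventory {
    # Full HTTP.sys state: server sessions, URL groups and request queues.
    $lines = netsh http show servicestate

    $urls = @()
    $pids = @()
    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t -match '^HTTPS?://') {
            # Registered URL reservations, e.g. "HTTP://+:80/" (IIS) or "HTTP://+:5985/WSMAN/" (WinRM).
            $urls += $t
        }
        elseif ($t -match '^\d+$') {
            # Assumption: the only bare numeric lines are the PIDs listed under "Process IDs:".
            $pids += [int]$t
        }
    }

    # Resolve each attached PID to a process name so third-party HTTP.sys consumers stand out.
    $procs = $pids | Sort-Object -Unique | ForEach-Object {
        $p = Get-Process -Id $_ -ErrorAction SilentlyContinue
        [pscustomobject]@{ Pid = $_; Name = if ($p) { $p.ProcessName } else { '<exited>' } }
    }
    [pscustomobject]@{ RegisteredUrls = @($urls | Sort-Object -Unique); Processes = @($procs) }
}

function Test-HotfixInstalled([string]$Id) {
    # Get-HotFix emits a non-terminating error when the ID is absent; treat that as "not installed".
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

$inv = Get-HttpSysInventory
"Registered HTTP.sys URLs ({0}):" -f $inv.RegisteredUrls.Count
$inv.RegisteredUrls | ForEach-Object { "  $_" }
"Processes attached to HTTP.sys request queues:"
$inv.Processes | Format-Table -AutoSize
if (Test-HotfixInstalled $KbId) { "$KbId is installed." }
else { "$KbId not found: install the patch or apply the bulletin's IIS workaround." }
```

Any host that lists URLs or processes here exposes HTTP.sys and belongs on the patch list, even when IIS itself is not installed.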
As of April 14th, a patch is available for affected systems. System administrators who are unable to install the patch can implement the workaround provided in the Microsoft bulletin; however, this may have a performance impact and is only for IIS, not other potentially affected components that use HTTP.sys.