Very recently, Microsoft released details about the newest vulnerability (MS15-034) in the Windows HTTP stack's armor. Given other recent problems with Microsoft patches, this one may have been downplayed a bit to save face. The vulnerability, however, is more serious than it initially seemed, and here is some important information about the issue that has slipped under many people's radar:
The MS15-034 vulnerability is widespread. Although Windows servers are most at risk, this problem affects most products that run Windows. The chink in question lies in the HTTP.sys component, which is a kernel-mode device driver that processes HTTP requests quickly. This component has been an integral part of Windows since 2003 and is present in all versions up to Windows 8.1. This means that any device running Windows without up-to-date patches is at risk.
It isn't difficult to exploit this vulnerability for an attack. The only thing Microsoft is divulging about how MS15-034 can be used to compromise devices is that it requires "a specially crafted HTTP request." It seems that this information is deliberately vague. Bits of exploit code are already floating about in cyber land, and similar attacks have been carried out in the past. All one has to do is send an HTTP request with a modified Range header, and access to data, although sometimes limited, is granted. A similar attack was documented in 2011 against the Apache HTTPD web server and was later patched, but it didn't take long for a workaround to rear its head in the form of editing a website's .htaccess file.
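Because the trigger is a malformed Range header, the defensive control that sits most naturally in front of an origin you cannot patch immediately is a strict Range header validator in a reverse proxy or WAF layer. The following is an added example written for this article, not code from Microsoft or from any product mentioned here: it parses RFC 7233 byte ranges and rejects anything malformed, inverted, starting beyond the resource, or using an offset larger than a configurable policy bound. `MAX_OFFSET`, the `check_range_header` function and the sample headers in `SAMPLE_REQUESTS` are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy bound (constructed for this example): the largest byte offset we are
# willing to accept in any Range header. Pick a value above the largest object
# the server actually serves; anything bigger has no legitimate purpose.
MAX_OFFSET = 2**32 - 1

# "bytes=<specs>" with optional whitespace; only the bytes unit is accepted.
_RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)


@dataclass
class RangeVerdict:
    ok: bool
    reason: str
    ranges: List[Tuple[Optional[int], Optional[int]]]  # (start, end), None = open


def check_range_header(value: str, content_length: int,
                       max_ranges: int = 8) -> RangeVerdict:
    """Validate an HTTP Range header for a resource of content_length bytes.

    Returns a verdict a proxy or WAF rule can act on (block or log) before the
    request reaches the origin server. Legitimate cases such as suffix ranges
    ("bytes=-500") and open-ended ranges ("bytes=0-") are accepted; an end
    offset past the end of the resource is fine because servers clamp it.
    """
    m = _RANGE_SPEC.match(value)
    if not m:
        return RangeVerdict(False, "unsupported or malformed range unit", [])

    specs = [s.strip() for s in m.group(1).split(",")]
    if len(specs) > max_ranges:
        return RangeVerdict(False, f"too many ranges ({len(specs)})", [])

    parsed: List[Tuple[Optional[int], Optional[int]]] = []
    for spec in specs:
        if "-" not in spec:
            return RangeVerdict(False, f"malformed range spec {spec!r}", [])
        first, last = spec.split("-", 1)
        if not (first == "" or first.isdigit()) or not (last == "" or last.isdigit()):
            return RangeVerdict(False, f"non-numeric range spec {spec!r}", [])
        if first == "" and last == "":
            return RangeVerdict(False, "empty range spec", [])

        start = int(first) if first else None
        end = int(last) if last else None

        # Offsets far beyond any real object are the signature of abuse rather
        # than of a client resuming a download.
        for offset in (start, end):
            if offset is not None and offset > MAX_OFFSET:
                return RangeVerdict(False, f"offset {offset} exceeds MAX_OFFSET", [])
        if start is not None and end is not None and start > end:
            return RangeVerdict(False, f"range start {start} after end {end}", [])
        if start is not None and start >= content_length:
            return RangeVerdict(False, "range starts beyond end of resource", [])
        parsed.append((start, end))

    return RangeVerdict(True, "ok", parsed)


# Constructed sample requests: (Range header value, Content-Length of resource).
SAMPLE_REQUESTS = [
    ("bytes=0-1023", 4096),            # ordinary partial download
    ("bytes=-500", 4096),              # suffix range, valid
    ("bytes=0-", 4096),                # open-ended, valid
    ("bytes=0-99999999999999", 4096),  # offset far beyond any real object
    ("bytes=500-100", 4096),           # inverted range
    ("bytes=5000-6000", 4096),         # starts past the end of the resource
    ("bytes=abc-def", 4096),           # non-numeric
]


def triage_samples() -> List[Tuple[str, bool, str]]:
    """Run every sample through the validator; returns (header, ok, reason)."""
    return [(h, v.ok, v.reason)
            for h, length in SAMPLE_REQUESTS
            for v in [check_range_header(h, length)]]


if __name__ == "__main__":
    for header, ok, reason in triage_samples():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {header!r:28} {reason}")
```

The bound is deliberately a policy knob rather than a hard-coded constant: on a server that never serves files above a few gigabytes, a lower `MAX_OFFSET` tightens the rule with no effect on real clients, and each rejection carries a reason string that can go straight into the proxy's log for detection.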
There is good news though. As in other areas of life, prevention is far more effective than trying to deal with a problem's aftermath. It isn't difficult to protect your devices from the MS15-034 vulnerability. The first step is to ensure that your server has the latest updates, which include the patch that fixes the problem. If your server hosts a publicly accessible application, you can verify whether it is vulnerable by going to https://lab.xpaw.me/MS15-034, entering your server's URL, and pressing the Check button. If you then see a report that the website has been patched, you're safe; otherwise, that particular system will need to be patched.