A newly patched vulnerability in Windows has set alarm bells ringing because it can be used to remotely execute code on unpatched computers. Unsuccessful attempts may result in a blue screen of death (BSoD) condition, which could be used as a means to perform denial-of-service (DoS) attacks against computers running Microsoft Internet Information Services (IIS) servers.
The Microsoft Windows HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2015-1635) was patched this week, as outlined in the Microsoft security bulletin MS15-034. This vulnerability affects Windows 8.1, Windows 8, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows 7. If left unpatched, the vulnerability could enable remote code execution if an attacker sends a specially crafted HTTP request to a Windows computer.
Johannes Ullrich of the SANS Internet Storm Center warned that DoS exploits for the vulnerability are already widely available. Because IIS has more than a third of the web server market, administrators are in a race to get web servers patched before attacks begin.
According to the latest market research from Netcraft, more than 70 million websites could be vulnerable if unpatched.
Figure. Microsoft IIS runs on just over a third of all web servers (Source: Netcraft)
While attention has been focused on the vulnerability’s potential to attack Microsoft IIS servers, it affects more than just IIS. HTTP.sys is used by Windows to parse HTTP requests and any application using HTTP.sys could be affected.
Protection

Symantec and Norton products protect against exploits of this vulnerability with the following IPS signature: