Windows HTTP.sys vulnerability, “Heartbleed for Windows”

If you are not already aware, the SANS Internet Storm Center took the unusual step yesterday of raising its internet threat level (Infocon) from Green to Yellow in response to the Windows HTTP.sys vulnerability, MS15-034 (CVE-2015-1635) (https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/, or https://technet.microsoft.com/library/security/MS15-034; edit: fixed the link to point to the correct bulletin).

This vulnerability was originally published as a denial-of-service issue: a single crafted HTTP request (a malformed Range header) can blue-screen a server. Since the bulletin was released, it has been shown that the same bug can be used to read kernel memory, and suspicion is mounting that a well-crafted series of requests could be used to execute code remotely. Denial-of-service attacks ARE HAPPENING IN THE WILD RIGHT NOW.

The vulnerable component is HTTP.sys, the kernel-mode driver that parses HTTP requests. It is used by IIS and by many other Windows services: Exchange, Lync and AD FS, for example, all sit on IIS and so depend on it. Some client applications also use this driver for HTTP communications, so any Windows host that listens on HTTP through it is exposed, not only machines you think of as web servers. On a given box, `netsh http show servicestate` lists every URL that is registered with HTTP.sys and which process owns it, which is the quickest way to see what is actually reachable.
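As an added example (this is not code from the original post, nor from ISC or Microsoft), here is a non-destructive Python check that ties the two points above together: one crafted request is enough to see whether a host's HTTP.sys is patched, and because the driver is shared, the same probe works against any Windows service listening on HTTP, not just IIS. It sends the Range-header fingerprint described in the linked ISC diary (upper bound 2^64-1, lower bound 0, the form that does not crash the host): an unpatched HTTP.sys answers 416 Requested Range Not Satisfiable, while a patched one rejects the header with 400 "The request has an invalid header name". The Server-header heuristic, the verdict labels and the constructed sample responses in the comments are my assumptions, not anything Microsoft specifies.

```python
"""Non-destructive remote check for MS15-034 (CVE-2015-1635) in HTTP.sys.

Added example, not from the original post. It sends the single-request
fingerprint described in the ISC diary: a Range header whose upper bound
is 2**64-1. With a lower bound of 0 this request does not crash the host;
an unpatched HTTP.sys answers 416, a patched one rejects the header with 400.
"""
import socket
import ssl
import sys

# Upper bound 18446744073709551615 == 2**64 - 1. The lower bound is kept at 0
# on purpose: that is the form of the check that does not trigger the crash.
SAFE_RANGE = "bytes=0-18446744073709551615"


def build_probe(host: str, path: str = "/") -> bytes:
    """Build the single HTTP/1.1 request used for the check."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {SAFE_RANGE}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify(response: bytes) -> str:
    """Turn a raw HTTP response into one of (labels are my own):
    'vulnerable'  - 416 from an HTTP.sys-backed server (bug present)
    'patched'     - 400 'invalid header name' (MS15-034 installed)
    'not-httpsys' - Server header names something other than IIS/HTTP.sys
    'unknown'     - anything else (e.g. 200 because the handler ignored Range;
                    retry against a static file such as /iisstart.htm)
    """
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split() if lines else []
    code = status[1].decode("ascii", "replace") if len(status) > 1 else ""
    server = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            server = value.strip().decode("ascii", "replace").lower()
    # A 416 from nginx/Apache is just a normal range response, not this bug.
    if server and "microsoft" not in server:
        return "not-httpsys"
    if code == "416":
        return "vulnerable"
    if code == "400" and b"invalid header name" in body.lower():
        return "patched"
    return "unknown"


def probe(host: str, port: int = 80, path: str = "/",
          use_tls: bool = False, timeout: float = 5.0) -> str:
    """Send the probe to a live host (only one you are authorized to test)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_probe(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    # Usage: python ms15034_check.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(target, probe(target, port=port, use_tls=(port == 443)))
```

Run it only against hosts you are authorized to test. A 200 means the handler ignored the Range header and the check was inconclusive, not that the box is clean; point it at static content instead. Do not alter the Range value: the lower bound of 0 is what keeps this request from blue-screening an unpatched server. The result is a fingerprint of patch state, not proof of exploitability, and the authoritative check remains whether the MS15-034 update is installed.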

“Heartbleed for Windows” is a rough analogy, but more accurate than not: like Heartbleed, this is a memory-disclosure bug in a network-facing component shared by a large number of products, with the added twist that this one lives in the kernel and can also crash the host outright.

This is a good opportunity to talk to your clients: first, to make sure they are aware of and reacting to this critical vulnerability (and to offer help if they need it getting their security feet under them), and second, to talk about patch management as a standing process over the long term, so this type of issue does not take them by surprise in the future.