Microsoft recently released details about the newest vulnerability (MS15-034) in the Windows HTTP stack. Given other recent problems with Microsoft patches, the issue may have been downplayed a bit to save face. This vulnerability, however, is more serious than it initially seemed.
The MS15-034 vulnerability is widespread. Although Windows servers are most at risk, this problem affects most products that run Windows. The flaw lies in the HTTP.sys component, a kernel-mode device driver that processes HTTP requests quickly.
This component has been an integral part of Windows since 2003 and is present in all versions up to Windows 8.1. This means that any device running Windows without up-to-date patches is at risk.
It isn’t difficult to exploit this vulnerability. The only thing Microsoft is divulging about how MS15-034 can be used to compromise devices is that it requires “a specially crafted HTTP request.” It seems that this information is deliberately vague.
All one has to do is send an HTTP request with a modified Range header, and access to data is granted, although that access is sometimes limited. A similar attack on the Apache HTTPD web server was documented in 2011 and later patched.
There is good news though. As in other areas of life, prevention is far more effective than trying to deal with a problem’s aftermath. It isn’t difficult to protect your devices from the MS15-034 vulnerability.
The first step is to ensure that your server has the latest updates that include the patch to fix the problem.
If your server hosts a publicly accessible application, you can check whether it is vulnerable: go to https://lab.xpaw.me/MS15-034, enter your server’s URL, and press the Check button for an instant report on your site.
If you then see the report that the website has been patched, you’re safe; otherwise, that particular system will need to be patched.
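Alongside patching, captured requests can be screened for the kind of abnormal Range header described above. The following is an added example, not code from Microsoft or from the original article; the article does not say how the header is modified, so the 10 GiB size ceiling, the record layout (as a reverse proxy or WAF might capture it) and the sample records are all assumptions constructed for illustration.

```python
import re

# Assumption: no file served by this site is larger than 10 GiB, so a
# legitimate client never needs a byte offset beyond this value.
MAX_PLAUSIBLE_OFFSET = 10 * 1024**3

# One byte-range-spec: "first-last", "first-" or "-suffix".
# The digit cap keeps absurdly long numbers from reaching int().
_SPEC = re.compile(r"^(\d{0,20})-(\d{0,20})$")

def check_range_header(value, max_offset=MAX_PLAUSIBLE_OFFSET):
    """Return the reasons a Range header looks abnormal (empty list = fine)."""
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return ["not a bytes range"]
    reasons = []
    for spec in (s.strip() for s in specs.split(",")):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            reasons.append(f"malformed spec {spec!r}")
            continue
        first, last = m.group(1), m.group(2)
        if any(int(n) > max_offset for n in (first, last) if n):
            reasons.append(f"offset beyond {max_offset} in {spec!r}")
        if first and last and int(first) > int(last):
            reasons.append(f"first > last in {spec!r}")
    return reasons

def scan(requests):
    """requests: iterable of (client, path, range_header or None).
    Return the records whose Range header is abnormal, with the reasons."""
    return [(c, p, r, why) for c, p, r in requests
            if r and (why := check_range_header(r))]

# Constructed sample records (documentation IP range, invented paths).
SAMPLE = [
    ("192.0.2.10", "/index.html", "bytes=0-1023"),
    ("192.0.2.10", "/video.mp4", "bytes=500-"),
    ("192.0.2.77", "/logo.png", "bytes=0-99999999999999999999"),
    ("192.0.2.78", "/logo.png", "bytes=abc-def"),
    ("192.0.2.11", "/about.html", None),
    ("192.0.2.12", "/file.zip", "bytes=-500"),
]

if __name__ == "__main__":
    for client, path, header, why in scan(SAMPLE):
        print(client, path, header, why)
```

A hit from this check is a reason to look at that client and to confirm the server's patch level, not proof of compromise.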