
4/15/2015

Microsoft HTTP.sys remote execution vulnerability

Digital Edge is committed to providing the highest levels of security within all the IT infrastructure environments under its care. In order to achieve this utmost goal for all of our clients, we continuously maintain vigilance both on the productive side of IT as well as on its destructive side. We thus send out news and security bulletins such as this one from time to time to ensure that our clients are informed and educated on any important developments in IT security and are fully aware of what we are doing to ensure that we and our clients are always at the Cutting and at the Digital Edge of technology.  

On Tuesday, April 14, 2015, Microsoft issued a cumulative patch for multiple critical vulnerabilities, one of which is particularly dangerous and needs to be patched urgently.

The Digital Edge Security Team has analyzed the reported details, and one vulnerability raises a particularly high level of concern. Security Bulletin MS15-034 could become very dangerous very soon. The vulnerability allows remote code execution with system-level privileges over the standard HTTP protocol.

Put simply, someone can figure out how to issue a request to your web site running on IIS and gain access to your server. Firewalls or other security measures will not protect your server from such an attack. Our security team has researched the black hat network and did not find any worms or crawlers exploiting this weakness using automation on a massive scale but we are quite sure that it will not take long for hackers to commence testing and exploiting this hole in the Microsoft Windows defense.

This is the second vulnerability discovered in the HTTP.sys module of the Windows operating system. In 2013, security engineers discovered a vulnerability that allowed a hacker to put a Windows system running IIS 7 into an infinite loop. MS15-034 is even worse: it allows someone to execute code in the SYSTEM account context. The SYSTEM account has the highest privileges and can be used to infect the remote computer, deploy remote control software or steal information.

The Digital Edge Security Team started receiving messages from other security professionals in the industry, both the "black hats" and the "white hats". Everybody is in agreement that this is a pretty high priority.

One credible security expert, discussing the possibility of an automated crawler or a worm and any online references to such a possibility, said: "No, no one would publish an exploit for this anytime soon because it is worth so much money to .gov contractors and the black market." So even if everything is quiet, it doesn't mean that there is no massive exploitation or automated probing going on today.

The problem can be fixed by applying the cumulative patch from April 14, 2015, or by disabling IIS kernel caching, but the latter can impact overall server performance.
 
Digital Edge recommends applying the patch as soon as possible (note, Fully Managed clients will be patched by Digital Edge).
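The following PowerShell script is an added example, not code from the Digital Edge bulletin: it checks whether the April 14, 2015 update is installed on an IIS host and, if it is not, applies the interim workaround the bulletin names by disabling IIS kernel caching. It assumes the WebAdministration module that ships with IIS 7 and later, and the KB number is a placeholder because the bulletin does not state it.

```powershell
# Added example (not from the Digital Edge bulletin). Run in an elevated
# PowerShell session on the IIS server. Assumes the WebAdministration module.
Import-Module WebAdministration

# Placeholder: the bulletin gives no KB number; take it from Microsoft's MS15-034 page.
$PatchKb = 'KB<number from MS15-034>'

# Step 1: is the cumulative update already installed? If so, nothing else to do.
$installed = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($installed) {
    Write-Output "$PatchKb is installed (installed on $($installed.InstalledOn)); no workaround needed."
    return
}
Write-Output "$PatchKb not found; applying the kernel-caching workaround."

# Step 2: read the current server-wide setting. The default, and the state the
# bulletin's workaround targets, is enableKernelCache = True.
$before = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/caching' -Name 'enableKernelCache'
Write-Output "enableKernelCache before: $($before.Value)"

# Step 3: disable kernel caching at the server level (applies to all sites that
# inherit it). Expect a performance cost, as the bulletin notes; re-enable after patching.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false

# Step 4: confirm the change took effect.
$after = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/caching' -Name 'enableKernelCache'
Write-Output "enableKernelCache after:  $($after.Value)"
```

Sites that override the `caching` section in their own web.config keep their own value, so check those individually before treating the server as mitigated.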

 

More news:

The Government Accountability Office reports that some newer aircraft such as the Boeing 787 Dreamliner, the Airbus A350 and Airbus A380 could be vulnerable to attack through their advanced high tech cockpits which are integrated with these aircraft’s WiFi systems for on board passengers.

Digital Edge is committed to securing all of its controlled IT infrastructure environments, to advising its IT community about possible vulnerabilities, newly discovered weaknesses and hacks, and to providing security news and events.

If you feel that you need assistance from the Digital Edge Security team please contact us at support@digitaledge.net

Michael Petrov
Founder, Chief Executive Officer

Michael brings 30 years of experience as an information architect, optimization specialist and operations advisor. His experience includes extensive high-profile project expertise, such as mainframe and client-server integration for Mellon Bank, extranet systems for Sumitomo Bank, and architecture and processing workflow for the alternative investment division of US Bank. Michael possesses advanced knowledge of security standards such as ISO 27001, NIST, SOC and PCI, which he brings into every solution delivered by Digital Edge. These security solutions and standards are extended into public clouds such as AWS and Azure.
