Microsoft has patched a critical vulnerability in the Windows HTTP protocol stack, known as HTTP.sys, which could have devastating consequences once it’s inevitably publicly exploited.
The bulletin, MS15-034, is one of four critical bulletins issued today by Microsoft. Experts warn that exploiting the vulnerability is trivial and could lead to remote code execution and privilege escalation on a compromised machine.
“What this means is that once an attacker knows how to create the ‘specially crafted HTTP request’ they can simply start targeting every web server they can find until they hit one that is vulnerable. The first concern is that the workaround provided by Microsoft is very limited and doesn’t provide IT admins much to protect themselves while they test and deploy the patch,” said Andrew Storms, vice president of security services for New Context. “The second concern is the sheer number of Windows web servers. There are more Linux servers in terms of total numbers, but Windows servers are more popular in the corporate environment and many of them store very valuable assets.”
Microsoft said a temporary workaround is to disable IIS kernel caching, but cautioned that doing so could cause performance issues. The vulnerability is not being exploited in the wild, Microsoft said, adding that it affects Windows 7, Windows Server 2008 R2, Windows 8 and 8.1, Windows Server 2012 and 2012 R2, and the Server Core installation option.
“An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for a second local vulnerability to escalate privilege, become administrator and install permanent exploit code,” said Wolfgang Kandek, CTO at Qualys. “The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the Internet.”
Craig Young, security researcher at Tripwire, said the flaw appears to be related to IIS kernel caching support.
“It’s likely that we’ll see this bug being exploited in the wild in a very short timeframe,” Young said. “Interestingly enough however, MS15-034 does not affect the older Windows Server 2003 IIS platform, indicating that this bug was introduced in the newer IIS releases.”
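The workaround Microsoft describes above is a single IIS configuration attribute. The PowerShell below is an added example, not code from Microsoft or from the article, showing how to record the current state, apply the workaround at the server level, confirm no individual site overrides it, and revert once the patch is deployed. It assumes the WebAdministration module (IIS 7.5 and later) and an elevated session; the attribute name enableKernelCache under system.webServer/caching is the IIS setting the bulletin's "disable IIS kernel caching" refers to.

```powershell
# Added example (not from the MS15-034 bulletin or the article): toggle the
# IIS kernel-caching workaround. Assumes the WebAdministration module and an
# elevated PowerShell session on the affected server.
Import-Module WebAdministration

$filter = 'system.webServer/caching'
$server = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, server-wide default

function Get-KernelCacheState {
    param([string]$PSPath = $server)
    (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name 'enableKernelCache').Value
}

function Set-KernelCacheState {
    param([bool]$Enabled)
    Set-WebConfigurationProperty -PSPath $server -Filter $filter -Name 'enableKernelCache' -Value $Enabled
}

# Record the pre-change state so the workaround can be reversed after patching.
$before = Get-KernelCacheState
Write-Host "server default enableKernelCache before: $before"

# Apply the workaround. Expect slower delivery of cacheable static content;
# Microsoft warns of performance issues, so measure before rolling this out widely.
Set-KernelCacheState -Enabled $false
Write-Host "server default enableKernelCache after:  $(Get-KernelCacheState)"

# A site-level setting overrides the server default, so check every site too.
Get-Website | ForEach-Object {
    $state = Get-KernelCacheState -PSPath "IIS:\Sites\$($_.Name)"
    if ($state) { Write-Warning "site '$($_.Name)' still has enableKernelCache=True" }
    '{0,-30} enableKernelCache={1}' -f $_.Name, $state
}

# After the MS15-034 update is installed and verified, restore the original value:
# Set-KernelCacheState -Enabled $before
```

Because this only removes the kernel-cache code path, it is a stopgap rather than a fix; the patch itself remains the priority, which is the limitation Storms refers to above.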
Windows admins should also prioritize a critical bulletin that addresses a publicly disclosed vulnerability in Office.
MS15-033 patches three vulnerabilities that are rated critical for older versions of Office components such as Word 2007 and Office 2010, but rated important for Office 2013, SharePoint Server 2013 and Office Web Apps Server 2013.
One of the vulnerabilities, CVE-2015-1641, has been publicly disclosed, and Microsoft said it is aware of limited attacks attempting to exploit the bug, a memory corruption issue that can lead to remote code execution. The bulletin also fixes a pair of use-after-free vulnerabilities in Office that could lead to remote code execution.
The bulletin also patches a cross-site scripting vulnerability in Microsoft Outlook for Mac.
Microsoft today also patched Internet Explorer. The latest cumulative update for the browser includes a number of fixes for vulnerabilities that were privately disclosed during the Pwn2Own contest last month.
MS15-032 patches 10 vulnerabilities in IE, including nine memory corruption issues and an ASLR bypass, none of which is being publicly exploited. The vulnerabilities range from security feature bypass and elevation of privilege to information disclosure and remote code execution.
The final critical bulletin, MS15-035, patches a vulnerability in the way Windows processes certain Enhanced Metafile (EMF) graphics and images.
“The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file,” Microsoft said in its advisory. “In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.”
There were seven other bulletins released today, all rated important:
- MS15-036 patches elevation of privilege vulnerabilities in SharePoint Server
- MS15-037 addresses an elevation of privilege vulnerability in Windows Task Scheduler
- MS15-038 fixes elevation of privilege vulnerabilities in Windows involving NtCreateTransactionManager and MS-DOS device names
- MS15-039 patches a security feature bypass vulnerability in XML Core Services
- MS15-040 patches an information disclosure bug in Active Directory Federation Services
- MS15-041 patches an information disclosure vulnerability in .NET Framework
- MS15-042 patches a denial of service flaw in Windows Hyper-V
Adobe Patches Flash, ColdFusion, Flex
Adobe released updates today for Flash Player, ColdFusion and Flex. The Flash update patches a vulnerability that has been exploited in the wild, Adobe said.
The Flash update resolves 22 security issues, including CVE-2015-3043, a remote code execution bug under attack.
Affected versions are: Adobe Flash Player 17.0.0.134 and earlier versions for Windows and Macintosh; Adobe Flash Player 13.0.0.277 and earlier 13.x versions; Adobe Flash Player 11.2.202.451 and earlier 11.x versions for Linux.
The ColdFusion update, meanwhile, addresses one vulnerability, CVE-2015-0345, an input validation bug that is not under attack, Adobe said.
“This vulnerability could lead to reflected cross-site scripting,” Adobe said in its advisory.