Security researchers at SANS Internet Storm Center revealed that the critical remote code execution vulnerability MS15-034 affecting the Windows HTTP protocol stack is being actively exploited in the wild. The experts explained that the MS15-034 flaw affects Windows 7, 8, and 8.1, Windows Server 2008 R2, 2012, and 2012 R2 leaving over 70 million websites vulnerable to cyber attacks.
“This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.” states the Microsoft security bulletin.
The vulnerability resides in new IIS releases and does not impact sites that use Windows Server 2003.
The exploitation of the flaw is quite easy, attackers just need to send a specially crafted HTTP request to a vulnerable ISS server.
“The problem is that this will easily crash systems,” says Johannes Ullrich, CTO of the SANS Internet Storm Center. “It is not a denial of service, and not easily a data leakage issue like Heartbleed. But even crashing millions of IIS servers could cause significant impact, as many large sites use IIS.”
Microsoft has patched the MS15-034 flaw this week by disabling IIS kernel caching, but experts warn that this solution would cause performance decrease.
To better understand the real impact of the flaw let consider more than 70 million websites are potentially vulnerable according a survey conducted by the Netcraft firm.
“Netcraft’s latest Web Server Survey shows more than 70 million websites could be vulnerable, including Microsoft IIS servers that sit behind non-Windows load balancers. The total number of servers involved in hosting these sites stands at around 900,000, which is more than a sixth of all web-facing computers in the world.” wrote Netcraft in a blog post.
Security experts at Sans and at Qualys warned that the attack observed were conducted using an exploit code that could be easy to find in the criminal ecosystem.
“These are real attackers, as they use the version of the exploit that will crash systems,” Ullrich says. “The exploit used by researchers did not crash systems. There is currently remote code execution exploit in sight.”
“We rated it the top bulletin this month,” says Qualys CTO Wolfgang Kandek, “because the code is known to attackers already and it does not look to be very difficult [to exploit]. With Microsoft publishing the bulletin, the current owners of the exploit will most likely sell it off to as many interested parties as possible to get maximum benefit from its now limited lifespan. I continue to rank it as: ‘Fix as quickly as possible.'”
The experts urge to update the systems in order to patch the MS15-034 flaw.
(Security Affairs – MS15-034, Microsoft)