4 no-bull facts about Microsoft's HTTP.sys vulnerability

sec vulnerability lock bolt
Credit: Shutterstock

The latest Web server vulnerability affects desktop systems as well as Microsoft products

Earlier this week, between all of its other patch meltdowns, Microsoft published details about a vulnerability (MS15-034) that affects the Windows HTTP stack.

Sounds like a problem that only affects Windows servers, right? Wrong -- it hits a whole range of Windows products, including desktop versions of Windows.

Here are four of the most crucial notes about this vulnerability, for which Microsoft has already readied a patch.

1. The problem affects systems that aren't servers or even running IIS

HTTP.sys, the vulnerable Windows component in this issue, is a kernel-mode device driver used to process HTTP requests at high speed. IIS 6.0 and up make use of it, meaning it's been a fixture of Windows since 2003. (Not all programs that work as Web servers in Windows have made use of HTTP.sys, as this post from 2011 documented.)

The real problem is that HTTP.sys isn't present in only the server versions of Windows -- it's also present in Windows 7 and Windows 8 (and 8.1). That means any desktop systems notbeing patched diligently are also vulnerable to this issue.

2. It's easy to exploit

Microsoft has been deliberately vague about what it would take to exploit this vulnerability, saying only "a specially crafted HTTP request" could be used to trigger it. Mattias Geniar of hosting solutions provider Nucleus claims to have tracked down "the first snippets of exploit code" for the issue.

3. This variety of attack has been used on other Web servers

According to Geniar, the attack can be executed by simply sending a single HTTP request with a malformed range request header, a technique normally used to allow a host to retrieve a portion of a file from a Web server.

Back in 2011, a vaguely similar attack was documented for the Apache HTTPD Web server. That vulnerability was patched soon enough, and a workaround (note: Dutch text on page) could also be implemented by editing the .htaccess file for a given website. But this attack is alleged to work on systems that aren't formally running a Web server, complicating matters.

4. You can easily check if you're vulnerable

Now for some good news: It's relatively easy to tell if a server you're dealing with has been patched or not. Developer "Pavel" has created a website (with open source code) that allows any public-facing Web server to be tested for the presence of the bug. If the tool says anything other than "[domain] is patched," you'd better look into updating the system in question.

Bottom line: Patch if you haven't, and be wary of how this problem can potentially affect systems that were never meant to be servers in the first place.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies