Recently Patched Windows Flaw Exploited in the Wild for DoS Attacks

[Reefa]

SANS Institute researchers advise system administrators to update their Windows operating systems as soon as possible because one of the critical vulnerabilities patched by Microsoft earlier this week is being exploited in the wild.

The vulnerability in question, CVE-2015-1635 or MS15-034, plagues the HTTP protocol stack (HTTP.sys). The component is used in Internet Information Services (IIS) versions found in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Rated “critical” by Microsoft, the security hole can be exploited by sending specially crafted HTTP requests to an affected system. According to Microsoft, the flaw can be exploited for remote code execution.

While so far no one appears to have been able to develop an exploit for remote code execution, a denial-of-service (DoS) exploit was made publicly available shortly after Microsoft announced patching the vulnerability.

On Thursday, researchers at the SANS Institute reported seeing Internet-wide attempts to take down vulnerable systems by exploiting this vulnerability.

Johannes Ullrich, Chief Technology Officer of the SANS Internet Storm Center, noted that the hits detected by their honeypots are not just scans performed by someone who might be trying to determine if systems are vulnerable.

Instead, they are DoS attacks designed to disrupt affected systems.

Errata Security has attempted to conduct an Internet-wide scan to determine how many web servers are vulnerable, but the results of the test are inconclusive. On the other hand, Netcraft says more than 70 million websites hosted on a total of roughly 900,000 servers could be vulnerable.

Ullrich has noted that the vulnerability can also be leveraged for information disclosure, but the proof-of-concept exploits developed so far are not reliable.

Administrators are urged to install the updates provided by Microsoft to protect their systems against attacks. A workaround described by Microsoft involves disabling IIS kernel caching, but the company warns that this can cause performance issues.

Some experts have also pointed out that IIS is possibly not the only vulnerable piece of software because the HTTP.sys component is used for other services as well.

securityweek