Denys Rudyi - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

April 2015 Patch Tuesday addresses critical HTTP.sys flaw

Microsoft's April 2015 Patch Tuesday release is lighter than usual with 11 total bulletins, but experts say that system admins should immediately install a critical HTTP.sys patch for Windows Server.

Microsoft's April 2015 Patch Tuesday release today addresses a zero-day flaw in Office, and patch management experts say system admins should also take special notice of the Windows Server patch.

The release, which Microsoft calls Update Tuesday but is still widely known as Patch Tuesday, included 11 total bulletins, four of which were labeled as "critical."

On top of the priority list according to multiple experts is MS15-034, a critical bulletin that only patches a single vulnerability (CVE-2015-1635), but has been hightlighted as one that system admins should patch immediately.

Microsoft said it is a vulnerability in HTTP.sys that could allow remote code execution through the use of a specially crafted HTTP request, and it affects Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Ryan Krause, vulnerability audit development manager for Phoenix-based BeyondTrust Software Inc., said that this vulnerability takes top billing because it can "allow an unauthenticated attacker to remotely execute code in the context of the System account.

"Because this flaw exists in the HTTP.sys driver the code is executing at a higher privilege level, hence the System context," Krause said. "If you're going to patch anything today, patch this, because nobody can afford to leave an unauthenticated remote code-execution flaw exposed to attackers for very long."

Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., agreed, adding that this vulnerability will likely be exploited in the wild very soon.

"At first glance it appears that this flaw is related to IIS kernel caching support as it pertains to processing crafted HTTP request headers and will likely see exploitation in the wild on a short timeframe," Young said. "For server admins, it will be top priority to make sure that the HTTP.sys patch is applied or kernel caching is disabled on all affected systems including IIS servers used in other Microsoft server products."

MS15-033 is a critical bulletin that includes five patches for Microsoft Office, and Wolfgang Kandek, chief technology officer for security vendor Qualys Inc., based in Redwood Shored, Calif., says the one to really worry about is CVE-2015-1641, a zero-day memory-corruption vulnerability caused by improper handling of Rich Text Format (RTF) files.

If you're going to patch anything today, patch this, because nobody can afford to leave an unauthenticated remote code-execution flaw exposed to attackers for very long.
Ryan Krausevulnerability audit development manager, BeyondTrust Software Inc.

If successfully exploited, this vulnerability can lead to remote code execution, and the attacker being able to perform actions within the security context of the affected user profile.

Microsoft said it is aware of "limited attacks" that attempt to exploit this vulnerability, and that the vulnerability affects Office 2007, 2010, 2013, and Office 2011 for Mac.

Kandek believes that this should be a critical patch, even though Microsoft has not listed it as one.

"Microsoft rates it only 'important' because the exploit requires the user to open a malicious file," Kandek said "This is a very low security barrier at most organizations as it is part of the job for employees to open Word .docx files and they have come to trust the format."

Kandek also highlighted CVE-2015-1649 and 1651 in the Office bulletin, which are also remote code-execution vulnerabilities in Office 2007 and 2010. Kandek said they can be "triggered by just looking at an email in the Outlook preview pane."

MS15-032 is this month's set of Internet Explorer patches, which includes patches for versions spanning from IE 6 to IE 11 on multiple versions of Windows. Microsoft says that the most severe vulnerabilities can lead to remote code execution by getting the user to view a specially crafted Web page.

Krause said that in addition to the vulnerability patches in this release, Microsoft is also disabling SSL 3.0 support by default in IE 11.

"Given the recent attacks against SSL such as POODLE, this is an excellent first step toward phasing it out in favor of TLS 1.2 and above," Krause said. "Microsoft also indicated that they shored up IE's protection by including defense-in-depth measures in this month's patch."

The last critical bulletin is MS15-035, which targets a vulnerability in the Microsoft Graphics Component in Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.

Microsoft says that this vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. However, Microsoft noted that an attacker would have no way to force a user to take these actions.

The rest of the bulletins are all labeled as "important." Three of the vulnerabilities could lead to elevation of privileges through flaws in Microsoft SharePoint Server, Microsoft Task Scheduler, and Windows; one details a vulnerability in XML Core Services that could result in security feature bypass; two vulnerabilities could cause an information disclosure due to flaws in Active Directory Federation Services (AD FS) and .NET Framework; and the last is for a vulnerability in Hyper-V that could lead to a denial of service.

Next Steps

Catch up on the March 2015 Patch Tuesday news here.

Dig Deeper on Microsoft Patch Tuesday and patch management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Which patch is most important for your organization?
I'm just a person, no longer working in a large networked office, and my IT skills have rusted to dust in the wake of all the new and too-quickly changing technology, so my questions may sound too easy for you, but for me they're daunting, and I've no one to ask (not even my son). Are the patches I keep hearing about part of all the Windows Updates I'm sent? Or are they something separate? I sent a lengthy explanation of my present nightmare and some questions about 5 minutes ago after I perused your site, but I forgot to ask if patches like the HTTP.sys patch you mention here (brand new, probably waiting for me to install) might help cure some of the problems I've been having?  I doubt it, which is why I didn't mention it with my questions, but I just don't know...I don't understand this stuff anymore!  What's an HTTP.sys? (a file related to running the internet?), and what's wrong that it needs fixing?  I can't be having my identity stolen and used by hackers every 3-4 months as has been happening for almost 2 years now, but I've got so many other urgent matters in my life to deal with, trying to protect myself from being hacked and having my info and data stolen and streamed away, and having files corrupted and settings changed by some ghost hacker, my bank's become so fatiguing I am not able to defend myself against this person (I say "person" because I know who's doing it, but the copy won't take a report and the FBI hung up on me because I'm small potatoes, although the witch is not only invading my life like a ton of locusts, but the lives of dozens of others as well).  And I'm SO mentally exhausted after days of researching and trying to figure out how she did her latest voodoo so I can stop her from stealing my money and a lot more, I'm now getting to where I can't do all the other things that are demanded of me in my life.  I'm falling behind, I'm overwhelmed, I'm dizzy with confusion and frustrated there's no help here on this lonesome island...I can't go on like this!  I'm looking forward to your emails and updates (just hope I have time to read them all), and I'm praying you can help me with my immediate woes, because I have a list of "High priority to-do's" that just keeps growing because I have to spend all day every day until I'm too tired to think trying to protect myself from this 67-year old binary Blackbeard.  It's good to know there are so many young people out there who are really on top of these things; maybe if Microsoft would make a product that just worked right before they sold it it would help.  Frankly, I liked XP and wanted to stop and stay with it...and would have, but for new stuff making my stuff stop working (which is really not cool when you think about it).  Anyway, thanks for hearing me and hope you can help.  Aloha.