
April 2015 Patch Tuesday addresses critical HTTP.sys flaw

Microsoft's April 2015 Patch Tuesday release is lighter than usual with 11 total bulletins, but experts say that system admins should immediately install a critical HTTP.sys patch for Windows Server.

Microsoft's April 2015 Patch Tuesday release today addresses a zero-day flaw in Office, and patch management experts say system admins should also take special notice of the Windows Server patch.

The release, which Microsoft calls Update Tuesday but is still widely known as Patch Tuesday, included 11 total bulletins, four of which were labeled as "critical."

On top of the priority list, according to multiple experts, is MS15-034, a critical bulletin that patches only a single vulnerability (CVE-2015-1635) but has been highlighted as one that system admins should patch immediately.

Microsoft said the flaw is in HTTP.sys, the kernel-mode HTTP driver, and could allow remote code execution through a specially crafted HTTP request. It affects Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2.

Ryan Krause, vulnerability audit development manager for Phoenix-based BeyondTrust Software Inc., said that this vulnerability takes top billing because it can "allow an unauthenticated attacker to remotely execute code in the context of the System account.

"Because this flaw exists in the HTTP.sys driver the code is executing at a higher privilege level, hence the System context," Krause said. "If you're going to patch anything today, patch this, because nobody can afford to leave an unauthenticated remote code-execution flaw exposed to attackers for very long."

Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., agreed, adding that this vulnerability will likely be exploited in the wild very soon.

"At first glance it appears that this flaw is related to IIS kernel caching support as it pertains to processing crafted HTTP request headers and will likely see exploitation in the wild on a short timeframe," Young said. "For server admins, it will be top priority to make sure that the HTTP.sys patch is applied or kernel caching is disabled on all affected systems including IIS servers used in other Microsoft server products."
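
As an added example (not code from the article, from Microsoft or from the researchers quoted here), the following PowerShell script checks whether the MS15-034 update is installed on a Windows Server and, if it is not, applies the interim workaround Young mentions by turning off IIS kernel-mode output caching. It assumes the update ships as KB3042553 (the number in the bulletin's title) and that the IIS WebAdministration module is available; verify both against your own environment before relying on the script.

```powershell
# Added example, not from the article or Microsoft. Run in an elevated
# PowerShell session on an IIS server.
#
# Assumptions (verify for your environment):
#   - the MS15-034 update is KB3042553 (taken from the bulletin title)
#   - the IIS role is installed, so the WebAdministration module is present
$Ms15034Kb = 'KB3042553'

function Test-Ms15034Installed {
    # Get-HotFix queries Win32_QuickFixEngineering for installed updates.
    # A missing ID returns nothing (or an error on older versions), so
    # suppress the error and coerce the result to a boolean.
    $hotfix = Get-HotFix -Id $Ms15034Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-IisKernelCacheEnabled {
    Import-Module WebAdministration
    # Server-wide setting: system.webServer/caching/@enableKernelCache in
    # applicationHost.config. Some versions return the attribute object,
    # others the raw value, so handle both.
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache'
    if ($prop -is [bool]) { return $prop }
    return [bool]$prop.Value
}

function Disable-IisKernelCache {
    Import-Module WebAdministration
    # Same switch as IIS Manager > Output Caching > Edit Feature Settings >
    # "Enable kernel cache". This is a stopgap: it removes the code path the
    # bulletin's workaround targets but does not fix the driver, and it
    # costs you the performance benefit of kernel-mode caching.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
    # IIS re-reads applicationHost.config on change; uncomment to force it
    # at the cost of a brief outage.
    # & iisreset /noforce | Out-Null
}

if (Test-Ms15034Installed) {
    Write-Output "$Ms15034Kb is installed; HTTP.sys is patched for CVE-2015-1635."
}
elseif (Get-IisKernelCacheEnabled) {
    Write-Warning "$Ms15034Kb is missing and kernel caching is enabled; applying workaround."
    Disable-IisKernelCache
    Write-Output "Kernel caching disabled. Install $Ms15034Kb, then re-enable caching."
}
else {
    Write-Warning "$Ms15034Kb is missing; kernel caching is already off. Install the update."
}
```

The IIS setting only covers IIS sites. Other Microsoft products that register with HTTP.sys directly are not protected by it, which is why Young's advice is to apply the patch itself everywhere HTTP.sys is in use and treat the caching change as a temporary measure.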

MS15-033 is a critical bulletin that fixes five vulnerabilities in Microsoft Office, and Wolfgang Kandek, chief technology officer for security vendor Qualys Inc., based in Redwood Shores, Calif., said the one to really worry about is CVE-2015-1641, a zero-day memory-corruption vulnerability caused by improper handling of Rich Text Format (RTF) files.


If successfully exploited, the vulnerability can lead to remote code execution, with the attacker able to perform actions in the security context of the affected user.

Microsoft said it is aware of "limited attacks" that attempt to exploit this vulnerability, and that the vulnerability affects Office 2007, 2010, 2013, and Office 2011 for Mac.

Kandek believes that this should be a critical patch, even though Microsoft has not listed it as one.

"Microsoft rates it only 'important' because the exploit requires the user to open a malicious file," Kandek said. "This is a very low security barrier at most organizations as it is part of the job for employees to open Word .docx files and they have come to trust the format."

Kandek also highlighted CVE-2015-1649 and CVE-2015-1651 in the Office bulletin, which are also remote code-execution vulnerabilities in Office 2007 and 2010. Kandek said they can be "triggered by just looking at an email in the Outlook preview pane."

MS15-032 is this month's set of Internet Explorer patches, which includes patches for versions spanning from IE 6 to IE 11 on multiple versions of Windows. Microsoft says that the most severe vulnerabilities can lead to remote code execution by getting the user to view a specially crafted Web page.

Krause said that in addition to the vulnerability patches in this release, Microsoft is also disabling SSL 3.0 support by default in IE 11.

"Given the recent attacks against SSL such as POODLE, this is an excellent first step toward phasing it out in favor of TLS 1.2 and above," Krause said. "Microsoft also indicated that they shored up IE's protection by including defense-in-depth measures in this month's patch."

The last critical bulletin is MS15-035, which targets a vulnerability in the Microsoft Graphics Component in Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.

Microsoft says that this vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. However, Microsoft noted that an attacker would have no way to force a user to take these actions.

The rest of the bulletins are all labeled as "important." Three of the vulnerabilities could lead to elevation of privileges through flaws in Microsoft SharePoint Server, Microsoft Task Scheduler, and Windows; one details a vulnerability in XML Core Services that could result in security feature bypass; two vulnerabilities could cause an information disclosure due to flaws in Active Directory Federation Services (AD FS) and .NET Framework; and the last is for a vulnerability in Hyper-V that could lead to a denial of service.
