Just two days after Microsoft released a fix for it as part of Patch Tuesday, the HTTP.sys vulnerability is already...
being actively exploited in the wild.
On Thursday the Internet Storm Center, a unit of the Bethesda, Md.-based SANS Technology Institute, authored a blog post detailing reported denial-of-service (DoS) attacks on this vulnerability.
The vulnerability affects the HTTP.sys component of Internet Information Services (IIS) in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2. It can be exploited by sending specially crafted HTTP requests to an affected system.
Microsoft has rated the flaw as critical and said there is potential for remote code execution, but Johannes Ullrich, dean of research at the SANS Institute, said the exploits do not include remote code execution, but the DoS attack can lead to a limited information disclosure.
"The information disclosure will work only once, as far as I can tell so far," Ullrich said, "because it also reboots the server."
Ullrich also noted that while Microsoft did rate this flaw as having the potential for remote code execution, he doesn't expect that type of exploit to be seen in the wild any time soon.
"The way it looks to me is that you first need the information disclosure to then write the remote execution exploit," Ullrich said. "But, since getting the information disclosure will reboot the system, the information you get is rather ephemeral, so I'm not sure how that will work."
The SANS ISC post describes how to use test scripts to check if servers are vulnerable, and mitigation methods, including blocking attacks via IPS or firewall, or disabling kernel caching in IIS 7, but Ullrich said that would also cause a big performance drop on the server.
"For a small website or internal website, maybe that wouldn't be a problem," said Ullrich, "but for a larger website, that in itself may turn into a denial-of-service because now your site is too slow and can no longer fulfill requests."
The best mitigation method would be to install the patch released by Microsoft on Tuesday, which Ullrich said should be straightforward.
"It's like any Microsoft patch; it's pretty simple," Ullrich said. "You need to reboot the system after you're done to make it effective, but there isn't really anything special about the patch."