Microsoft closes critical vulnerability in http.sys

Microsoft released patches for Windows 7, 8, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 during Patch Tuesday that address a critical security hole in the http.sys module. The vulnerability would allow remote code execution. Office also contains a critical vulnerability.

In Security Bulletin MS15-034, Microsoft describes the now patched vulnerability in http.sys. According to the software giant, attackers can remotely execute code on a vulnerable Windows system with a manipulated http request. Microsoft calls the security hole “critical,” the highest rating such vulnerabilities can receive. System administrators and users of the Windows versions mentioned are therefore strongly advised to install the patch.

The patch, which changes the way http.sys handles requests, is part of patch tuesday, the monthly release round of bug fixes and patches for various Windows versions. It is unclear why Microsoft did not release the patch for http.sys earlier, but the software giant does indicate that so far there are no known cases where the vulnerability has actually been exploited by malicious parties.

A security researcher from Tripwire tells TechTarget that the vulnerability is believed to be part of kernel caching support for IIS, Microsoft’s web server. He also expresses the fear that the aforementioned vulnerability will be abused by attackers in the short term.

In addition to the security vulnerabilities in http.sys, Microsoft has released patches for several Office versions, of which MS15-033 has also been labeled ‘critical’. Also in this case remote code execution is possible if the user opens a manipulated Office file.