Patch it now! (MS HTTP bug)
1. This isn't an IIS bug, so it doesn't apply only to IIS servers.
As far as we can see, the bug affects pretty much any Windows software that uses Microsoft's HTTP stack to respond to HTTP requests, whether that software runs on desktops, laptops or servers.
All sorts of software could fall into that category: custom company messaging systems; data loggers; configuration agents; peer-to-peer tools; heck, even an existing malware infection!
2. The bug allows remote code execution.
3. The bug can be triggered with an innocent-looking HTTP request from outside your network.
That means that the bug could, in theory, be turned into a true network worm like the Morris Internet Worm or SQL Slammer.
Those worms spread without having to wait for users to do anything such as clicking a web link or opening an attachment.
4. The bug is in a kernel component, and a successful exploit gives the attacker SYSTEM privileges.
As explained above, that is as good as taking over your computer entirely.
5. Even Server Core is affected.
6. Proof of Concept (PoC) exploit code can already be found on the internet.
The proof of concept we've seen doesn't actively attempt to exploit the bug and do anything deliberately malicious.
But reports say that a probe by the PoC does actually trigger a buffer overflow, which could be distracting and time-consuming when you review your logs.
(You do review your logs regularly. Don't you?)
Special mitigation for IIS
If you have an IIS server, you can shield it from harm even before you apply the MS15-034 update, using a workaround published by Microsoft:
Disable IIS kernel caching.
Note that kernel caching is enabled by default in IIS 7 and later.
Source: Sophos Security News
http://tinyurl.com/n4tv5xz
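To check where the kernel-caching workaround above has actually taken effect, here is an added example (not from Sophos or Microsoft) that audits an IIS configuration file for the `enableKernelCache` attribute of the `caching` element. The sample config is constructed, the function names are hypothetical, and the inheritance model (nearest explicit setting wins, otherwise the default of enabled) is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS applicationHost.config (not a real server).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <caching enabled="true" enableKernelCache="false" />
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer><caching enableKernelCache="true" /></system.webServer>
  </location>
  <location path="Default Web Site/api">
    <system.webServer><caching enabled="true" /></system.webServer>
  </location>
  <location path="Intranet">
    <system.webServer><defaultDocument enabled="true" /></system.webServer>
  </location>
</configuration>"""

DEFAULT_ENABLED = True  # kernel caching is on unless the config turns it off

def audit_kernel_cache(config_xml):
    """Return {location path: effective enableKernelCache}; '' is the server level."""
    root = ET.fromstring(config_xml)
    scopes = [("", root)] + [(loc.get("path", ""), loc)
                             for loc in root.findall("location")]
    explicit = {}
    for path, scope in scopes:
        node = scope.find("system.webServer/caching")
        value = node.get("enableKernelCache") if node is not None else None
        if value is not None:
            explicit[path.lower()] = value.strip().lower() == "true"
    effective = {}
    for path, _ in scopes:
        parts = path.lower().split("/") if path else []
        # Assumption: nearest explicit setting wins, walking site/app -> site -> server.
        chain = ["/".join(parts[:i]) for i in range(len(parts), -1, -1)]
        effective[path] = next((explicit[c] for c in chain if c in explicit),
                               DEFAULT_ENABLED)
    return effective

def paths_needing_workaround(config_xml):
    """Paths where kernel caching is still effectively enabled."""
    return sorted(p or "(server level)"
                  for p, on in audit_kernel_cache(config_xml).items() if on)

if __name__ == "__main__":
    for p in paths_needing_workaround(SAMPLE_CONFIG):
        print("kernel caching still enabled:", p)
```

In the sample, the server-level setting is off but "Default Web Site" re-enables it, and its child application inherits that override, which is the kind of gap a server-level check alone would miss.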
...or Mr. James King! :)
Thanks James Autry