Vulnerability in Windows HTTP library enables denial of service
16.04.2015 at 16:38 - Updated 24.04.2015 at 14:43
Exploitation methods published on the internet enable a denial of service in Windows operating systems that use the HTTP.sys library. To the NCSC-FI's knowledge, the denial of service has been confirmed in practice, although several researchers have reported that the vulnerability cannot be exploited.
In addition to IIS server software, the HTTP.sys library is used at least in Windows DLNA file sharing services, which are often used by consumers, and in some remote user interfaces. Exploiting the vulnerability requires that the service is accessible from the internet.
According to Microsoft's bulletin, the vulnerability also enables the execution of arbitrary commands. For the time being, no ready-made methods for exploiting the vulnerability have been detected on the internet.
For the time being, the NCSC-FI has not detected attempts to exploit the vulnerability.
The NCSC-FI recommends that Windows operating systems connected to a network be updated immediately, before exploitation of the vulnerability becomes more common.
Target group of the alert
The vulnerable library can be found in the operating systems Windows Server 2008, Windows Server 2012, Windows 7 and Windows 8.x.
The vulnerability requires that the operating system has a service that is open to the internet and that uses the HTTP.sys library, such as IIS server software or a DLNA file sharing service.
Possible solutions and restrictive measures
Install Microsoft's update package for April (MS15-APR)
If it is not possible to install the updates immediately, Microsoft's bulletin also mentions that the problem can possibly be restricted by disabling IIS kernel caching. However, this does not help in, for example, a DLNA service.
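To see which services on a host actually sit on HTTP.sys, and whether the IIS kernel cache workaround is in effect, the following added example (not part of the original alert and not Microsoft's or the NCSC-FI's code) lists the registered URL prefixes and reads the server-level IIS setting. It assumes an elevated prompt, that `netsh http show servicestate` prints each registered prefix on its own line, and that the IIS WebAdministration module is installed where IIS is in use.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell prompt.

# 1. List every URL prefix registered with HTTP.sys, whichever service owns it
#    (IIS, DLNA/media sharing, remote management interfaces, ...).
#    Assumption: prefixes appear one per line in the netsh output.
$state = & netsh.exe http show servicestate
$prefixes = @(foreach ($line in $state) {
    if ($line -match '^\s*(https?://\S+)\s*$') { $Matches[1] }
}) | Sort-Object -Unique

if (-not $prefixes) {
    'No URL prefixes are registered with HTTP.sys on this host.'
} else {
    foreach ($p in $prefixes) {
        # A "+" or "*" host means the prefix is bound on every address,
        # so reachability depends on firewalling alone.
        $wild = $p -match '^https?://[+*]'
        New-Object PSObject -Property @{ Prefix = $p; AllAddresses = $wild }
    }
}

# 2. Report the server-level IIS kernel cache setting, if it can be read.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache'
    # Depending on the attribute type the cmdlet returns a value or a wrapper.
    $enabled = if ($attr -is [bool]) { $attr } else { $attr.Value }
    "IIS enableKernelCache (server level): $enabled"

    # Temporary restriction until the update is installed (uncomment to apply):
    # Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    #     -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
} else {
    'WebAdministration module not found: the IIS setting cannot be read here.'
}
```

Any prefix in the output that does not belong to IIS is unaffected by the kernel caching setting, so for those services only the update or blocking access from the internet applies.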
- Microsoft Security Bulletin Summary for April 2015
- Microsoft Security Bulletin MS15-034 - Critical
- Vulnerability 033/2015 (in Finnish)
- Public exploitation methods available for Windows servers' HTTP.sys vulnerability (Information security now! 16 April 2015, in Finnish).