Naked Security

Update Tuesday, April 2015 – Urgent action needed over Microsoft HTTP bug

We don't usually focus on one vulnerability and say, "Do that first." But this month, we're willing to make an exception. The Microsoft HTTP stack has a bug that could let attackers straight in with a simple HTTP request...

Regular readers of our Update Tuesday Wrap-ups, along with regular listeners to the Chet Chat podcast, will know that we don’t like zooming in too keenly on any one security bulletin.

Our reason is that if you become too focused on one vulnerability, you are likely to lose sight of (or to put off until another day) all the other monthly fixes.

So you might end up with a false sense of security because you’ve patched the big hole, but left all the other nearly-but-not-quite-so-big holes wide open.

Also, there’s the problem that exploits can often be abused in pairs, for example by combining a critical hole such as remote code execution with an escalation of privilege hole that sounds much less serious if you consider it on its own.

That sort of exploit combination can be deadly, because a crook can get in, albeit only with limited access rights, and then go up, finishing off his attack with SYSTEM privileges.

That is as good as taking over your computer entirely.

→ In the recent PWN2OWN competition in Vancouver, 11 attacks against the Big Four browsers plus Adobe’s plugins produced 10 successful compromises. In 4 of those, the attackers ended up with SYSTEM powers. In a nice demonstration of comparative value, promoting yourself to SYSTEM meant an immediate bonus prize of $25,000.

Having said all that, this month we’re breaking with our own tradition.

Do this one first

We’ll start off short and straight: if you only apply one patch, or are keen to find one to lead off with, make it MS15-034.

That bug is described rather blandly by Microsoft as:

Vulnerability in HTTP.sys Could Allow Remote Code Execution.

But the big parts of the story are:

1. This isn’t an IIS bug, so it doesn’t apply only to IIS servers.

As far as we can see, the bug affects pretty much any Windows software that uses Microsoft’s HTTP stack to respond to HTTP requests, whether that software runs on desktops, laptops or servers.

All sorts of software could fall into that category: custom company messaging systems; data loggers; configuration agents; peer-to-peer tools; heck, even an existing malware infection!

2. The bug allows remote code execution.

3. The bug can be triggered with an innocent-looking HTTP request from outside your network.

That means that the bug could, in theory, be turned into a true network worm like the Morris Internet Worm or SQL Slammer.

Those worms spread without having to wait for users to do anything such as clicking a web link or opening an attachment.

4. The bug is in a kernel component, and a successful exploit gives the attacker SYSTEM privileges.

As explained above, that is as good as taking over your computer entirely.

5. Even Server Core is affected.

6. Proof of Concept (PoC) exploit code can already be found on the internet.

The proof of concept we’ve seen doesn’t actively attempt to exploit the bug and do anything deliberately malicious.

But reports say that a probe by the PoC does actually trigger a buffer overflow, which could be distracting and time-consuming when you review your logs.

(You do review your logs regularly. Don’t you?)

Special mitigation for IIS

If you have an IIS server, you can shield it from harm even before you apply the MS15-034 update, using a workaround published by Microsoft:

Disable IIS kernel caching. This workaround is specific to IIS and can cause performance issues.

Note that kernel caching is enabled by default in IIS 7 and later.
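
One way to apply the kernel-caching workaround above on an IIS server, as an added example rather than code from Microsoft or from this article. It assumes IIS 7 or later, the WebAdministration module, PowerShell 3.0 or later and an elevated session; the function name `Get-KernelCacheState` is made up for the example.

```powershell
# Added example: audit and disable IIS kernel-mode output caching.
# Assumptions: IIS 7+, WebAdministration module, PowerShell 3.0+, run elevated.
Import-Module WebAdministration

$filter = 'system.webServer/caching'
$name   = 'enableKernelCache'
$server = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config (server level)

function Get-KernelCacheState {
    # Report the effective setting at server level and for every site,
    # because a site's web.config can override the server-level value.
    $paths = @($server) +
             @(Get-ChildItem IIS:\Sites | ForEach-Object { "IIS:\Sites\$($_.Name)" })
    foreach ($p in $paths) {
        $attr = Get-WebConfigurationProperty -PSPath $p -Filter $filter -Name $name
        [pscustomobject]@{ Scope = $p; KernelCacheEnabled = [bool]$attr.Value }
    }
}

Write-Host 'Before:'
Get-KernelCacheState | Format-Table -AutoSize

# Step 1: switch kernel caching off at server level; sites inherit this.
Set-WebConfigurationProperty -PSPath $server -Filter $filter -Name $name -Value $false

# Step 2: any site still reporting "enabled" has its own override, so set it
# explicitly at that site's scope (this writes to the site's web.config).
$overrides = Get-KernelCacheState | Where-Object { $_.KernelCacheEnabled }
foreach ($row in $overrides) {
    Set-WebConfigurationProperty -PSPath $row.Scope -Filter $filter -Name $name -Value $false
}

Write-Host 'After:'
$after = @(Get-KernelCacheState)
$after | Format-Table -AutoSize

# Sub-applications and virtual directories are not enumerated here; they can
# carry their own web.config and need the same check if you use them.
if ($after | Where-Object { $_.KernelCacheEnabled }) {
    Write-Warning 'Kernel caching is still enabled in at least one scope.'
}
```

Once the MS15-034 update is installed, the same `Set-WebConfigurationProperty` call with `-Value $true` turns kernel caching back on.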

What about the rest?

There are 10 other security updates from Microsoft this month, including the usual Cumulative Security Update for Internet Explorer; two of those fixes, including the IE update, close other remotely exploitable holes.

There’s also a new version of Flash from Adobe, fixing 22 CVE-numbered security bugs, including remote code execution holes.

So we think you should apply all those updates as well.

But if you are searching for one patch to lead off with, make it MS15-034.

If nothing else, you can expect a sea of probes over the next few days, as inquisitive “researchers” find the PoC and set it loose to see what happens.

In short: patch early, patch often; but in the case of MS15-034, patch NOW.
