HTTP.sys remote code execution vulnerability
Description
A critical remote code execution vulnerability exists in the Windows HTTP Protocol Stack (HTTP.sys) due to improper parsing of specially crafted HTTP requests. HTTP.sys is a kernel-mode driver responsible for handling HTTP requests in Windows, making this vulnerability particularly severe as it operates at the system level.
This vulnerability affects all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Successful exploitation allows attackers to execute arbitrary code with SYSTEM-level privileges without requiring authentication or user interaction.
Remediation
Apply Microsoft Security Bulletin MS15-034 immediately to all affected systems. Follow these steps to remediate:
1. Download and install the appropriate security update from Microsoft Update Catalog or Windows Update for your specific Windows version and architecture (x86/x64)
2. Restart the affected systems to complete the update installation
3. Verify the update was successfully applied by checking the installed update list in Windows Update history
4. As a temporary mitigation if patching cannot be performed immediately, consider disabling the HTTP.sys driver if the system does not require IIS or HTTP-based services, though this is not recommended for production web servers
5. Monitor systems for suspicious HTTP traffic patterns and unauthorized access attempts
No configuration changes or code modifications are required after applying the security update. The patch corrects how HTTP.sys parses HTTP requests, eliminating the vulnerability.