Tuesday, 21 April 2015

MS15-034 - Patch now to resolve critical HTTP vulnerability

This month's Patch Tuesday posting included eleven updates with four rated as critical and the remaining seven as important by Microsoft. Each month, I am now posting my views on Microsoft's Patch Tuesday on the on-line ComputerWorld blog found here. The latest update titled, "Microsoft releases 11 critical updates and fixes critical HTTP flaw" provides a brief overview of each update and some recommended actions.

This month, the Microsoft update MS15-034 attempted to resolve a critical security vulnerability in Microsoft IIS web server. Though the updated only affected a single file, we are now seeing active exploits of this security vulnerability at Internet-wide scales.  The Internet Storm Centre has reported active attacks on their honey-pots, with the following comment on their related newsgroup page;

"Update: We are seeing active exploits hitting our honeypots from 78.186.123.180. We will be going to Infocon Yellow as these scans use the DoS version, not the "detection" version of the exploit. The scans appear to be "Internet wide"."

The ISC have also provided a quick test to see if you are vulnerable to this HTTP vulnerability that includes;


GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615

If the server responds with "Requested Header Range Not Satisfiable", then you may be vulnerable.

I would recommend running this quick test, and then updating your servers as a priority with the Microsoft update MS15-034.

No comments: