Friday, April 17, 2015

Critical Update for Windows Web Servers

Most of the security updates released by Microsoft fall in the category of "apply soon". This week Microsoft released an update that falls in the category of "apply NOW".

There is a flaw in HTTP.sys (the kernel-mode HTTP driver that IIS and other Windows web services sit on top of) in Windows Server 2008 R2 and later. A malformed HTTP request, a crafted Range header, can crash the server and may allow remote code execution. Because HTTP.sys parses the request before it ever reaches IIS, any site or service that listens through it is exposed, not just the default web site. Since the patch was released on Tuesday, the details of the flaw have become widely known and are trivial to reproduce. This means that anyone who can send an HTTP request to your web server can crash it at will.

Two common scenarios I work with that are cause for concern:
  • Exchange servers. Exchange uses the Windows web server (IIS) to provide its client-facing services (Outlook Web App, ActiveSync, Exchange Web Services, Outlook Anywhere). This means that your Exchange servers are vulnerable.
  • Small Business Server. Organizations with SBS typically provide both remote access and Exchange web services. Both are delivered through IIS and vulnerable to this flaw.
Best practice is to install the patch (which requires a restart) from here:
If you can't do that yet because change control requires testing first, you can disable kernel caching in IIS. That mitigates the flaw but also reduces performance, so treat it as a short-term workaround and still schedule the patch.

To disable kernel caching in IIS:
  1. Open IIS Manager.
  2. In IIS Manager, select the server node and double-click Output Caching.
  3. On the Output Caching page, in the Actions pane, click Edit Feature Settings.
  4. In the Edit Output Cache Settings window, uncheck the Enable kernel cache check box and click OK.
  5. Close IIS Manager.

If you have a reverse proxy server in front of your web server, it may protect you from this flaw, but only if the proxy drops or rewrites the malformed request before forwarding it. You would need to test to be sure. This article provides a curl command line that sends the malformed request:
You can download Curl here:
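The following PowerShell script is an added example, not code from the original post, and it serves both the workaround steps above and the reverse-proxy test just described. It checks whether the update is installed, flips the same "Enable kernel cache" setting that IIS Manager exposes (stored in applicationHost.config as system.webServer/caching@enableKernelCache), and sends the well-known harmless Range-header probe over a raw TCP socket so that no HTTP client library gets in the way of the header. Assumptions: it runs as an administrator on the IIS host for the first two functions, the WebAdministration module is available (IIS 7.5 and later), the hotfix number KB3042553 is the one for this update (MS15-034) and should be verified against the bulletin, and hostnames such as proxy.example.com are placeholders.

```powershell
# Added example (not from the original post). Assumes: administrator on the IIS
# host, WebAdministration module present, KB3042553 is the MS15-034 hotfix number
# (verify against the bulletin), hostnames below are placeholders.

function Test-HttpSysPatched {
    # $true when the MS15-034 hotfix is installed on the local machine.
    param([string]$KB = 'KB3042553')
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Disable-IisKernelCache {
    # Same change as IIS Manager > Output Caching > Edit Feature Settings >
    # uncheck "Enable kernel cache". Returns the setting as read back from config.
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
    return (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache').Value
}

function Test-HttpSysRange {
    # Sends the known detection probe: an oversized Range header.
    # Unpatched HTTP.sys answers 416; patched HTTP.sys answers 400 with
    # "The request has an invalid header name". Anything else means something
    # other than HTTP.sys (for example a reverse proxy) handled the request.
    # This range does not crash the target; other ranges can, so only probe
    # systems you are responsible for.
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Port = 80,
        [string]$Path = '/'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $client.ReceiveTimeout = 5000
    $stream = $client.GetStream()
    $request = "GET $Path HTTP/1.1`r`n" +
               "Host: $Target`r`n" +
               "Range: bytes=0-18446744073709551615`r`n" +
               "Connection: close`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
    $stream.Write($bytes, 0, $bytes.Length)

    $reader = New-Object System.IO.StreamReader($stream)
    $statusLine = $reader.ReadLine()
    $body = $reader.ReadToEnd()
    $client.Close()

    $code = if ($statusLine -match '^HTTP/\d\.\d (\d{3})') { [int]$Matches[1] } else { -1 }
    $verdict = switch ($code) {
        416 { 'VULNERABLE: HTTP.sys accepted the oversized Range header' }
        400 {
            if ($body -match 'invalid header name') { 'PATCHED: HTTP.sys rejected the Range header' }
            else { 'INCONCLUSIVE: 400 without the HTTP.sys error text, possibly a proxy' }
        }
        default { 'UNKNOWN: response did not come from HTTP.sys range handling (proxy, non-IIS, or no reply)' }
    }
    return [PSCustomObject]@{ Target = $Target; Status = $statusLine; Verdict = $verdict }
}

# Typical use on the server, then from outside against the proxy (placeholder names):
if (-not (Test-HttpSysPatched)) {
    "Patch not installed; kernel cache now enabled = $(Disable-IisKernelCache)"
}
Test-HttpSysRange -Target 'proxy.example.com' | Format-List
```

Run Test-HttpSysRange from a machine on the outside of the proxy and again directly against the web server's IP from inside the network. If the inside test reports VULNERABLE while the outside test does not, the proxy is absorbing the request; patch anyway, because the inside path is still exposed to anything on your LAN.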
