Security researchers have discovered that attackers are exploiting a flaw in Windows IIS web servers to crash websites. The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Attackers are exploiting the flaw by sending out pings of death. The following systems running Microsoft's IIS web server are affected:
· Windows 7
· Windows Server 2008 R2
· Windows 8, Windows Server 2012
· Windows 8.1
· Windows Server 2012 R2
The vulnerability resides in HTTP.sys, a kernel-level driver that forwards requests for webpages and the like to the user-space server software and caches static files. It is caused by HTTP.sys improperly handling the Range header in an HTTP request. This header is used to fetch part of a file from a server, which is sometimes convenient for resuming downloads. Microsoft has warned the security bug can be used to execute code remotely on the server, but so far, no one seems to have been able to do that. Microsoft fixed this denial-of-service vulnerability on Tuesday with a patch numbered MS15-034.
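To illustrate what careful handling of the Range header looks like, here is an added example (not HTTP.sys code and not Microsoft's fix) of a strict single-range validator that resolves a request against the resource length before any bytes are served. The names `resolve_range`, `triage` and `SAMPLES` are hypothetical, and the sample header values are constructed.

```python
import re

# Single-range forms only: "bytes=first-last", "bytes=first-", "bytes=-suffix".
# Capping each number at 19 digits rejects absurd values before int() runs.
_RANGE_RE = re.compile(r"bytes=(\d{0,19})-(\d{0,19})\Z")

# Constructed sample header values, not taken from any real traffic.
SAMPLES = ["bytes=0-499", "bytes=500-", "bytes=-200", "bytes=0-9999999999",
           "bytes=1000-", "bytes=5-2", "bytes=0-" + "9" * 25, "lines=1-2"]

class RangeError(ValueError):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status  # HTTP status the server should answer with

def resolve_range(header, resource_length):
    """Return inclusive (start, end) offsets, or raise RangeError(400/416)."""
    m = _RANGE_RE.match(header.strip())
    if m is None:
        raise RangeError(400, "malformed or unsupported Range value")
    first, last = m.groups()
    if not first and not last:
        raise RangeError(400, "empty range")
    if not first:  # suffix form: the final N bytes of the resource
        n = int(last)
        if n == 0 or resource_length == 0:
            raise RangeError(416, "unsatisfiable suffix range")
        return max(resource_length - n, 0), resource_length - 1
    start = int(first)
    if start >= resource_length:
        raise RangeError(416, "first byte is beyond the end of the resource")
    if not last:
        return start, resource_length - 1
    end = int(last)
    if end < start:  # rejecting outright is this sketch's strict policy
        raise RangeError(400, "last byte precedes first byte")
    # Clamp to the resource so later length arithmetic stays in bounds.
    return start, min(end, resource_length - 1)

def triage(headers, resource_length):
    """Map each header value to the status it would receive (206 = served)."""
    statuses = {}
    for h in headers:
        try:
            resolve_range(h, resource_length)
            statuses[h] = 206
        except RangeError as exc:
            statuses[h] = exc.status
    return statuses
```

Running `triage(SAMPLES, 1000)` shows which of the constructed values would be served as partial content and which would be rejected before any offset arithmetic takes place.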
More details are available on:
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street