Yesterday was Patch Tuesday – Microsoft’s monthly rendezvous with all administrators wanting to keep their Microsoft products up to date with all security patches.

This was no ordinary Patch Tuesday for web administrators. MS15-034 contains a CRITICAL security update for Microsoft IIS that addresses a remote code execution vulnerability, CVE-2015-034, which, in simple terms, allows an attacker to run commands on your IIS server as the SYSTEM account.

The vulnerability is in the HTTP protocol stack (HTTP.sys), which does not correctly parse specially crafted HTTP requests; this could allow an attacker to execute arbitrary code in the context of the SYSTEM account. The vulnerability affects Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2.

It is important that affected IIS installations are patched as soon as possible. Acunetix can already detect vulnerable systems. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.

THE AUTHOR
Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.