Yesterday was Patch Tuesday – Microsoft’s monthly rendezvous with all administrators wanting to keep their Microsoft products up to date with all security patches.
This was no ordinary Patch Tuesday for web administrators. MS15-034 contains a CRITICAL security update for Microsoft IIS which addresses a remote code execution vulnerability, CVE-2015-034, which in simple terms, allows an attacker to run commands on your IIS server as the SYSTEM account.
The vulnerability affects the HTTP protocol stack (HTTP.sys), which is not correctly parsing specially crafted HTTP requests, and could allow an attacker to execute arbitrary code in the user context of the SYSTEM account. The vulnerability affects Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2.
It is important that affected IIS installations are patched as soon as possible. Acunetix can already detect vulnerable systems. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.