Description

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Remediation

Microsoft has provided a security update for this issue. It's recommended to apply this update as soon as possible.

References

Vulnerability in HTTP.sys Could Allow Remote Code Execution

Related Vulnerabilities

WordPress Plugin Social Photo Gallery Remote Code Execution (1.0)

WordPress Plugin is_human() 'type' Parameter Remote Command Injection (1.4.2)

PHP object deserialization of user-supplied data

Oracle Reports rwservlet vulnerabilities

Unauthenticated OGNL injection in Confluence Server and Data Center

Severity

High

Classification

CVE-2015-1635 CWE-119 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Tags

Code Execution