SANS 2015 LIVE: Will MS15-034 see the return of the Internet Worm?

Ian Trump

Being on the ground at SANS 2015 in Orlando, FL, is like being at ground zero in the middle of a cyber earthquake. Between the excellent instruction during the day and focused presentations at night, it’s hard not to let the paranoia get the best of you. Twelve hours of non-stop cyber security over five days can get to the best of us.

I’m not inclined to go all “cyber-bombshelter” on the latest Microsoft security patch, MS15-034, but this one is a bit special. Maybe they saved it up just for Dr. Johannes Ullrich to have something to talk about. Last year was Heartbleed, so you know it’s going to be special when Dr. Ullrich hits the stage. In homage to major bugs of the past he jokingly coined this bug “DeRanged”. Three things make it stand out:

  1. It’s really easy to exploit and results in a blue screen, hang or reboot of a server running Microsoft’s Internet Information Server (IIS).
  2. It can produce content from the IIS server’s cache, so it may leak information.
  3. According to Microsoft, the vulnerability could be used to run arbitrary code on a vulnerable host.

The vulnerability is in HTTP.sys, the library for processing HTTP requests in Windows; this library is found on all Windows systems. Among other programs, IIS uses HTTP.sys and is directly exposed to the exploit. As of Wednesday 15 Apr 2015, trivial-to-execute exploits have been made public that will cause an IIS server to crash, so for now this is a disruptive attack. It could inflict some financial damage if your business uses IIS as an e-commerce platform. According to Dr. Ullrich, about 30% of the web servers on the Internet are running IIS.

Is this the start of a return of an Internet Worm like Code Red or Nimda?

Even Dr. Ullrich admits that weaponizing this bug for remote code execution seems challenging, but the potential to make incremental improvements now exists. Although a patch has been issued (an excellent business case for why patching and updating the OS and applications is critical), we are in the early stages of seeing how far this bug can be exploited. For now, with the patch in place, we are safe.
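A check a defender would run against the two points above (HTTP.sys is on every Windows host and is exposed wherever a program such as IIS has registered with it; the patch is the fix), as an added PowerShell example that is not part of the original post. The KB number is a placeholder, since the post does not cite it; substitute the one from the MS15-034 bulletin.

```powershell
# Added example (not from the original post): report whether this host exposes
# HTTP.sys to the network and whether the MS15-034 update is installed.
# KB_PLACEHOLDER must be replaced with the KB number from the MS15-034 bulletin.
function Get-Ms15034Exposure {
    param([string]$Ms15034Kb = 'KB_PLACEHOLDER')

    # HTTP.sys ships with every supported Windows release, but it is only
    # reachable from the network when something has registered a URL with it.
    $state = netsh http show servicestate view=requestq 2>$null
    $urls  = @($state | Select-String -Pattern '^\s*(https?://\S+)' |
              ForEach-Object { $_.Matches[0].Groups[1].Value })

    # IIS (W3SVC) is the most common consumer of HTTP.sys, but not the only one.
    $iis   = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $patch = Get-HotFix -Id $Ms15034Kb -ErrorAction SilentlyContinue

    $risk = if ($urls.Count -gt 0 -and -not $patch) {
                'HTTP.sys reachable and unpatched: patch or take offline'
            } elseif (-not $patch) {
                'Unpatched; no URLs registered, lower exposure but still patch'
            } else {
                'Update installed'
            }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = [Environment]::OSVersion.Version.ToString()
        IISInstalled     = $null -ne $iis
        IISRunning       = ($null -ne $iis) -and ($iis.Status -eq 'Running')
        HttpSysUrls      = $urls
        Ms15034Installed = $null -ne $patch
        Assessment       = $risk
    }
}

Get-Ms15034Exposure | Format-List
```

Run it through Invoke-Command against a list of servers to get the same report fleet-wide; hosts that report registered URLs and no update are the ones to patch first.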

From my threat intel perspective I see a little bit more in today’s bug revelations. I don’t disagree with Dr. Ullrich’s conclusions on this, but given the sophisticated attacks and the plethora of cybercrime zero-days, it’s only a matter of time until the Microsoft patch is reverse engineered and possibly used to “break” the IIS server in such a manner as to trigger a remote code vulnerability. This is the home run for cyber criminals: break it, run your code on it and establish a foothold in a business network.

Microsoft Exchange servers are particularly vulnerable because most of them have IIS tied to Microsoft Exchange services to support Outlook Web Access. It’s disturbing to think that if this bug had surfaced in August, after support ends for Windows Server 2003, patches would not be available. There are two takeaways from this: Windows Server 2003 needs to be retired before something worse than denial of service shows up after 14 July 2015, and patching and updating is mission critical.

Keep patching!
