Microsoft has patched a critical vulnerability in the Windows HTTP protocol stack, known as HTTP.sys, which could have devastating consequences once it’s inevitably publicly exploited.
The bulletin, MS15-034, is one of four critical bulletins issued today by Microsoft. Experts warn that exploiting the vulnerability is trivial and could lead to remote code execution and privilege escalation on a compromised machine.
Microsoft said a temporary workaround would be to disable IIS kernel caching, but cautioned that this action could cause performance issue.
Windows admins should also rush a critical bulletin that addresses a publicly disclosed vulnerability in Office.
MS15-033 patches three vulnerabilities that are rated critical for older versions of Office components such as Word 2007 and Office 2010, but rated important for Office 2013, SharePoint Server 2013 and Office Web Apps Server 2013.
Microsoft today also patched Internet Explorer. The latest cumulative update for the browser includes a number of fixes for vulnerabilities that were privately disclosed during the Pwn2Own contest last month.
There were seven other bulletins released today, all rated important:
- MS15-036 patches an elevation of privilege vulnerabilities in SharePoint Server
- MS15-037 addresses an elevation of privilege vulnerability in Windows Task Scheduler
- MS15-038 fixes elevation of privilege vulnerabilities in Windows NTCreate Transaction Manager and MS-DOS
- MS15-039 patches a security feature bypass vulnerability in XML Core Services
- MS15-040 patches an information disclosure bug in Active Directory Federation Services
- MS15-041 patches an information disclosure vulnerability in .NET Framework
- MS15-042 patches a denial of service flaw in Windows Hyper-V
