“The problem is that this will easily crash systems,” says Johannes Ullrich, CTO of the SANS Internet Storm Center. “It is not a denial of service, and not easily a data leakage issue like Heartbleed. But even crashing millions of IIS servers could cause significant impact, as many large sites use IIS.”
Microsoft has patched the MS15-034 flaw this week by disabling IIS kernel caching, but experts warn that this solution would cause performance decrease.
To better understand the real impact of the flaw let consider more than 70 million websites are potentially vulnerable according a survey conducted by the Netcraft firm.
“Netcraft’s latest Web Server Survey shows more than 70 million websites could be vulnerable, including Microsoft IIS servers that sit behind non-Windows load balancers. The total number of servers involved in hosting these sites stands at around 900,000, which is more than a sixth of all web-facing computers in the world.” wrote Netcraft in a blog post.
Security experts at Sans and at Qualys warned that the attack observed were conducted using an exploit code that could be easy to find in the criminal ecosystem.
“These are real attackers, as they use the version of the exploit that will crash systems,” Ullrich says. “The exploit used by researchers did not crash systems. There is currently remote code execution exploit in sight.”
“We rated it the top bulletin this month,” says Qualys CTO Wolfgang Kandek, “because the code is known to attackers already and it does not look to be very difficult [to exploit]. With Microsoft publishing the bulletin, the current owners of the exploit will most likely sell it off to as many interested parties as possible to get maximum benefit from its now limited lifespan. I continue to rank it as: ‘Fix as quickly as possible.'”
The experts urge to update the systems in order to patch the MS15-034 flaw.
(Security Affairs – MS15-034, Microsoft)