Critical Windows vulnerability affects at least 70 million websites

The race is on to patch nearly a million Windows web servers, following the publication of code that can identify the presence of a serious vulnerability announced by Microsoft on Tuesday.

The critical vulnerability lies within Microsoft's HTTP protocol stack, known as HTTP.sys. The maximum security impact, according to Microsoft Security Bulletin MS15-034, is remote code execution — by sending a specially crafted HTTP request to a vulnerable server, a remote attacker can execute arbitrary code on that server.

An ongoing scan for this vulnerability suggests that the test performed by the published code is inconclusive, as it might erroneously give the all-clear to a server that returns non-static content, even if it is in fact vulnerable.

However, Netcraft's latest Web Server Survey shows more than 70 million websites could be vulnerable, including Microsoft IIS servers that sit behind non-Windows load balancers. The total number of servers involved in hosting these sites stands at around 900,000, which is more than a sixth of all web-facing computers in the world.

The affected versions of Windows includes Windows Server 2008 R2, 2012 and 2012 R2. Windows 7, 8 and 8.1 are also vulnerable, but are not commonly used to host websites. Microsoft's security bulletin does not include Windows Server 2003 in the list of affected versions, so the 130 million sites that run IIS 6.0 on this older operating system would appear to be safe (at least from this particular issue).

Given the swift publication of code that could potentially be developed into a practical exploit, it is essential that all Windows server administrators apply the necessary security updates as a matter of urgency.

Microsoft has already released a security update for this vulnerability, so don't delay, apply today!