Security experts today called for Windows users to immediately patch one of the 26 vulnerabilities Microsoft disclosed two days ago.
SANS' Internet Storm Center (ISC) raised its threat level to Yellow as a signal of the seriousness of the bug, which is now being actively used in "Internet wide" scans to crash Windows systems. Among the more recent incidents that triggered a Yellow alert from the ISC was last year's Heartbleed vulnerability
"We are seeing active exploits hitting our honeypots," SANS said in a warning on its website.
Microsoft released a patch for the now-exploited vulnerability on Tuesday as part of its monthly security slate. The update, designated MS15-034, was rated "critical," Microsoft's most serious threat level.
Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 are affected by the flaw, Microsoft said.
Since Tuesday, when Microsoft issued MS15-034 -- along with 10 other bulletins, three of which were also rated critical -- proof-of-concept (PoC) code has begun circulating on the Web, and as SANS said, is being used to crash vulnerable machines.
The patch-now urgency being pressed by security analysts and researchers stemmed not only from the known targets -- Windows systems, largely servers, running IIS (Internet Information Systems), Microsoft's Web server software -- but also because there is much unknown about the extent of the threat to the wider Windows ecosystem.
"It does affect all Windows systems that have software which accepts HTTP requests on Windows," said Johannes Ullrich, who heads the ISC. "[But] the library that is affected, HTTP.sys, is used by software other then IIS."
That's the problem, echoed Chet Wisniewski, a security researcher with Sophos. "There are so many things that could impact this," said Wisniewski. "Lync, for example, uses HTTP as a transport. I suspect that the patch-now calls are because we really can't define all the possible threats, since we can't say what may be on your machine."
In other words, although IIS servers are most at risk -- and are currently being targeted by the rudimentary attack code -- many other Windows systems may be as well.
Wisniewski cautioned against overreacting, however. "I think this would be minimized on a client," he said, referring to end user machines running Windows 7, 8 or 8.1. IIS is not enabled by default on those devices. "Clients are unlikely to have [an HTTP] listener activated."
Another security professional criticized Microsoft for leaving customers in the dark. "If only Microsoft still had a few SRD employees, there would be a useful blog post from them to definitively answer all this," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. SRD (Security Research & Defense) was a Microsoft blog, staffed by Microsoft security engineers, that provided detailed information about select security updates.
Microsoft has pared back its engineering teams -- they were affected by the 2014 layoffs -- and has discontinued some long-time security practices, including the advance warnings of upcoming Patch Tuesday slates and a monthly post-patch webcast.
Another unknown is whether someone will expand on the existing PoC and come up with code that can, as Microsoft believes possible, conduct a remote exploit that would rely simply on sending a malformed HTTP request.
Ullrich thought that unlikely. "The chance for a RCE [remote code executable exploit] is low," Ullrich said. "There is a chance of an information leakage issue if the server offers files. This information leakage has not been demonstrated yet, but the Chinese summary published yesterday offers some pointers. It would leak kernel memory that may then be used for RCE."
Meanwhile, Wisniewski thought different: "I suspect remote code might become visible quite soon. That's why the fear of this is why amped up. We're scared that the code out is there and we can't pinpoint who is at risk."