The recent MS15-034 security update addresses a vulnerability in how the Windows HTTP stack (http.sys) handles requests.
Although the affected operating system component is associated with IIS, many applications rely on the Windows HTTP stack, and Lync is one of them!
How serious is this vulnerability and why you should patch immediately?
- It can be used for DoS attacks, but there's a chance it can be used to run code remotely
- Any user can run an exploit of some type without any special permissions or in-depth knowledge; it can be just a simple copy-and-paste of code (see PoC)
- Your Lync front-end servers can be exploited by an internet attacker, if the reverse proxy role (and/or the firewall) cannot detect and intercept the exploit attempts.
Which Lync 'roles' are affected?
- Front-End – There are a lot of applications/pools that can be exploited
- Edge server – not affected from the outside, but the internal DMZ replica service (typically 4443) can be exploited
- Persistent chat – not affected
- (SQL) Monitoring reports – affected
- Office Web Apps – affected
To show you how easily the exploit can be built and run, here's a simple proof of concept. I just needed 10 minutes to find a possible HTTP request and run cURL on an internal PC without any admin rights:
The server running Lync will stop responding and (if you are fast enough) you will see the operating system generating a dump report before restarting.
An exploited server will also display a MER message when you log on to it:
You might want to look carefully for Lync and other collocated applications that can also allow an exploit. This command can be used to determine what is relying on http:
netsh http show servicestate | find "://"
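The same inventory in PowerShell, as an added example that is not part of the original post: it parses the `netsh http show servicestate` output and groups the registered URLs by port and request queue, so you can see which sites on a server sit on http.sys and need the patch. The function name `Get-HttpSysRegistration` and the sample output are constructed for illustration; call the function without `-Lines` to query the live server.

```powershell
function Get-HttpSysRegistration {
    param(
        # Lines of 'netsh http show servicestate' output; defaults to a live query.
        [string[]]$Lines = (netsh http show servicestate)
    )
    $queue = '(unknown)'
    foreach ($line in $Lines) {
        if ($line -match '^\s*Request queue name:\s*(.+?)\s*$') {
            # Each URL group names the request queue (often an IIS app pool) it feeds.
            $queue = $Matches[1]
        }
        elseif ($line -match '^\s*(https?)://(\[[^\]]+\]|[^/:]+):(\d+)(/\S*)?\s*$') {
            [pscustomobject]@{
                Queue    = $queue
                Scheme   = $Matches[1].ToLower()
                HostName = $Matches[2]
                Port     = [int]$Matches[3]
                Path     = if ($Matches[4]) { $Matches[4] } else { '/' }
            }
        }
    }
}

# Constructed sample output (not captured from a real server), trimmed to the relevant lines.
$sample = @'
    URL group ID: FE00000140000001
        Request queue name: SampleAppPoolA
        Registered URLs:
            HTTPS://+:4443/SAMPLEAPP/
            HTTP://+:8080/SAMPLEAPP/
    URL group ID: FD00000240000001
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTP://+:5985/WSMAN/
'@ -split "`r?`n"

# One line per listening port, with the queues and paths registered on it.
Get-HttpSysRegistration -Lines $sample |
    Group-Object Port |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        '{0,5}  {1}' -f $_.Name, (($_.Group | ForEach-Object { "$($_.Queue)$($_.Path)" }) -join ', ')
    }
```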
So it's better to start patching all Windows operating systems on your network… fast