(CVE-2015-1635)
Last Updated: April 20, 2015
The HTTP protocol stack (HTTP.sys) in Microsoft Windows contains an integer overflow vulnerability that may allow an attacker to remotely execute arbitrary code via crafted HTTP requests. This vulnerability has been assigned CVE-2015-1635 and is referred to as the "HTTP.sys Remote Code Execution Vulnerability".
April 14, 2015
Microsoft released a security update for HTTP.sys (CVE-2015-1635, MS15-034).
April 15, 2015
Proof-of-concept code for CVE-2015-1635 was released to the public.
Denial of Service (DoS) exploits for CVE-2015-1635 that affect Microsoft IIS are also widely available.
Base Metrics: 10.0
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Temporal Metrics: 8.3 (April 20, 2015)
Exploitability: Functional exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
+ cpe:/o:microsoft:windows_7
+ cpe:/o:microsoft:windows_server_2008:r2
+ cpe:/o:microsoft:windows_8
+ cpe:/o:microsoft:windows_8.1
+ cpe:/o:microsoft:windows_server_2012
+ cpe:/o:microsoft:windows_server_2012:r2
This vulnerability allows a remote attacker to cause a denial of service (BSOD: Blue Screen of Death) or execute arbitrary code via crafted HTTP requests.
The issue is currently under investigation.
Masato Terada (HIRT) and Naoko Ohnishi (HIRT)