Vulnerability in Windows HTTP.sys Could Allow Remote Code Execution (CVE-2015-1635 / MS15-034)

Summary

A Remote Code Execution vulnerability exists in the HTTP protocol stack (HTTP.sys). This is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. The security update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.

Is your server vulnerable?

The bulletin addresses the vulnerability in the HTTP stack on Windows server versions: Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

If update MS15-034 is not installed, your system is vulnerable. There may be other methods to check an HTTP server remotely, but at the time of this writing only one was available, as a Python script at http://pastebin.com/ypURDPc4.

How to fix

Warning: In order to avoid any risk of data loss or server unavailability, please take the necessary measures to backup your data before applying any patches on your production servers.

To permanently resolve this issue you must apply the latest patch, MS15-034. This patch is available through Windows Update. You may also obtain the specific filenames required for your version of Windows to apply the patch manually via https://support.microsoft.com/en-us/kb/3042553#FileInfo.

A workaround, prior to patching, can be used to temporarily mitigate this issue, but it will affect system performance. To work around the issue, disable the IIS kernel cache, which is enabled by default. The following article describes how to enable it; for this workaround you would disable it instead: https://technet.microsoft.com/en-us/library/cc731903(v=ws.10).aspx
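The local check described under "Is your server vulnerable?" and the kernel-cache workaround above, combined in one script run on the server itself. This is an added example, not part of the original article; it assumes an elevated PowerShell session on a host with the IIS role (WebAdministration module) and uses the KB number 3042553 from the Microsoft link above.

```powershell
# Added example (not from the original article): check a Windows Server host for the
# MS15-034 update and, optionally, apply the temporary IIS kernel-cache workaround.
# Assumptions: elevated session, IIS installed, WebAdministration module available.
#Requires -RunAsAdministrator
param(
    [switch]$ApplyWorkaround   # only disable kernel caching when explicitly requested
)

Import-Module WebAdministration -ErrorAction Stop

# KB3042553 is the update Microsoft ships for MS15-034 (number taken from the article's link).
$kb = 'KB3042553'
# Get-HotFix reads Win32_QuickFixEngineering; a missing ID is a non-terminating error we suppress.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

if ($hotfix) {
    Write-Host "$kb installed on $env:COMPUTERNAME ($($hotfix.InstalledOn)): patched against MS15-034."
} else {
    Write-Warning "$kb not found on $env:COMPUTERNAME: still exposed to CVE-2015-1635 until the update is applied."
}

# Server-wide kernel cache setting lives in applicationHost.config, section system.webServer/caching.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$caching = Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/caching'
Write-Host "IIS kernel cache enabled: $($caching.enableKernelCache)"

if (-not $hotfix -and $ApplyWorkaround) {
    if ($caching.enableKernelCache) {
        # Temporary mitigation from the article: trade cache performance for safety until patched.
        Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/caching' `
            -Name 'enableKernelCache' -Value $false
        Write-Host "Kernel cache disabled. Re-enable it once $kb has been installed."
    } else {
        Write-Host 'Kernel cache already disabled; nothing to change.'
    }
}
```

Run without `-ApplyWorkaround` to report only; the configuration change is written to applicationHost.config and takes effect without restarting IIS.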
