Sysadmins, patch now: HTTP 'pings of death' are spewing across web to kill Windows servers

Found on The Register on Thursday, 16 April 2015

The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability yesterday in a patch numbered MS15-034.

The problem stems from HTTP.sys not safely handling the Range header in an HTTP request; this mechanism is used to fetch part of a file from a server, which is sometimes handy for resuming downloads. If the requested range is set far too large, the Windows kernel crashes.
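Since the trigger is a Range header whose byte offsets are absurdly large, one defensive measure for hosts that cannot be patched immediately is to inspect Range headers at a reverse proxy or in request logs and flag the outliers. The following is an added example (not code from The Register or Microsoft): a small RFC 7233 byte-range parser plus a classifier that marks any range with an offset above a plausible ceiling as suspicious and any unparseable header as malformed. The threshold `MAX_PLAUSIBLE_OFFSET`, the `classify_range`/`triage` helpers and the sample request records are all assumptions constructed for illustration.

```python
import re

# Assumption: no legitimate client on this site fetches offsets beyond 4 GiB.
# Tune per deployment; the point is to separate ordinary resume-download
# ranges from values that could only be an attempt to abuse the header.
MAX_PLAUSIBLE_OFFSET = 2 ** 32

_BYTES_RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_byte_ranges(value):
    """Parse an RFC 7233 Range header value into a list of (start, end) tuples.

    start or end may be None for open-ended forms such as "bytes=1024-" or
    "bytes=-500". Raises ValueError for anything that is not a valid bytes range.
    """
    match = _BYTES_RANGE_RE.match(value)
    if not match:
        raise ValueError("not a bytes range")
    ranges = []
    for spec in match.group(1).split(","):
        spec = spec.strip()
        if "-" not in spec:
            raise ValueError("range spec lacks '-'")
        first, last = spec.split("-", 1)
        start = int(first) if first else None
        end = int(last) if last else None
        if start is None and end is None:
            raise ValueError("empty range spec")
        if start is not None and end is not None and end < start:
            raise ValueError("end before start")
        ranges.append((start, end))
    return ranges


def classify_range(value):
    """Return 'ok', 'malformed' or 'suspicious' for one Range header value."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError:
        return "malformed"
    for start, end in ranges:
        for offset in (start, end):
            if offset is not None and offset > MAX_PLAUSIBLE_OFFSET:
                return "suspicious"
    return "ok"


# Constructed sample of request records as a proxy or log collector might
# expose them; the addresses and paths are illustrative only.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/downloads/setup.exe", "range": "bytes=0-1023"},
    {"src": "10.0.0.5", "path": "/downloads/setup.exe", "range": "bytes=1024-"},
    {"src": "198.51.100.7", "path": "/", "range": "bytes=18-999999999999999999"},
    {"src": "203.0.113.9", "path": "/index.html", "range": "bytes=abc"},
    {"src": "10.0.0.8", "path": "/video.mp4", "range": None},
]


def triage(requests):
    """Group requests carrying a Range header by verdict: verdict -> [(src, path)]."""
    buckets = {"ok": [], "malformed": [], "suspicious": []}
    for req in requests:
        value = req.get("range")
        if value is None:
            continue  # no Range header, nothing to judge
        buckets[classify_range(value)].append((req["src"], req["path"]))
    return buckets


if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_REQUESTS).items():
        print(f"{verdict:10s} {len(hits)} request(s): {hits}")
```

Requests landing in the `suspicious` or `malformed` buckets are the ones worth rejecting with a 400 at the proxy and alerting on, rather than forwarding to an unpatched HTTP.sys; applying MS15-034 remains the actual fix.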

A simple HTTP request that causes a BSOD is a pretty serious problem.