New IIS security flaw

    April 14, 2015, Microsoft announced a critical vulnerability for IIS in the MS15-034 bulletin. The latter is referenced under code CVE-2015-1635.

    That allows?

    The flaw would allow an attacker to run arbitrary code in the context of the system account. It would also allow a denial of service attack.

    Since when does it exist?

    All versions of windows since Windows7 and windows 2008R2 from the time when IIS is installed.

    Windows 7

  • Windows 7 for 32-bit systems Service Pack 1
  • Windows 7 x 64 Service Pack 1 systems

  • Windows Server 2008 R2
  • Windows Server 2008 R2 for x 64 Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Service Pack 1 systems
  • systems
    Windows 8 and Windows 8.1
  • Windows 8 for 32-bit systems
  • Windows 8 for x 64 systems
  • Windows 8.1 for
  • Windows 8.1 x 64 systems for
  • 32-bit systems
    Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2012 R2

  • Server Core installation option
  • Windows Server 2008 R2 for x 64 Service Pack 1 (Server Core installation) systems
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)

  • How to fix the?

    Update your Windows. The patch was deployed and should be available in the list of updates available via Windows update. More information about the patch here: KB 3042553. A reboot will be required to complete the installation of this update. We recommend that all your backups before starting the operation.
    A workaround solution exists, but it may result in performance issues. It comes to disable the caching of the kernel. (See enable caching of kernel on IIS 7)

    We remind you that it is recommended to regularly update your applications and services, in order to ensure their stability and security.

    If you have a managed or shared benefit, be aware that our teams are already necessary to apply the patch to all of our infrastructure.

Add new comment