Microsoft HTTP.sys Critical Security Patch — engineers already at work

Critical security patches released by Microsoft must be applied immediately

Microsoft has released a bundle of emergency maintenance updates for a large swath of Windows Server. Microsoft releases its updates on the second Tuesday of the month, which is known as “Patch Tuesday” within the industry.
Frequently these updates are released without any issue or fanfare. However, this week saw a larger-than-normal release of updates by Microsoft.
Within these patches is a major vulnerability that Microsoft’s own Security Team classifies as “Critical” in their Security Bulletin MS15-034 release, which accompanies a breakdown of the patches and security updates.
The vulnerabilities Microsoft has uncovered cannot be overstated; if left unaddressed, they could be exploited to launch targeted attacks on nearly any Windows-based system.
There is no impact to customers on our Linux platforms. This is a Microsoft Windows issue only.
Out of 11 updates released in this large release by Microsoft, seven of them are rated as important, and four are classified as “Critical” by Microsoft.
According to Microsoft Security Bulletin MS15-034, “the vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.”
Writing for security website Netcraft, Paul Mutton says that “the critical vulnerability lies within Microsoft’s HTTP protocol stack, known as HTTP.sys.”
Mutton emphasizes the importance of infrastructure and hosting companies performing these updates as soon as possible:
“Given the swift publication of code that could potentially be developed into a practical exploit, it is essential that all Windows server administrators apply the necessary security updates as a matter of urgency.”

What our team is doing for you

Due to the severity of this issue, and the security impact this could potentially have on our customers, we will begin updating our servers immediately with the emergency maintenance patches released by Microsoft.
Nearly every version of Windows on a modern machine is affected and needs to be updated immediately.
The Security Team has conducted a thorough threat assessment and determined that this issue is critical and in need of being immediately addressed with special attention. While our Windows updates are normally scheduled for next week, we are going to start them immediately and verify each server has received the required security update.
We will be updating every single server within our infrastructure in order to protect you, your website, your server, your data, your customers, and your business. We realize that this may be inconvenient to our customers; and we want to emphasize that this is not a decision we have made without considering all of the variables.
Typically, Windows updates take approximately 30 minutes to complete and reboot a server. However, due to the large number of security updates Microsoft has released, our testing shows that these updates are closer to 60-90 minutes to update and implement; and in some rare cases it may take longer.

What happens next?

Much like the major SChannel Security issue that affected Microsoft systems last November, this is an all-hands-on-deck matter to professionals within the hosting and Microsoft spheres of industry. Our team will be working around-the-clock to update infrastructure to ensure that our customers are protected from this threat.
Unfortunately, we are unable to give you a specific time as to when your server will be patched for this important security maintenance. The Team will be performing updates across our infrastructure in all of our global datacenters.
Note that some version of these security patches exist at both the server and the regular level of Windows. If you have home PCs, or your company has Windows desktops or laptops, you should also run Windows Update on them immediately.
We will take care of your server, but we also highly recommend you apply these updates across your home and office networks to close the potential for malicious activity. Simply click on your Windows desktop and run “Windows Update.” Apply all of the updates Microsoft has selected as “Important Updates” by default.
We apologize for any inconvenience this may have upon your business, but know that this is not a decision we have made lightly. Performing an unscheduled maintenance to address this Microsoft vulnerability is the only way to ensure the safety of your website, your business, your customers, and your data.
As always, our team will continue to monitor this important issue and keep you informed.
Works Cited / For Further Reading:
Microsoft Security Bulletin MS15-034. (Microsoft)
List of affected software in HTTP.sys vulnerability. (Microsoft)
Vulnerability in HTTP.sys could allow remote code execution. (Microsoft)
Critical Windows vulnerability affects at least 70 million websites. (Netcraft)
Microsoft releases 11 critical updates and fixes critical HTTP flaw. (