Exploit Code Released for Critical Windows HTTP Flaw
One of the more serious vulnerabilities that Microsoft released fixes for last week–a remotely exploitable bug in the HTTP protocol stack that could be used to deploy a worm–has become even more serious with the publication of proof-of-concept exploit code.
The bug (CVE-2022-21907) can be found in a long list of Microsoft products, including Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022, and presents a clear danger to organizations running vulnerable releases. The attack complexity is quite low, requires no user interaction, and can be exploited with one malicious packet from an unauthenticated user. When Microsoft released ots advisory on Jan. 11, the company warned that the flaw could potentially lead to a network worm.
“In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. Microsoft recommends prioritizing the patching of affected servers,” the advisory says. To complicate matters, there is now publicly available exploit code for the vulnerability. The code is available on GitHub. Researchers said the vulnerability is quite similar to one disclosed last year, also in the HTTP protocol stack.