Microsoft provides details of the critical Windows HTTP vulnerability

Microsoft is warning of a critical vulnerability, classified as wormable, affecting the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022. A patch is available and should be installed as soon as possible, Bleeping Computer reports.

With the January Patch Day, Microsoft fixed an HTTP security vulnerability in Windows that attackers can exploit and that can spread like a worm. The flaw is tracked as CVE-2022-21907. It is rated critical and affects the HTTP protocol stack (HTTP.sys), which the Windows Internet Information Services (IIS) web server uses to process HTTP requests. To successfully exploit the vulnerability, threat actors must send malicious packets to targeted Windows servers that use the vulnerable HTTP protocol stack to process packets.

No proof of concept

Microsoft recommends patching this vulnerability on all affected servers as a priority, because it could allow unauthenticated attackers to remotely execute arbitrary code in low-complexity attacks, without requiring user interaction, “in most situations”. In concrete terms, the vulnerability is easy to exploit, even though it has not yet been observed in active attacks.

Feature not enabled by default

In addition, some versions of Windows, such as Windows Server 2019 and Windows 10 version 1809, do not have the HTTP trailer support that contains the bug enabled by default. Only instances where it has been activated are vulnerable.

Yasir Zeb
