📄 Description (English)
Microsoft HTTP.sys Remote Code Execution Vulnerability — Microsoft HTTP protocol stack (HTTP.sys) contains a vulnerability that allows for remote code execution.
🤖 AI Executive Summary
CVE-2015-1635 is a critical remote code execution vulnerability in Microsoft's HTTP.sys kernel-mode driver, commonly known as 'MS15-034' or 'HttpSys RCE'. An unauthenticated remote attacker can send a specially crafted HTTP request with a malicious Range header to exploit this flaw, potentially achieving full system compromise or denial of service on any Windows server running IIS. With a CVSS score of 9.0 and a publicly available exploit, this vulnerability poses an immediate and severe threat to any unpatched Windows web server infrastructure. The ease of exploitation and the prevalence of IIS in enterprise environments make this a high-priority remediation target.
📄 Description (Arabic)
ثغرة في مكدس بروتوكول HTTP من Microsoft (HTTP.sys) تسمح للمهاجمين بتنفيذ أكواد برمجية بشكل بعيد على الأنظمة المتأثرة
🤖 ملخص تنفيذي (AI)
تحتوي مكدس بروتوكول HTTP من Microsoft (HTTP.sys) على ثغرة تسمح بتنفيذ الأكواد البعيدة
🤖 AI Intelligence Analysis Analyzed: Mar 29, 2026 00:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability critically impacts Saudi organizations running Windows Server with IIS across all major sectors. Banking and financial institutions regulated by SAMA are at high risk as IIS is widely deployed for internal portals, online banking platforms, and API gateways. Government entities under NCA oversight using Windows-based web infrastructure face potential full system compromise. Saudi Aramco and energy sector organizations with internet-facing IIS servers are exposed to targeted attacks that could pivot into OT/ICS networks. Telecom providers such as STC and Zain with large Windows server estates face significant denial-of-service and RCE risk. Healthcare organizations using Windows-based patient portals and administrative systems are also at risk. Given the age of this vulnerability, legacy and unpatched systems in Saudi government and semi-government entities remain a realistic concern.
🏢 Affected Saudi Sectors
Banking
Government
Energy
Telecom
Healthcare
Education
Retail
Transportation
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Windows servers running HTTP.sys (IIS-enabled systems) using asset inventory tools or network scanning.
2. Apply Microsoft Security Bulletin MS15-034 patch immediately — KB3042553 for affected Windows versions (Windows 7, 8, 8.1, Server 2008 R2, Server 2012, Server 2012 R2).
3. Prioritize internet-facing IIS servers for immediate patching.
PATCHING GUIDANCE:
- Download and apply KB3042553 from Microsoft Update Catalog.
- Restart the HTTP.sys service or reboot the server after patching.
- Verify patch application using 'wmic qfe list | findstr 3042553'.
COMPENSATING CONTROLS (if patching is delayed):
- Deploy WAF rules to block malicious Range header requests (e.g., block requests with Range: bytes=0-18446744073709551615).
- Disable IIS or HTTP.sys on non-essential servers temporarily.
- Implement network-level filtering to restrict HTTP access to trusted IP ranges.
- Enable IIS request filtering to reject oversized or malformed Range headers.
DETECTION RULES:
- Monitor IIS logs for HTTP requests containing abnormally large or malformed Range headers.
- Create SIEM alerts for HTTP 416 (Range Not Satisfiable) responses in bulk.
- Deploy Snort/Suricata rule: alert tcp any any -> any 80 (content:'Range: bytes='; pcre:'/Range:\s*bytes=\d+-\d{15,}/i'; msg:'MS15-034 Exploit Attempt'; sid:9000001;).
- Monitor for unexpected kernel crashes (BSOD) on IIS servers as an indicator of exploitation attempts.
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع خوادم Windows التي تعمل بـ HTTP.sys (الأنظمة التي تم تمكين IIS عليها) باستخدام أدوات جرد الأصول أو فحص الشبكة.
2. تطبيق تصحيح Microsoft Security Bulletin MS15-034 فوراً — KB3042553 للإصدارات المتأثرة من Windows.
3. إعطاء الأولوية لخوادم IIS المكشوفة على الإنترنت للتصحيح الفوري.
إرشادات التصحيح:
- تنزيل وتطبيق KB3042553 من كتالوج Microsoft Update.
- إعادة تشغيل خدمة HTTP.sys أو إعادة تشغيل الخادم بعد التصحيح.
- التحقق من تطبيق التصحيح باستخدام الأمر: wmic qfe list | findstr 3042553.
ضوابط التعويض (في حالة تأخر التصحيح):
- نشر قواعد WAF لحظر طلبات Range header الضارة.
- تعطيل IIS أو HTTP.sys على الخوادم غير الضرورية مؤقتاً.
- تنفيذ تصفية على مستوى الشبكة لتقييد الوصول HTTP على نطاقات IP الموثوقة.
- تمكين تصفية طلبات IIS لرفض رؤوس Range المشوهة أو كبيرة الحجم.
قواعد الكشف:
- مراقبة سجلات IIS لطلبات HTTP التي تحتوي على رؤوس Range مشوهة أو كبيرة بشكل غير طبيعي.
- إنشاء تنبيهات SIEM لاستجابات HTTP 416 بشكل مجمّع.
- نشر قواعد Snort/Suricata للكشف عن محاولات الاستغلال.
- مراقبة أعطال النواة غير المتوقعة على خوادم IIS كمؤشر على محاولات الاستغلال.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Patch and vulnerability management
ECC-1-3-1: Asset management and classification
ECC-2-3-1: Network security and perimeter protection
ECC-1-5-1: Cybersecurity incident management
ECC-2-2-1: Secure configuration management
🔵 SAMA CSF
Protect: Vulnerability and Patch Management
Protect: Network Security
Detect: Continuous Monitoring
Respond: Incident Response
Protect: Secure Configuration
🟡 ISO 27001:2022
A.12.6.1: Management of technical vulnerabilities
A.14.2.2: System change control procedures
A.13.1.1: Network controls
A.16.1.1: Responsibilities and procedures for incident management
A.12.4.1: Event logging and monitoring
🟣 PCI DSS v4.0
Requirement 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches
Requirement 6.2.4: Software engineering techniques to prevent or mitigate common software attacks
Requirement 11.3.1: Internal vulnerability scans
Requirement 12.10.1: Incident response plan
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:HTTP.sys