Microsoft has patched a critical, wormable flaw in the Windows HTTP Protocol Stack that affects the latest desktop and server versions of Windows, including Windows Server 2022 and Windows 11.
The vulnerability, tracked as CVE-2022-21907 and fixed in last January's security updates, lies in the HTTP Protocol Stack that the Windows IIS web server (Internet Information Services) uses as a protocol listener to process HTTP requests.
Successful exploitation requires a threat actor to send specially crafted packets to a targeted Windows server that relies on the vulnerable HTTP Protocol Stack to process them.
Microsoft advises customers to prioritise patching this vulnerability on all affected servers, since it could allow threat actors to remotely execute arbitrary code in low-complexity attacks that, in most cases, require no interaction from the device's owner.
A mitigation for the critical Windows HTTP vulnerability is available, but only for some versions.
The vulnerability is not currently under attack, and there are no publicly known exploits from threat actors. On some Windows versions, such as Windows Server 2019 and Windows 10, the HTTP Trailer Support feature that contains the flaw is not enabled by default.
Disabling HTTP Trailer Support protects systems running those two versions. However, this mitigation does not apply to the other affected Windows versions.
While home users have yet to apply the security updates, most organisations will be shielded from the newly disclosed flaw, since they do not usually run the latest released versions of Windows.
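The mitigation described above, as an added audit script that is not part of the original article or any Microsoft tooling. It assumes the registry value that controls HTTP Trailer Support is `EnableTrailerSupport` under `HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters` (the value Microsoft's advisory names; it is not stated on this page), and it reports rather than changes state unless run with `-Confirm` or without `-WhatIf`.

```powershell
# Added example (not from the article): report whether this host is covered by
# the HTTP Trailer Support mitigation for CVE-2022-21907 and whether it is in place.
# Assumption: the registry location and value name follow Microsoft's advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# The registry mitigation only helps on the builds the article names
# (Windows Server 2019 and Windows 10); everywhere else, only the patch helps.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$coveredByMitigation = $os.Caption -match 'Windows Server 2019|Windows 10'

# A missing value means trailer support is off (the default on covered builds).
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
$trailerEnabled = ($null -ne $item) -and ($item.$valueName -eq 1)
$valueShown = if ($null -eq $item) { 'absent' } else { $item.$valueName }

if (-not $coveredByMitigation) {
    $status = 'Registry mitigation does not apply; install the security update'
} elseif ($trailerEnabled) {
    $status = 'EXPOSED: trailer support enabled; remove the value and patch'
} else {
    $status = 'Trailer support off (mitigated by default); still install the update'
}

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OperatingSystem     = $os.Caption
    Build               = $os.BuildNumber
    MitigationApplies   = $coveredByMitigation
    TrailerSupportValue = $valueShown
    Status              = $status
}

# Optional remediation on covered builds: remove the value that enables the
# vulnerable feature. Honours -WhatIf / -Confirm so a dry run is the default.
if ($coveredByMitigation -and $trailerEnabled -and
    $PSCmdlet.ShouldProcess("$regPath\$valueName", 'Remove EnableTrailerSupport')) {
    Remove-ItemProperty -Path $regPath -Name $valueName
    Write-Verbose 'EnableTrailerSupport removed; verify with a fresh run of this script.'
}
```

Run it with `-WhatIf` first to see the assessment without touching the registry; removing the value is a stop-gap and does not replace installing the January update.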
Microsoft has fixed several other wormable vulnerabilities in the last couple of years, affecting the Windows DNS server, the Remote Desktop Services platform, and the Server Message Block v3 protocol.
A researcher also disclosed another Windows HTTP RCE flaw, CVE-2021-31166, in May of last year. It was likewise marked as wormable, and the researcher released demo exploit code that could trigger blue screens of death.
Threat actors have yet to abuse these flaws to build wormable malware that spreads on its own between vulnerable Windows systems.