Hello, welcome to the Wednesday, May 12, 2021 edition of the Sandtorn and Storm Center's Stormcast.

My name is Johannes Ulrich, and the name I'm recording from Jacksonville, Florida.

Well, it's patched Tuesday, of course, and if you look at sort of the high-level summary,

this patched Tuesday actually doesn't look too bad. It's only 55

vulnerabilities patched, four of them are critical and three vulnerabilities were previously

disclosed, but none of them has so far been exploited. But once you look closer, you may

have discovered the remote code execution vulnerability in the

HTTP protocol stack or HTTP.Sys.

This is labeled as CVE 2021-166 and it's exploitable without any user interaction or authentication. So a neat, warmable vulnerability.

So what is HTTP.Sys? Well, HTTP.Sys is essentially the implementation of the HTTP protocol

stack that Windows is using. IIS, for example, is built on top of it, but not really clear if IS itself is sort of

vulnerable here, but pretty much anything that implements HTTP on Windows, which is a lot of

different piece of software, are likely using HTTP.sys and may be vulnerable here.

What may say if you here is that only specific Windows versions are vulnerable.

First of all, Windows 10, which of course may be used as a web server and often is,

but not doing that by default.

And then Windows Server 20-04 and 20 H2, which of course is the sort of latest and greatest

version of Windows server.

So you may not necessarily have upgraded to these versions.

So one of those rare occasions where keeping, staying a little bit behind the latest and greatest

versions, may actually help you.

Microsoft does rate exploitation of this vulnerability as more likely, and well, with a CVSS

...