Slashdot Mirror


Remote Code Execution Vulnerability Found In Windows HTTP Stack

jones_supa writes: A remote code execution vulnerability exists in the Windows HTTP stack that is caused when HTTP.SYS parses specially-crafted HTTP requests. An attacker who has successfully exploited this vulnerability could execute arbitrary code under the SYSTEM context. Details of the bug are withheld, but exploit code is floating around. Microsoft describes the issue in security bulletin MS15-034. An update (KB3042553) is already available for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. As a workaround, Microsoft offers disabling IIS kernel caching.

119 comments

  1. I'm running Windows ... by cablepokerface · · Score: 2, Funny

    ... so there is a solid 'no carrier' joke in there, I just can't think of o[NO CARRIER]

  2. HTTP.SYS? by GerbilSoft · · Score: 5, Informative
    http://support.microsoft.com/e...

    In Windows Server 2003 and later versions, Http.sys is the kernel mode driver that handles HTTP requests.

    WHY is there a kernel mode driver for HTTP? That's literally begging for security holes.

    1. Re:HTTP.SYS? by Anonymous Coward · · Score: 5, Funny

      Because that makes it easier to share information across your lan when all the computers have an "http stack" rather than asking sys admins to install apache or some other dirty hippy app. The downside is that it makes it easier to share information across your lan.

    2. Re:HTTP.SYS? by ledow · · Score: 1

      Internet-facing service running as SYSTEM.

    3. Re:HTTP.SYS? by abies · · Score: 4, Insightful

      Bundling http support with OS distribution is one thing. Making it a _kernel_ module is a different thing altogether.

    4. Re: HTTP.SYS? by Anonymous Coward · · Score: 1

      So it needs to run as System? It makes no sense to have http parsing in kernel space unless they were edging for performance. This should be at best a user space dll.

    5. Re:HTTP.SYS? by poizan42 · · Score: 4, Informative

      > IIS kernel caching

      For performance reasons probably. It's optional though. I have no idea about real numbers, but there is always some overhead associated with context switches which may be reduced if the http stream is assembled in chunks in kernelspace and control is only switched to userspace when a chunk is ready. Also it may be possible to parse the http stream directly from the buffer that the hardware writes the received data to without the overhead of copying the packets to userspace.

    6. Re:HTTP.SYS? by Begemot · · Score: 5, Informative

      WHY is there a kernel mode driver for HTTP? That's literally begging for security holes.

      The reasons are clearly described here

    7. Re: HTTP.SYS? by poizan42 · · Score: 5, Informative

      The user context doesn't really matter when it runs in kernel space as nothing can stop you from just replacing the user context. Why http parsing is done in kernel space is exactly to maximize performance. As mentioned in TFS you can disable it if you want to. One could argue that it shouldn't be on by default because it doesn't give you much if you are serving dynamic content.

    8. Re:HTTP.SYS? by Dr_Barnowl · · Score: 4, Insightful

      And they're fucking stupid reasons.

      HTTP requests are raw user input. You don't want raw user input anywhere near a kernel module.

      Kernel-mode caching. Requests for cached responses are served without switching to user mode.

      If you hadn't put an HTTP handler in the kernel, you wouldn't need a switch of context.

      Kernel-mode request queuing. Requests cause less overhead in context switching, because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.

      You could do that in a user process.

      When a worker process fails, service is not interrupted; the failure is undetectable by the user because the kernel queues the requests while the WWW service starts a new worker process for that application pool.

      You could do that in a user process too.

      Requests are processed faster because they are routed directly from the kernel to the appropriate user-mode worker process instead of being routed between two user-mode processes.

      And there's the real reason it's done - it should say "IPC sucks real bad in Windows, so we made this stupid, stupid, idiotic hack to try and compete with that other OS we're not mentioning."

    9. Re:HTTP.SYS? by PPH · · Score: 4, Insightful

      The reasons are clearly described here

      I read through that and didn't see anything about "We're all idiots".

      Their reasons involve context switching and interprocess communications. Context switching has got to happen (unless they run IE in kernel space) so just get it over with. Interprocess communication has always been a weakness in Microsoft systems. Since day one. Multitasking OSs are here, folks. Get over DOS.

      --
      Have gnu, will travel.
    10. Re:HTTP.SYS? by Anonymous Coward · · Score: 5, Informative

      HTTP requests are raw user input. You don't want raw user input anywhere near a kernel module.

      All network input is raw user input, and all passes through a kernel module before being passed to the application in user mode. With varying levels of parsing of course. After all the kernel handles protocols like TCP IPSec etc. HTTP does seem a particularly complex protocol to implement in the kernel though, meaning more risk of bugs.

      If you hadn't put an HTTP handler in the kernel, you wouldn't need a switch of context.

      You would. This receives the network request and responds to it from a cached copy without passing the request to the web server. Not doing so would mean a context switch to the server application.

      Requests are processed faster because they are routed directly from the kernel to the appropriate user-mode worker process instead of being routed between two user-mode processes.

      And there's the real reason it's done - it should say "IPC sucks real bad in Windows, so we made this stupid, stupid, idiotic hack to try and compete with that other OS we're not mentioning."

      You are misunderstanding the statement. This is not for IPC (it's for caching static content so useless as such). The 'appropriate user-mode worker[s]' they mean are a caching http proxy and http server. They have moved the caching proxy into the kernel. Of course you could also implement it within the server, but doing it in kernel means even less context switches to respond to a request from the network.

      You could do that in a user process.

      You could do that in a user process too.

      Absolutely. It was done so first. This was purely done as an optimisation for high-volume environments. Doesn't mean it should be on by default.

    11. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      Ya, because Linux would never do something like that...

      http://en.wikipedia.org/wiki/TUX_web_server

    12. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      WHY is there a kernel mode driver for HTTP? That's literally begging for security holes.

      The reasons are clearly described here

      They left out: * To provide the NSA, agencies of other governments, and random hackers the ability to root your system.

    13. Re:HTTP.SYS? by BreakBad · · Score: 5, Funny

      Still waiting for my kernel level adware module, oh wait, this new feature can do that too! Yay.

      Today's security patch is brought to you by Nike!!!

    14. Re:HTTP.SYS? by tlhIngan · · Score: 1

      Their reasons involve context switching and interprocess communications. Context switching has got to happen (unless they run IE in kernel space) so just get it over with. Interprocess communication has always been a weakness in Microsoft systems. Since day one. Multitasking OSs are here, folks. Get over DOS.

      The bug here affects the HTTP server side, not IE.

      And in HTTP servers, there are a LOT of context switches - in basic static file handling mode, you read a file (syscall to read file), then you write it to a socket (syscall to write to socket). In effect, a webserver is just copying from two file handles, and incurring a kernel-usermode transition twice every round.

      Add in a moderately busy webserver and you could be spending significant amounts of time just switching between modes.

      Using larger buffers helps, but if your site consists of lots of little files, it's still the bottleneck.

      Linux has similar functionality - see sendfile(2) and splice(2), among other commands to actually manipulate in-kernel memory buffers.

      In fact, doing it in the kernel has an added bonus - if you support zero-copy, no copies are made rather than potentially having to copy to/from userspace (more overhead).

      Of course, in the Linux model, all the processing happens in user mode and only the tedious file copying is accelerated which ups security.

    15. Re:HTTP.SYS? by Anonymous Coward · · Score: 0, Troll

      Bundling http support with OS distribution is one thing. Making it a _kernel_ module is a different thing altogether.

      You mean like this?

      http://lwn.net/Articles/580419...

    16. Re:HTTP.SYS? by Anonymous Coward · · Score: 3, Insightful

      You mean where it was removed from the kernel into userspace because everyone realized it was a bad idea?

    17. Re:HTTP.SYS? by ledow · · Score: 5, Insightful

      OSI layering model?

      The kernel shouldn't be peering into packets for data. It should (just/only) deal with the TCP packet information (and in a strictly confined way so you don't get things like the age-old flag attacks on TCP packets) and route accordingly.

      It shouldn't ever be peering down into the HTTP packet itself and acting upon it as the attack surface is SO MUCH larger on a complicated application protocol.

      P.S. What happens if SPDY becomes a standard? How does Microsoft migrate to HTTP/2 etc.? We're talking a KERNEL upgrade for an ever-evolving protocol, and that's just stupid.

      But it's a good way to obsolete old OS, no doubt. Sorry, but Server 2008 can't handle HTTP/2 so we're just abandoning it - unless of course you want to turn off kernel-level IIS and run some dog-slow configuration, etc.

      Putting something into the kernel just because it could mean less context switches in a particular application is a poor excuse and just shows bad respect for kernel-space.

      Having it on by default is suicide.

    18. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      Performance. What makes iis outperform other web servers on windows is because its connection queuing is kernel level and not userland.

    19. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      In other words select() sucks.

    20. Re:HTTP.SYS? by NotInHere · · Score: 1

      I have been told that Windows NT uses a microkernel, that it delegates most of its tasks to lower privileged processes. Now I hear that windows does http parsing in kernel space. HTTP PARSING. Not even systemd manages to do this. I would expect design decisions like this for DOS, but not for an OS that claims to have a microkernel.
      Staying with my "monolithic" penguin OS.

    21. Re:HTTP.SYS? by poizan42 · · Score: 4, Informative

      Turns out it's not actually on by default. You have to add a caching rule and check the "Enable Kernel Caching" checkbox.

    22. Re: HTTP.SYS? by poizan42 · · Score: 3, Informative

      Let me correct myself here - it's not even on by default. You have to actually check a "Enable Kernel Caching" checkbox to turn it on. People are spending way too much time bashing a feature that's opt-in.

    23. Re: HTTP.SYS? by Anonymous Coward · · Score: 0

      For the same reason SSL is also done in the kernel: because I/O completion ports are very difficult to compose. If you want to make it easy to code for I/O completion ports, it makes sense to put all of these things in kernel space so you can more easily stack them.

      Compare Unix polling APIs. It's much easier to stack them without creating callback hell, assuming they're designed correctly (restartable requests, not callback based).

      Performance is another reason, but only because they're lazy. They could get just as good performance in userspace if they tried.

    24. Re:HTTP.SYS? by gweihir · · Score: 1

      Because MS OS "architecture" sucks and they cannot match the performance of the competition without dirty tricks. These tricks come at a high price with regards to security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    25. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      Damn TUX!

    26. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      For the love of bob, STOP INTERRUPTING THE OPEN SORES MICROSOFT BASHING CIRCLE JERK! We will soon be polishing Linus' knob.

      Herp derp herp derp herp derp derp herp derp herp derp derp herp derp herp derp

    27. Re:HTTP.SYS? by operagost · · Score: 1

      Pretty much everything you have just said is wrong. NT is not a microkernel, and if it ever was, it stopped being so by NT 4.0. And the parsing is not done in kernel space. HTTP.SYS is not a parser, it is a listener.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    28. Re:HTTP.SYS? by ledow · · Score: 1

      I have never ticked that box.

      Yet my servers have it on.

      I'm not saying you're lying, but something, somewhere turned that on and it wasn't me.

    29. Re: HTTP.SYS? by Anonymous Coward · · Score: 1

      Let me correct myself here - it's not even on by default. You have to actually check a "Enable Kernel Caching" checkbox to turn it on. People are spending way too much time bashing a feature that's opt-in.

      I did not opt-in and it is on, I checked several of our IIS Web servers all have it turned on and we did not opt-in to that.

    30. Re:HTTP.SYS? by Anonymous Coward · · Score: 3, Informative

      According to this page IT IS on by default.

      https://technet.microsoft.com/en-us/library/cc731903%28v=ws.10%29.aspx

      "By default, kernel caching is enabled in IIS 7. "

    31. Re:HTTP.SYS? by NetCow · · Score: 3, Informative

      It's on by default in 2008, 2008R2, Vista, 7. Quoth Enable Kernel Caching (IIS 7):

      Note: By default, kernel caching is enabled in IIS 7.

    32. Re:HTTP.SYS? by NetCow · · Score: 1

      I completely agree with you that doing complex parsing in the kernel is stupid. And I'll make your day just that little bit worse:

      Remember TTF and OTF which evolved into WOFF? Those flexible but very complex font file formats, optionally with bytecode that's actually JITted? That can be embedded into webpages therefore are interpreted by the underlying font rendering services regardless of browser used?

      Windows parses them in the kernel.

    33. Re:HTTP.SYS? by Anonymous Coward · · Score: 0

      Actually, you are the one who is wrong. NT was designed as a microkernel and remains so. This has been endlessly documented and commented on for, what, 20 years? But do carry on.

    34. Re: HTTP.SYS? by deek · · Score: 2

      Actually, according to the Microsoft Technet article linked in the story, kernel caching is enabled by default in IIS 7.

    35. Re:HTTP.SYS? by cant_get_a_good_nick · · Score: 1

      1) Literally?

      2) This is actually pretty common, witness the TUX Linux kernel web server a few years ago.

      Why? The same reason anything is dumped into kernel mode. Speed. Got a few thousand hits per second? Drop your userspace code into kernel space, and now you're eliminating a few thousand user-kernel space swap outs per second. Problems? Yeah, let's have a fairly complicated protocol that is designed to be poked at (and therefore hacked at) remotely dropped into the kernel. That and complicated data structures and kernel memory management don't mix well sometimes.

      I agree with you. I thought TUX was a bad idea when it came out. Now imagine a new protocol without all the design bugs sorted out, without all the implementation bugs sorted out (I'm looking at you HTTP/2.0 SPDY) dropped into the kernel.. Oy Vey! the pain!

    36. Re:HTTP.SYS? by cant_get_a_good_nick · · Score: 1

      You could have apache installed by default (witness MacOS X) and run from userspace, you don't need it in the kernel by default.

    37. Re:HTTP.SYS? by rdnetto · · Score: 1

      The reasons are clearly described here

      I read through that and didn't see anything about "We're all idiots".

      Their reasons involve context switching and interprocess communications. Context switching has got to happen (unless they run IE in kernel space) so just get it over with. Interprocess communication has always been a weakness in Microsoft systems. Since day one. Multitasking OSs are here, folks. Get over DOS.

      If your context switches are too slow, the correct solution is to fix the kernel or add syscalls to reduce the overhead (see sibling post). Moving parts of your application into kernel-space is bad design no matter how you look at it. (Besides, wasn't it only a few years ago they had a vulnerability in their kernel-mode font driver?)

      --
      Most human behaviour can be explained in terms of identity.
  3. Why the hell ... by gstoddart · · Score: 4, Informative

    Why oh why would you put the parsing of HTTP at the kernel level?

    Why does Microsoft consistently fail to understand that if you make something inherent to the OS it becomes a bigger security risk?

    This just makes no sense to me, no more than embedding IE so deeply into the OS they said they couldn't remove it.

    This is the kind of stuff which needs to be in userspace, not the friggin OS.

    --
    Lost at C:>. Found at C.
    1. Re:Why the hell ... by Anonymous Coward · · Score: 0, Troll

      Why does Microsoft consistently fail to understand that if you make something inherent to the OS it becomes a bigger security risk?

      C'mon man - stop with the bullshit pretending that Microsoft doesn't work closely with spy agencies to embed vulnerabilities. Grow a pair and face reality.

    2. Re:Why the hell ... by Z00L00K · · Score: 3, Interesting

      It's easier that way - no need to be concerned with rights management. You can also get performance benefits from having it as a kernel driver.

      But we also see the disadvantages - security holes.

      I suspect that this also influences Windows XP, and it's quite interesting that a lot of ATMs and other embedded systems still use XP.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Why the hell ... by Khyber · · Score: 1

      Given Windows Server 2003 is vulnerable but no mention of Windows 2000, the only version of XP that would likely be affected would be the x64 version, which was built on 2K3 Server. Vanilla XP was built on Windows 2000.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:Why the hell ... by Grishnakh · · Score: 2, Insightful

      I disagree; I applaud MS's decision to put it in the OS kernel, and I think they should move more stuff there, security be damned. I just wish they'd be more honest and tell everyone that they really don't care about security.

      Then, anyone who continues to use MS products will get what they deserve.

    5. Re:Why the hell ... by Anonymous Coward · · Score: 1

      According to an interview with a developer of windows, "this was done entirely for performance reasons"

    6. Re:Why the hell ... by Anonymous Coward · · Score: 0

      Just wait till you see all the embedded crap in Windows 10

    7. Re:Why the hell ... by wonkey_monkey · · Score: 2

      I wouldn't count on that logic:

      The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected.

      XP and 2000 certainly fall into one of those categories...

      --
      systemd is Roko's Basilisk.
    8. Re:Why the hell ... by ITRambo · · Score: 1

      This may be one unfortunate result of Bill Gates integrating IE deeply into Windows in order to crush Netscape, and not be nailed by the Feds for doing so in United States v. Microsoft Corporation in 2001.

    9. Re:Why the hell ... by Anonymous Coward · · Score: 0

      After 20+ years of similar headlines, I should think anyone willing to learn, did.

    10. Re:Why the hell ... by Grishnakh · · Score: 0

      Another typical Microsoft shill. How much do they pay you to sit around and troll message boards?

    11. Re:Why the hell ... by Grishnakh · · Score: 0

      Exactly. This lackadaisical attitude towards security is par for the course with them.

    12. Re:Why the hell ... by Just+Some+Guy · · Score: 5, Informative

      Why oh why would you put the parsing of HTTP at the kernel level?

      They probably saw that FreeBSD has been doing it for 15 years and thought it might be a good idea.

      This is the kind of stuff which needs to be in userspace, not the friggin OS.

      Apparently not everyone agrees with that.

      I'm in no way a Microsoft apologist, but it's not like a senior engineer rolled out of bed one morning, smoked some crack, and yelled "hey, let's break some crap today!" Lots of stuff is done in kernel mode in Linux and the BSDs - like all kinds of graphical mischief - and MS probably does the same things for the same reasons.

      --
      Dewey, what part of this looks like authorities should be involved?
    13. Re:Why the hell ... by ArchieBunker · · Score: 1

      Give it up already. You really think there are paid shills on this poor excuse for a website? How many visitors does Slashdot get per day compared to some place like Reddit? I'm sure Linux will be the dominant desktop OS any decade now.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    14. Re:Why the hell ... by Anonymous Coward · · Score: 0

      This is the year of the linux desktop. Just like last year. And the year before. And the year before. We have also always been at war with Eastasia.

    15. Re:Why the hell ... by Anonymous Coward · · Score: 0

      Did you even bother to note that this driver deals ONLY with static delivery of cached web content AND that it requires the user to create a caching rule AND enable caching via a checkbox that is off unless the user enabled it?

      Or is that far too much nuance for an old blind troll like yourself? Time to crawl back under your bridge and back to your CLI-based demesne.

      -AC

    16. Re:Why the hell ... by operagost · · Score: 1

      No, Windows 2000 Professional was built on Windows 2000.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    17. Re:Why the hell ... by Zordak · · Score: 3, Funny

      but it's not like a senior engineer rolled out of bed one morning, smoked some crack, and yelled "hey, let's break some crap today!"

      How else do you explain WindowsME and Vista?

      --

      Today's Sesame Street was brought to you by the number e.
    18. Re:Why the hell ... by operagost · · Score: 1

      They're not parsing HTTP in the kernel. HTTP.SYS is a listener.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    19. Re:Why the hell ... by Just+Some+Guy · · Score: 1

      How else do you explain WindowsME and Vista?

      I don't, and neither can anyone else.

      --
      Dewey, what part of this looks like authorities should be involved?
    20. Re:Why the hell ... by Anonymous Coward · · Score: 0

      They probably saw that FreeBSD has been doing it for 15 years and thought it might be a good idea.

      Yes, but that's a BSD. A real OS. We're talking Windows here. Those warnings about this stunt being performed by trained professionals on a closed track and not trying this at home just because it looks cool is there for a reason folks!

    21. Re:Why the hell ... by cant_get_a_good_nick · · Score: 1

      They probably saw that FreeBSD has been doing it for 15 years [freebsd.org] and thought it might be a good idea.

      Though I thought of this too, it's a majorly different level of parsing, and therefore much smaller attack surface.

      MS has a full HTTP stack in the kernel. FreeBSD accept filters (including the http_filter) do a minimal check, then pass the full request to userspace - no heavy parsing in the kernel. I think the http_filter just looks for GET/HEAD/WHATEVER_SCHEME and a few other minimal things, and then tells httpd "here ya go"

    22. Re:Why the hell ... by Just+Some+Guy · · Score: 1

      That's true, but I see it as a matter of degree. Windows does a lot more, sure, but FreeBSD is still doing some HTTP parsing in a kernel module.

      --
      Dewey, what part of this looks like authorities should be involved?
  4. Hmm by koan · · Score: 2

    I'm against "withholding details" if anything there should be an established web page that releases the exploit as soon as it is found FORCING M$ and Apple to take it more seriously.

    char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Hmm by ledow · · Score: 1

      And the problem is - that's a well-documented problem with other web servers historically and quite simple bounds-checking at fault there.

      Seriously, MS, audit your damn basics occasionally.

      I always shudder when I think of the MS software operating on the frontline of a business's Internet connection.

    2. Re:Hmm by SirAudioMan · · Score: 1

      Me too! Me too!

    3. Re:Hmm by Anonymous Coward · · Score: 0

      I'm against "withholding details" if anything there should be an established web page that releases the exploit as soon as it is found FORCING M$ and Apple to take it more seriously.

      char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

      That's not enough information. What happens after that request is sent? Where does the attacker place the x86 code he wants to execute?

    4. Re:Hmm by jo_ham · · Score: 2, Insightful

      I'm against "withholding details" if anything there should be an established web page that releases the exploit as soon as it is found FORCING M$ and Apple to take it more seriously.

      char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

      How are they not taking it seriously? The summary mentions that patches are already available, plus a method to prevent the exploit occurring on a non-patched machine.

      What else did you want them to do to prove they were taking the exploit seriously?

    5. Re:Hmm by Anonymous Coward · · Score: 0

      I'm against "withholding details"

      So you want the precise exploit details to be published by Microsoft? What would this accomplish but just cause more damage? The problem has been fixed, let's move on. There's no need to wank more around it.

      Did you know that even in open source there are constantly discreet security patches which might show in changelog as "security improvements" but no big detailed announcement is made about them?

    6. Re: Hmm by Anonymous Coward · · Score: 0

      Not implement the shit in kernel space to begin with is a start. We see Microsoft's true colors here. Performance > Security every single time. Twice on patch Tuesdays ;)

    7. Re:Hmm by koan · · Score: 1

      What else did you want them to do to prove they were taking the exploit seriously?

      Well I'm not writing a book for you, and someone else already covered an example.

      Why don't you tell me the answer to your questions.

      --
      "If any question why we died, Tell them because our fathers lied."
    8. Re:Hmm by WaffleMonster · · Score: 1

      char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

      Brings back old memories of web servers losing their marbles after seeing post requests with maliciously selected content-length headers. Guess some never learn.
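
A defender-side check for the Range request quoted in this subthread, as an added example that is not part of the original thread or of any Microsoft code: it parses the Range header of a raw HTTP request and flags byte offsets at or above 2^63, which covers the 18446744073709551615 (2^64 - 1) end offset in the quoted request. The function names, the 2^63 threshold and the sample requests are assumptions constructed for illustration.

```python
import re

U64_MAX = 2**64 - 1        # 18446744073709551615, the end offset in the quoted request
SUSPICIOUS_FLOOR = 2**63   # assumed threshold: no real resource is this large

# One byte-range-spec: "first-last", "first-" or "-suffix" (ASCII digits only).
_RANGE_SPEC = re.compile(r"^\s*([0-9]*)\s*-\s*([0-9]*)\s*$")


def parse_byte_ranges(value):
    """Parse 'bytes=a-b,c-,-d' into [(first, last)], None marking an omitted side.

    Returns None when the value is not a syntactically valid bytes range.
    """
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def range_findings(value):
    """Return the reasons (possibly none) why a Range header value looks abnormal."""
    ranges = parse_byte_ranges(value)
    if ranges is None:
        return ["malformed Range value: %r" % value]
    reasons = []
    for first, last in ranges:
        for offset in (first, last):
            if offset is None:
                continue
            if offset > U64_MAX:
                reasons.append("offset %d does not fit in 64 bits" % offset)
            elif offset >= SUSPICIOUS_FLOOR:
                reasons.append("offset %d is at the top of the 64-bit range" % offset)
        if first is not None and last is not None and last < first:
            reasons.append("range %d-%d ends before it starts" % (first, last))
    return reasons


def scan_request(raw):
    """Inspect every Range header in a raw HTTP request (bytes); return all findings."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":   # header names are case-insensitive
            findings.extend(range_findings(value.strip()))
    return findings


# Constructed sample input: the request quoted in the thread, plus two made-up ones.
QUOTED_REQUEST = (b"GET / HTTP/1.1\r\nHost: stuff\r\n"
                  b"Range: bytes=0-18446744073709551615\r\n\r\n")
BENIGN_REQUEST = (b"GET /video.mp4 HTTP/1.1\r\nHost: example.test\r\n"
                  b"Range: bytes=0-1023\r\n\r\n")
MIXED_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"range: bytes=0-499, 500-9223372036854775808\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("quoted", QUOTED_REQUEST),
                       ("benign", BENIGN_REQUEST),
                       ("mixed", MIXED_REQUEST)):
        print(label, scan_request(req) or "ok")
```

The same predicate can sit in a reverse proxy or log pipeline in front of unpatched hosts; it complements, and does not replace, the KB3042553 update named in the summary.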

    9. Re:Hmm by jo_ham · · Score: 0

      What else did you want them to do to prove they were taking the exploit seriously?

      Well I'm not writing a book for you, and someone else already covered an example.

      Why don't you tell me the answer to your questions.

      This isn't a test. What is this? High school?

      The fact that you're being acutely defensive suggests to me that you just wanted to engage in some good old fashioned Microsoft bashing with nothing constructive to add in the safety of slashdot.

      As far as how I would answer my own question, based on my original assertion that they have already taken it seriously; nothing.

      However, since you suggested that they have not taken the exploit seriously enough, I wondered how exactly our positions differed (since I can't read your mind) and what exactly they would have to do so that you and I agreed that they were taking it seriously enough.

      Remember, I already think they are taking it seriously enough based on the release of patches back to win 7 and a workaround given for non-patched machines, so my answer is "nothing", but that clearly can't be your answer because otherwise we'd agree.

    10. Re:Hmm by koan · · Score: 1

      Or am I...

      --
      "If any question why we died, Tell them because our fathers lied."
    11. Re:Hmm by koan · · Score: 1

      I miss winnuke and IRC.

      --
      "If any question why we died, Tell them because our fathers lied."
  5. Vulnerabilities are profitable. by Anonymous Coward · · Score: 0

    WHY is there a kernel mode driver for HTTP? That's literally begging for security holes.

    Microsoft makes more money if there are vulnerabilities. Many people with corrupted computers buy new computers.

  6. Don't see what the big deal is... by alexjplant · · Score: 4, Funny

    Just REM it out of your AUTOEXEC.BAT, flip the power clunker... er, switch, then flip it back on. Problem solved! Nobody will be able to h4x0r your beige box ever again! ...oh, sorry. I saw .SYS and thought we were stuck in 1996 AD.

    1. Re:Don't see what the big deal is... by __aabppq7737 · · Score: 0

      there is no autoexec.bat in windows NT

    2. Re:Don't see what the big deal is... by Anonymous Coward · · Score: 0

      Why are you still using NT? It was EOL'd years ago!

    3. Re:Don't see what the big deal is... by Anonymous Coward · · Score: 2, Informative

      "Windows NT" includes basically... every Windows OS since 1993 to date; including Windows 10 that hasn't even come out yet.

      So, no. It wasn't EOL'd, as you so put it.

    4. Re:Don't see what the big deal is... by Anonymous Coward · · Score: 0

      Oh my god you're a fucking idiot.

    5. Re:Don't see what the big deal is... by Anonymous Coward · · Score: 0

      Hi pot, meet kettle.

    6. Re:Don't see what the big deal is... by operagost · · Score: 1

      My media center said GRUB when I turned it on, so I thought we were back in 1999.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    7. Re:Don't see what the big deal is... by steelfood · · Score: 1

      You joke, but some parts of Windows actually are stuck in 1996. And that's not even getting into userspace apps.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    8. Re:Don't see what the big deal is... by Anonymous Coward · · Score: 0

      thought we were stuck in 1996 AD.

      I can confirm. We are stuck in the 1996 version of Active Directory.

    9. Re: Don't see what the big deal is... by mordjah · · Score: 1

      wooosh!

      --
      "A mind reader? That sounds like sci fi." "Honey, we live on a space ship"
  7. This was already covered... by __aabppq7737 · · Score: 1
    1. Re:This was already covered... by wonkey_monkey · · Score: 2

      This was already covered...

      It wasn't covered. It looks like your submission didn't make it out of the firehose, probably because, to be bluntly honest, it's not very well written.

      --
      systemd is Roko's Basilisk.
    2. Re:This was already covered... by jones_supa · · Score: 1

      I loved the "RESTART YOUR SYSTEMS IMMEDIATELY" part. That would have kicked ass in the front page.

  8. Who's laughing now? by AndyKron · · Score: 2, Insightful

    Most people laugh at the Amish, but they're laughing at us.

    1. Re:Who's laughing now? by NotInHere · · Score: 2

      Who's laughing now?

      Linux users.

    2. Re:Who's laughing now? by Anonymous Coward · · Score: 0

      Friends don't let friends use IIS

    3. Re:Who's laughing now? by Anonymous Coward · · Score: 0

      Who's laughing now?

      Linux users.

      Both of them?

    4. Re:Who's laughing now? by Anonymous Coward · · Score: 0

      Because they've had a kernel web server for years.

    5. Re:Who's laughing now? by operagost · · Score: 1

      The Amish have REALLY slow web servers. The latency of those horse-drawn wagons is really bad, but on the bright side they are pretty big so the bandwidth is good if you use really small type on the hand-operated printing press.

      Also, kernel panics are rare-- usually just when it's the end of the corn growing season, and some idiot on a motorcycle spooks the horse.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    6. Re:Who's laughing now? by Anonymous Coward · · Score: 0

      And the one Minix user.

  9. *ahem* by ArchieBunker · · Score: 1

    Did you forget about kHTTPd?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:*ahem* by Penguinisto · · Score: 0

      Nope, but you're comparing apples to electric chairs, and here's why:

      "kHTTPd handles only static (file based) web-pages, and passes all requests for non-static information to a regular userspace-webserver such as Apache or Zeus."

      ...from the kHTTPd site page, right up front.

      IIRC, The 'doze version tries to handle and serve *all* requests, for *anything* httpd-related (because, as an above poster had aptly mentioned, Windows IPC basically blows goats.)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:*ahem* by Anonymous Coward · · Score: 0

      Umm....IIS is a userspace-webserver.

      It's only the parsing of the HTTP request that is done in kernel. kHTTPD (or TUX) would have to do the same, just to determine whether the request is static.

    3. Re:*ahem* by poizan42 · · Score: 1

      The kernel driver only handles cached pages. It does less than kHTTPd.

  10. Tux? by Anonymous Coward · · Score: 0

    How does this compare to Tux?

  11. A flaw in *WINDOWS*?! by BronsCon · · Score: 1

    For all the trolls that keep screaming about how insecure Linux is when a vulnerability is discovered in something like Bash (which is used by the BSDs, including OSX, and can also run on Windows), OpenSSL (a library used by many applications which run on many platforms, but not used by Linux itself), or any other library or application capable of running on the platform, please allow me to take this opportunity to point out that this is a critical vulnerability in Windows itself and not just some 3rd-party application or library. Still feel superior? Also consider that Windows libraries and applications are rife with exploits, as well.

    Now that the trolls are dealt with, let me point out that every platform has flaws. Every single one. They were all written by humans and humans are inherently flawed. That's just a fact of life. Further, an operating system is a god damn tool, not an ideology. Who cares if someone uses Craftsman, Snap-On, or generic stuff from Harbor Freight? Nobody. So why all the fighting over OSes? It's a tool, you pick the one that works best for you for a particular task, and you use it. Who gives a flying rat's ass what tool someone else decides to use for whatever task(s) they need to carry out?

    Personally, I use whatever OS suits a given task. For me, it's (currently, as this has been known to change as each platform improves) OS X for the desktop, Linux for my servers (though I've been eying a jump to one of the BSDs lately), and Windows pretty much for testing and the handful of occasional-use apps that don't run anywhere else. Windows isn't a tool I have much of a use for these days, but it's still just a tool and, while I feel there are better options, I recognize that those aren't options for everyone, so, let them use Windows if they so choose (or require).

    I'm really not sure what's so difficult about that.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    1. Re:A flaw in *WINDOWS*?! by The-Ixian · · Score: 1

      I have been saying this for years and I almost believe it myself now.
       
      The fact is, I have biases and these biases shift over time.
       
      I always tell myself that I am giving people the best advice I can, but upon self analysis, I hardly ever recommend MACs to people because I just sort of don't like Apple because of encounters I have had over the years with zealot fanboys. I sort of have the same feelings toward Cisco.... every Cisco tech I have ever met looked down their nose at me... for that reason I normally deploy Adtran, HP or SonicWALL.
       
      I guess my point is that we all like to think that we are being unbiased and use the tools that work best, but my feeling is that most people just end up using the tools they are most comfortable with and carry stories that help justify their decisions.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:A flaw in *WINDOWS*?! by BronsCon · · Score: 1

      That may be true for most people, but as someone who uses *all* of the tools, I can tell you I'm certainly using the ones that work best. Your Cisco example is weak simply for the fact that part of "working" is being supported comfortably, which is clearly not the case for you when it comes to Cisco gear, so Cisco simply doesn't work for you. That's fair, as well.

      I totally get the issues with zealotry amongst Apple users. I have a friend who thinks Apple can do no wrong; he's one of the brightest people I know and it pains me to see him so blindly following when I've come to know him as a leader. That doesn't stop me from using the tools, though, I just know I have to be careful in how and when I go about suggesting them.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:A flaw in *WINDOWS*?! by Anonymous Coward · · Score: 0

      Honestly, I'd say a single remotely exploitable flaw found in a well publicized and notorious component that has been in production for over a decade is pretty darn good. People were claiming that http.sys would result in constant massive kernel exploits back in 2002/2003.

      Of course it's still one flaw too many.

  12. DEVELOPERS! DEVELOPERS! DEVELOPERS!!!! by Anonymous Coward · · Score: 0

    For the average windows developer security & adherence to protocols means nothing. http has been around for almost 40 years.........

  13. Because competing on an even playing field is hard by EndlessNameless · · Score: 1

    Microsoft introduced HTTP.SYS in Server 2003 to improve IIS 6.0 performance. They really wanted to beat Apache.

    Each application pool has a dedicated request queue in HTTP.SYS, which provides very fast and low-latency network performance. This advantage may have been more significant on the slower machines of the time than it is today.

    I am not a web developer or web admin, so I don't know how important the performance is---but I doubt it outweighs the security shortcomings.

    As other OS functions (such as Windows Update) use the functionality provided by HTTP.SYS, this insecure design is difficult to fix.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  14. It was done for speed... apk by Anonymous Coward · · Score: 0

    See subject: It's a fact, used to be in usermode (Linux does it the same in kernelmode too).

    APK

    P.S.=> Thank goodness there's a work-around https://technet.microsoft.com/... (disabling the caching shown there) AND also, A FIX EXISTS ALREADY https://www.microsoft.com/en-u... also ... apk

  15. Correct & Incorrect... apk by Anonymous Coward · · Score: 0

    See subject: Patch exists already https://www.microsoft.com/en-u... (I had it on Patch Tuesday yesterday).

    (That's your "Incorrect")

    Your "CORRECT" was what I alluded to (except I stated it was Linux doing it that way, when YOU are MORE CORRECT than I was, stating it's Apache) here -> http://tech.slashdot.org/comme...

    * "Tit for tat", & that's that...

    APK

    P.S.=> I am GLAD I ran into your post - I assumed Linux was like Windows Server is, having its OWN (literally its own, not 3rd party app on distro media possibly, or rather, as you point out) webserver, when in reality, it's Apache - I did however correctly REMEMBER THE REASON WHY it was done: SPEED... apk

  16. Doesn't matter: A patch exists... apk by Anonymous Coward · · Score: 0

    See subject: It was out yesterday/"Patch Tuesday" -> https://www.microsoft.com/en-u... already... so the "Pro-*NIX" trolls so-called 'point' would be MOOT...

    APK

    P.S.=> This article makes it SOUND as if it's "just happened & wasn't patched" which is purest b.s. ... apk

    1. Re:Doesn't matter: A patch exists... apk by BronsCon · · Score: 1
      Oh, wow, I got a response from the famed APK. I feel like I should be honored and, yet, I'm not.

      Somehow, Heartbleed and Shellshock mattered, even though they were patched the very same day they were disclosed, but this doesn't matter for the same reason?

      As for your claim of purest bullshit, I'm pretty sure the summary clarified that there was a patch already available by stating:

      An update (KB3042553) is already available

      with the caveat of only being available for:

      all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

      Looks like the ~17% of users still on XP are boned this time. I see why you say the *NIX "trolls" don't have a valid point here, though, I mean only nearly 1/5 of all computers, globally, will remain unpatched.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  17. Doesn't matter: Patch exists... apk by Anonymous Coward · · Score: 0

    See subject: It was out yesterday/"Patch Tuesday" -> https://www.microsoft.com/en-u... already...

    It was done for speed/performance (used to be in usermode, iirc, sub/pre IIS6 - but to keep up with Apache, they copied them, & moved it to kernelmode - & yes, they did get MORE speed that way).

    APK

    P.S.=> This article makes it SOUND as if it's "just happened & wasn't patched" which is purest b.s. - again, I had this patch yesterday already ... apk

  18. Was done for speed (fix exists too)... apk by Anonymous Coward · · Score: 0

    See subject: It was out yesterday/"Patch Tuesday" -> https://www.microsoft.com/en-u... already...

    It was done for speed/performance (used to be in usermode, iirc, sub/pre IIS6 - but to keep up with Apache, they copied them, & moved it to kernelmode - & yes, they did get MORE speed that way).

    ---

    In fact, I spoke about this, here on /., YEARS ago circa 2005 saying "MS COPIED LINUX" (when it's really apache) -> http://linux.slashdot.org/comm... WHILE I POINTED OUT THINGS Linux COPIED from MS as well!

    "Ms did something that was copied from Linux too - that's moving IIS' http.sys into kernel mode/RPL0/Ring 0 operation, since it is faster for server-side webpage data caching... " - by Anonymous Coward on Saturday August 27, 2005 @08:42AM (#13414756)

    There ya go...

    APK

    P.S.=> This article makes it SOUND as if it's "just happened & wasn't patched" which is purest b.s. - again, I had this patch yesterday already ... apk

  19. Apache does it too by Anonymous Coward · · Score: 0

    See subject, & this buddy -> http://tech.slashdot.org/comme...

    I noted it YEARS ago in 2005 (for performance purposes) -> http://linux.slashdot.org/comm...

    (Except I said it was something Linux did instead, since distros ship w/ "everything under the sun" in a post I did in 2005 in fact, showing what Linux copied from Windows (being fair, I noted what MS copied from Open SORES in Apache too)).

    APK

    P.S.=> What I didn't LIKE was how this article *TRIED* to make it sound as if this is NOT patched too, & it was yesterday on "MS Patch Tuesday" -> https://www.microsoft.com/en-u...

    ... apk

  20. XP's no longer supported... apk by Anonymous Coward · · Score: 0

    Circa 2005 I stated why this was done (Apache does same thing) -> http://linux.slashdot.org/comm... AS I POINTED OUT THINGS Linux COPIED from MS as well!

    "Ms did something that was copied from Linux too - that's moving IIS' http.sys into kernel mode/RPL0/Ring 0 operation, since it is faster for server-side webpage data caching... " - by Anonymous Coward on Saturday August 27, 2005 @08:42AM (#13414756)

    Also - See subject? Good! "Drink it in, & digest it"...

    HTTP.SYS was moved to kernelmode for speed/performance (used to be in usermode, iirc, sub/pre IIS6 - but to keep up with Apache, they copied them, & moved it to kernelmode - & yes, they did get MORE speed that way).

    In 2005, I stated "linux does it", when it's really apache, but since Linux comes with "everything under the sun" in a distro image, I'd be right most likely there too anyhow.

    Lastly, see subject: "Drink it in, & digest it...", it's fact.

    APK

    P.S.=> This article makes it SOUND as if it's "just happened & wasn't patched" which is purest b.s. - again, I had this patch yesterday already ... apk

    1. Re:XP's no longer supported... apk by BronsCon · · Score: 1

      Also - See subject? Good! "Drink it in, & digest it"...

      I've been off of XP for years, but nearly 1/5 of computers still use it. I don't see how you can say it doesn't matter that nearly 1/5 of computers in the world will go unpatched.

      This article makes it SOUND as if it's "just happened & wasn't patched"

      And the summary (which is what most of us read anyway) does not. The first two words of the article (actually some guy's blog post) are "Patching time." That's followed by a quote from the MSSB about the exploit, then "Details are withheld for now, so it's a race: patch your systems before the attackers can reverse engineer the Windows patch." The rest of the post consists of links to the MSSB and CVE for the exploit; the post was later updated with exploit details. I'm not quite sure how directly mentioning patching your systems, and saying it's a race between you (getting your systems patched) and hackers (reverse engineering the patch) implies that a patch doesn't exist; in fact it straight-up says a patch does exist.

      You know, I never understood why people seemed so annoyed by your posts. I've always found you somewhat entertaining. But, then, this is the first time you've replied to one of my posts. Now I get it. Don't you have a HOSTS file to update or something?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  21. Don't put words in my mouth I never said by Anonymous Coward · · Score: 0

    "I don't see how you can say it doesn't matter that nearly 1/5 of computers in the world will go unpatched." -

    See subject & that quoted from you above: I merely stated fact (get over it).

    ---

    "Don't you have a HOSTS file to update or something?" - by BronsCon (927697) on Thursday April 16, 2015 @11:18AM (#49485815)

    Don't you have something BETTER to show for yourself than this -> http://start64.com/index.php?o...

    "?"

    (No, you don't... & you never will - you don't have the skills necessary to create something that good )

    It's SO good, that a subsidiary of the TOP antivirus/antispyware/antimalware (malwarebytes http://www.av-test.org/en/news... per that very recent test ) on the planet's employees host & RECOMMEND it @ the top of their website-> http://hosts-file.net/?s=Downl...

    APK

    P.S.=> I find it entertaining when a "ne'er-do-well" tries to put words in my mouth I never stated, & also doesn't have a pot to piss in by comparison to wares I've done (that you never have OR will)... apk

    1. Re:Don't put words in my mouth I never said by BronsCon · · Score: 1

      See subject & that quoted from you above: I merely stated fact (get over it).

      What fact, that XP is no longer supported? I never argued that. I also stated a fact: XP is still used on ~17% of computers worldwide. I'll let you (Mr. Security Guy) soak that up.

      Don't you have something BETTER to show for yourself than this

      No, you don't... & you never will - you don't have the skills necessary to create something that good )

      I hope you choke to death on your ego. You don't know me, nor what skills I have; did it ever cross your mind that I'm not some egomaniac, like you, who needs to flaunt my "skills" to feel good about myself? Only my employer, clients, and prospective clients (none of which includes you) need to know that. Your app looks like a piece of shit out of the 90's, by the way; I'm pretty sure you have better things to do than be a dick on Slashdot (like, maybe, fix your app's UI), so why don't you do that?

      P.S.=> I find it entertaining when a "ne'er-do-well" tries to put words in my mouth I never stated, & also doesn't have a pot to piss in by comparison to wares I've done (that you never have OR will)... apk

      What words did I put in your mouth? As for the number of pots I have to piss in, not that it's relevant, but I'm in the process of upgrading to a bigger box with more piss pots as I type this. Again, you don't know me, but keep trolling. With your propensity for lashing out with unprovoked personal attacks, it's a wonder you don't spend more time in the hospital; I'm guessing you only behave so disrespectfully online? Let me tell you, it doesn't instill confidence in the quality of your software.

      I used to think you were, at least, entertaining. Then you replied to one of my comments and I suddenly lost all respect for you. Seriously, seek help dude. And there was really no need for you to make this personal, especially given that you don't know me.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  22. Don't say I said "it's not important" by Anonymous Coward · · Score: 0

    See subject: Drink it in & digest it - I never ONCE said that (you're vainly *trying* to put words in my mouth I never ONCE said, fool... no dice/no go, you FAIL... & you KNOW it).

    ---

    "I hope you choke to death on your ego." - by BronsCon (927697) on Friday April 17, 2015 @11:41AM (#49493847)

    LMAO - I knew it: You're like ALL big-mouthed trolls - lots of HOT AIR & nothing to show for it... lol!

    ---

    "You don't know me, nor what skills I have" - by BronsCon (927697) on Friday April 17, 2015 @11:41AM (#49493847)

    No, I truly DO know you: You are EXACTLY what you've shown me you are - a BLOWHARD with nothing he can demonstrate that's better than my program (& yet you *try* to put it down OR make some joke of it, lol, when the JOKE IS ON YOU, Mr. "ne'er-do-well" ZERO bigmouth!).

    ---

    "did it ever cross your mind that I'm not some egomaniac, like you, who needs to flaunt my "skills" to feel good about myself?" - by BronsCon (927697) on Friday April 17, 2015 @11:41AM (#49493847)

    No, not at all: What crossed my mind was that I KNEW I could show you're a LOT OF TALK, no action... & I was right.

    ---

    "Only my employer, clients, and prospective clients (none of which includes you) need to know that." - by BronsCon (927697) on Friday April 17, 2015 @11:41AM (#49493847)

    Really? Where are they?? My guess??? They don't exist... just like your "program" doesn't, lol!

    ---

    "Your app looks like a piece of shit out of the 90's, by the way;" - by BronsCon (927697) on Friday April 17, 2015 @11:41AM (#49493847)

    Really? Let's see yours to compare to it then... oh, that's RIGHT: YOU DON'T HAVE ONE! All you've got is being a troll that's all out of gas (or rather BLOWHARD hot-air, lol!)!

    * PROVE OTHERWISE - show me.

    ---

    "I'm pretty sure you have better things to do than be a dick on Slashdot (like, maybe, fix your app's UI), so why don't you do that?" - by BronsCon (927697) on Friday April 17, 2015 @11:41AM (#49493847)

    Speak for yourself: What are YOU doing, asswipe?

    APK

    P.S.=> Clue: BEING A NITPICKING DICK that tried to put words in my mouth I NEVER ONCE STATED & also proving yourself a bigmouth with nothing to show that's better than my stuff is... period... apk