Skip to main content

Microsoft Windows Updates for MS15-034 and MS15-041


On April 14, 2015, Microsoft released an update to address a critical vulnerability in the HTTP protocol stack, HTTP.sys

SecureAuth recommends all customers apply the security update MS15-034 (KB3042553) to SecureAuth IdP Appliances within their infrastructure as soon as possible.Security experts, including the SANS Institute, have warned of publicly available denial-of-service exploits targeting Microsoft IIS Web servers in the wild.

Applies to

SecureAuth IdP Version

OS Version


  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2


MS15-034: HTTP.sys Remote Code Execution Vulnerability – April 14, 2015

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account. To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system.


Apply MS15-034 Update as soon as possible – This update addresses the vulnerability by modifying how the Windows HTTP stack handles requests

Visit the SecureAuth Service Status & Alerts page for cloud services status, patching information and alerts


SANS Institute

MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. PATCH NOW

Windows HTTP Protocol Stack Flaw is Being Actively Exploited (April 16, 2015)


MS15-034: HTTP.sys Remote Code Execution Vulnerability - April 14, 2015

Microsoft Security Bulletin MS15-034 - Critical