Microsoft has fixed a dangerous bug in Internet Information Services (IIS) with its May "Patch Tuesday" updates, which received the identifier CVE-2021-31166. This vulnerability is one of the most serious issues fixed this month (9.8 out of 10 on the CVSS v3 scale).

The vulnerability is related to corruption of information in the memory of the HTTP protocol stack, which is included in all recent versions of Windows. This stack is used by Windows IIS server. If this server is enabled, an attacker can send a specially crafted packet to server and execute malicious code at the kernel execution level. Microsoft also warned that the vulnerability is wormable, in other words, it can be used to create malware auto-spreading between servers.

Last weekend, cybersecurity researcher Axel Souchet released a PoC exploit for CVE-2021-31166. The exploit's capabilities are limited: it does not allow to create complete worm, it only allows to crash an unpatched Windows system running an IIS server.

This vulnerability impacts only the latest versions of OS: Windows 10 versions 2004 and 20H2, and Windows Server versions 2004 and 20H2. Microsoft reminds that upgrade installation should not be delayed.

Source: xakep.ru