Security experts today called for Windows users to immediately patch one of the 26 vulnerabilities Microsoft disclosed two days ago.
SANS' Internet Storm Center (ISC) raised its threat level to Yellow as a signal of the seriousness of the bug, which is now being actively used in "Internet wide" scans to crash Windows systems. Among the more recent incidents that triggered a Yellow alert from the ISC was last year's Heartbleed vulnerability
"We are seeing active exploits hitting our honeypots," SANS said in a warning on its website.
Microsoft released a patch for the now-exploited vulnerability on Tuesday as part of its monthly security slate. The update, designated MS15-034, was rated "critical," Microsoft's most serious threat level.
Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 are affected by the flaw, Microsoft said.
Since Tuesday, when Microsoft issued MS15-034 -- along with 10 other bulletins, three of which were also rated critical -- proof-of-concept (PoC) code has begun circulating on the Web, and as SANS said, is being used to crash vulnerable machines.
The patch-now urgency being pressed by security analysts and researchers stemmed not only from the known targets -- Windows systems, largely servers, running IIS (Internet Information Systems), Microsoft's Web server software -- but also because there is much unknown about the extent of the threat to the wider Windows ecosystem.
"It does affect all Windows systems that have software which accepts HTTP requests on Windows," said Johannes Ullrich, who heads the ISC. "[But] the library that is affected, HTTP.sys, is used by software other then IIS."
That's the problem, echoed Chet Wisniewski, a security researcher with Sophos. "There are so many things that could impact this," said Wisniewski. "Lync, for example, uses HTTP as a transport. I suspect that the patch-now calls are because we really can't define all the possible threats, since we can't say what may be on your machine."
In other words, although IIS servers are most at risk -- and are currently being targeted by the rudimentary attack code -- many other Windows systems may be as well.
Wisniewski cautioned against overreacting, however. "I think this would be minimized on a client," he said, referring to end user machines running Windows 7, 8 or 8.1. IIS is not enabled by default on those devices. "Clients are unlikely to have [an HTTP] listener activated."
Another security professional criticized Microsoft for leaving customers in the dark. "If only Microsoft still had a few SRD employees, there would be a useful blog post from them to definitively answer all this," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. SRD (Security Research & Defense) was a Microsoft blog, staffed by Microsoft security engineers, that provided detailed information about select security updates.
Sign up for CIO Asia eNewsletters.