It seems to me that if you're running a vulnerable high-value server, the only option for you as an IT admin is to completely wipe the host hard drive and install everything from scratch--and even that may not be enough. Remote kernel code execution means an attacker could install malicious drivers, mess with device firmware, or do pretty much anything else the Windows kernel could do, no? It's a gamble to simply patch the server and hope you weren't already compromised; after all, how does one detect that remote kernel code execution occurred?

In a virtualized environment, I imagine blowing away any disks/volumes should be enough to recover from a potentially compromised system. That said, new Windows volumes (say, on EC2) should be created without inbound HTTP access, patched, and only then allowed to serve HTTP traffic.
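One way to script the build-in-isolation step described in the comment above, as an added example that is not part of the original post. It uses the AWS Tools for PowerShell (AWS.Tools.EC2 and AWS.Tools.SimpleSystemsManagement) with credentials and a default region already configured; the VPC, subnet, AMI and instance-profile values are placeholders, and the instance profile is assumed to carry the AmazonSSMManagedInstanceCore policy so that patching can run over the SSM agent's outbound channel rather than over any inbound port. Port 80 is opened only after the patch run reports success.

```powershell
#Requires -Modules AWS.Tools.EC2, AWS.Tools.SimpleSystemsManagement
# Added example (not the commenter's code): launch a Windows EC2 instance with an
# empty security group, patch it through SSM, then open inbound HTTP.

$VpcId       = 'vpc-0123456789abcdef0'     # placeholder
$SubnetId    = 'subnet-0123456789abcdef0'  # placeholder
$AmiId       = 'ami-0123456789abcdef0'     # placeholder Windows Server AMI
$ProfileName = 'ssm-managed-instance'      # placeholder instance profile (assumed to allow SSM)

# 1. Security group with no inbound rules at all. The SSM agent only makes
#    outbound calls, so the unpatched host is unreachable from the internet.
$sgId = New-EC2SecurityGroup -GroupName 'web-quarantine' `
                             -Description 'No inbound until patched' `
                             -VpcId $VpcId

# Sanity check: a freshly created group has no ingress permissions.
$sg = Get-EC2SecurityGroup -GroupId $sgId
if ($sg.IpPermissions.Count -ne 0) { throw "Security group $sgId already has inbound rules" }

# 2. Launch the instance into that group.
$reservation = New-EC2Instance -ImageId $AmiId -InstanceType 't3.medium' `
                               -SubnetId $SubnetId -SecurityGroupId $sgId `
                               -IamInstanceProfile_Name $ProfileName `
                               -MinCount 1 -MaxCount 1
$instanceId = $reservation.Instances[0].InstanceId

# Wait until the SSM agent on the instance checks in.
$filter = New-Object Amazon.SimpleSystemsManagement.Model.InstanceInformationStringFilter
$filter.Key = 'InstanceIds'
$filter.Values = @($instanceId)
do {
    Start-Sleep -Seconds 15
    $info = Get-SSMInstanceInformation -Filter $filter
} until ($info -and $info.PingStatus -eq 'Online')

# 3. Patch over SSM using the managed AWS-RunPatchBaseline document,
#    rebooting if the updates require it.
$cmd = Send-SSMCommand -InstanceId $instanceId `
                       -DocumentName 'AWS-RunPatchBaseline' `
                       -Parameter @{ Operation = 'Install'; RebootOption = 'RebootIfNeeded' }
do {
    Start-Sleep -Seconds 30
    $inv = Get-SSMCommandInvocation -CommandId $cmd.CommandId -InstanceId $instanceId
} while ($inv.Status -in @('Pending', 'InProgress', 'Delayed'))
if ($inv.Status -ne 'Success') {
    throw "Patching on $instanceId ended with status '$($inv.Status)'; leaving port 80 closed"
}

# 4. Only now allow inbound HTTP.
$perm = New-Object Amazon.EC2.Model.IpPermission
$perm.IpProtocol = 'tcp'
$perm.FromPort   = 80
$perm.ToPort     = 80
$perm.Ipv4Ranges.Add((New-Object Amazon.EC2.Model.IpRange -Property @{ CidrIp = '0.0.0.0/0' }))
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $perm

Write-Host "Instance $instanceId patched; HTTP opened on security group $sgId"
```

Because the script throws before the Grant-EC2SecurityGroupIngress call if the patch run does not finish with Success, a failed or timed-out update leaves the instance with no inbound path, which is the safe default for the situation the comment describes.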


