Just to clarify to everyone that this vulnerability has absolutely nothing to do... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		nbevans on April 16, 2015 \| parent \| context \| favorite \| on: Remote Kernel Code Execution Via HTTP Request In I... Just to clarify to everyone that this vulnerability has absolutely nothing to do with IIS web server. HTTP.SYS is not part of IIS. HTTP.SYS is the way HTTP/S hosting works on Windows. Any applications may use it, it is an API. HTTP.SYS is a clever idea as it allows the 80/443 ports to be used by multiple processes, as long as they register unique base URLs. What's not so clever about it is that despite rigorous testing and validation against its codebase, that something like this slipped through. Historically, HTTP.SYS has had a pretty good track record (against all the odds) until this week.

jenscow on April 16, 2015 [–]

So, IIS doesn't use http.sys?

nbevans on April 16, 2015 | [–]

It does. But this vulnerability is specifically with HTTP.SYS. HTTP.SYS is kind of like a SSL terminator and request router built into the OS.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact