Tom Talks Microsoft Teams and Skype for Business thoughts and news

MS15-034 / KB3042553 IIS Vulnerability affects Lync Servers: Get Patching Now

An Internet Information Server (IIS) vulnerability can be used to remotely crash Windows Servers. The patch was released on Tuesday (April 14th) as part of Microsoft’s Patch Tuesday.

Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 are all affected. HTTP.sys is used by any version of IIS running on one of these operating systems. HTTP.sys was introduced with IIS 6.

Patch details:

MSFT Security Bulletin:

Details from SANS:


Patch download:

Download 2012 and R2:

Download 2008 R2:


You could look at using reverse proxy rules to block this malformed URL request, but that appears to be pretty complicated. It is best to get the patch out as soon as you can. The patch requires a server restart.

This is not a Lync code issue, but because Lync Servers use IIS and serve HTTPS content, it does affect them. Logically it should mainly affect Front End/Standard Edition servers and Office Web Apps, but it probably makes sense to patch the whole estate.


Proof of Concept

I have replicated the issue in my lab with curl and a specifically crafted URL (which I won’t post, as it took a little more crafting than what is public, but not much).



Running the curl GET against the pool with no credentials to the Server/Lync:


System then reboots:



Requires Reboot

Verify Install (PowerShell):

Get-HotFix | Where-Object {$_.HotFixID -eq "KB3042553"}
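
To run the same check across the whole estate and confirm each server has restarted since the install, here is an added example (not part of the original post). It assumes Windows PowerShell 3.0 to 5.1 on an admin workstation with WMI/DCOM access to the targets; the server names are placeholders.

```powershell
# Added example: placeholder server names, replace with your own estate.
$Servers = @('fe01.example.local', 'fe02.example.local', 'owa01.example.local')
$KB      = 'KB3042553'   # hotfix ID from this post

$report = foreach ($server in $Servers) {
    $row = [ordered]@{
        Server = $server; Reachable = $false; Patched = $false
        InstalledOn = $null; LastBoot = $null; RebootedSinceInstall = $null; Error = $null
    }
    try {
        # Same filter as the single-server check, run remotely.
        # Listing all hotfixes and filtering keeps "not installed" (empty result)
        # distinct from "could not query" (exception).
        $fix = Get-HotFix -ComputerName $server -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $KB } |
               Select-Object -First 1
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop

        $row.Reachable = $true
        # WMI returns the boot time as a DMTF string; convert it to a DateTime.
        $row.LastBoot  = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

        if ($fix) {
            $row.Patched = $true
            # InstalledOn can be empty, and only has day granularity,
            # so the reboot comparison is an approximation.
            if ($fix.InstalledOn) {
                $row.InstalledOn = $fix.InstalledOn
                $row.RebootedSinceInstall = ($row.LastBoot -ge $fix.InstalledOn)
            }
        }
    }
    catch {
        # Unreachable host, firewall, or access denied: record it rather than
        # silently treating the server as unpatched.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Full table, then the servers that still need attention.
$report | Sort-Object Patched, Server | Format-Table -AutoSize
$report | Where-Object { -not $_.Patched -or $_.RebootedSinceInstall -eq $false } |
    Select-Object Server, Reachable, Patched, LastBoot, Error
```

Servers listed with `Reachable` false need to be checked by hand, since no patch state could be read from them.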



After install the crafted URL had no impact:


About the author

Tom Arbuthnot

Tom Arbuthnot is Principal Solutions Architect at Unified Communications specialist Modality Systems. He is a Microsoft Certified Master and MVP, blogger, has a regular podcast with UCToday at and is a regular speaker at events including Microsoft TechEd and Ignite. He co-runs The Microsoft UC User Group London.

