Important Note: Critical Vulnerability in Microsoft’s HTTP.sys
On its Patch Tuesday in May, Microsoft released a security update that resolves a vulnerability (CVE-2021-31166) which could allow remote code execution in Window’s http.sys kernel module. According to Microsoft, only versions 2004 and 20H2 of Windows 10 and Windows Server are affected.
The http.sys kernel module is responsible for handling HTTP requests in Microsoft Windows. In addition to Microsoft’s Internet Information Server (IIS), many other programs may use this module indirectly to provide a webserver on Windows platforms. MailStore Server and the MailStore Service Provider Edition (SPE) also belong to that group whereas MailStore Gateway does not.
Customers, who use MailStore Web Access or MailStore Outlook Add-in to access their archives, are strongly recommended to apply the appropriate Windows Update on the MailStore Server system as soon as possible – notably in case MailStore is accessible from the Internet. Service Providers using the MailStore SPE should also deploy this update on their servers as soon as possible.
Further information regarding the vulnerability and how to obtain the required update are available in the Microsoft Security Response Center.