Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

It's patching time again for Windows Server 2016 and Windows 10

By Richard Speed


Updated Oops! Microsoft has published an advisory on a bug in its Internet Information Services (IIS) product that allows a malicious HTTP/2 request to send CPU usage to 100 per cent.

An anonymous Reg reader tipped us off to the advisory, ADV190005, which warns that the condition can leave the system CPU usage pinned to the ceiling until IIS kills the connection.

In other words, a denial of service (DoS).

HTTP/2 is a major update to the venerable HTTP protocol used by the World Wide Web and is geared toward improving performance, among other changes. Windows Server 2016 was the first Microsoft server product to support it, and Windows 10 (versions 1607 – 1803) is affected by the issue.

The problem, according to Microsoft, is that the HTTP/2 spec allows a client to specify any number of SETTINGS frames with any number of SETTINGS parameters. Those parameters usually include helpful stuff like the characteristics of the sending peer, and different values for the same parameter can be advertised by each peer.

Excessive settings can make things go a bit wobbly as IIS works on the request and sends the CPU usage sky high until a connection timeout is reached and the connection closed.

The good news is that this week's "non-security update" deals with the problem. Microsoft flung out patches on 19 February in the form of KB4487006, KB4487011, KB4487021 and KB4487029 to deal with it.

The company has added the ability to set thresholds on the number of HTTP/2 SETTINGS in a request but has declined to set any defaults, leaving it to the IIS Admin to configure.
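The advisory says the protocol lets a client send any number of SETTINGS frames carrying any number of parameters, and the patch answers with admin-set thresholds. As an added illustration that is not the article's or Microsoft's code, the Python below parses raw HTTP/2 frames and applies that kind of per-connection limit; the threshold values and the frame-building helper used for the constructed sample input are assumptions.

```python
import struct

SETTINGS_FRAME = 0x4   # frame type for SETTINGS (RFC 7540 section 6.5)
ACK_FLAG = 0x1
HEADER_LEN = 9         # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id

def build_settings_frame(params, flags=0):
    """Encode one SETTINGS frame on stream 0. Helper for constructing sample input."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in params)
    return (struct.pack("!I", len(payload))[1:]      # 3-byte length
            + bytes([SETTINGS_FRAME, flags])
            + struct.pack("!I", 0)                   # stream identifier 0
            + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string.
    Assumes the 24-byte connection preface has already been consumed."""
    off = 0
    while off + HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + HEADER_LEN:off + HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += HEADER_LEN + length

def check_settings(data, max_frames, max_params):
    """Count SETTINGS frames and parameters on a connection against thresholds.
    Returns (frames, params, verdict) with verdict 'ok', 'malformed' or 'over-threshold'."""
    frames = params = 0
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype != SETTINGS_FRAME:
            continue
        # Spec rules: stream 0 only, ACK carries no payload, payload is 6-byte entries
        if stream_id != 0 or (flags & ACK_FLAG and payload) or len(payload) % 6:
            return frames, params, "malformed"
        frames += 1
        params += len(payload) // 6
        # Stop as soon as either assumed threshold is crossed, rather than keep parsing
        if frames > max_frames or params > max_params:
            return frames, params, "over-threshold"
    return frames, params, "ok"
```

A server-side guard would drop the connection on "malformed" or "over-threshold" instead of letting the parser grind through the remaining frames.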

This is assuming that administrators can actually find the setting. The link for the Knowledge Base article (KB4491420) that Microsoft suggested users review went nowhere at the time of writing, and the current documentation for IIS cheerfully tells admins that there are no new configuration settings specific to HTTP/2.

We've contacted Microsoft to learn more and will update with any response.

The issue itself was discovered by Gal Goldshtein of F5 Networks. ®

Updated to add at 15:13 UTC

After we brought the broken link to its attention, Microsoft posted the support article detailing how to define those pesky thresholds.

Alas, there is no cosy GUI for admins. You'll need to edit a couple of registry entries and reboot to see the thresholds applied. As promised, Microsoft is not about to define any presets for the values. It's up to the admin to decide.
