
Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

It's patching time again for Windows Server 2016 and Windows 10


Updated Oops! Microsoft has published an advisory on a bug in its Internet Information Services (IIS) product that allows a malicious HTTP/2 request to send CPU usage to 100 per cent.

An anonymous Reg reader tipped us off to the advisory, ADV190005, which warns that the condition can leave the system CPU usage pinned to the ceiling until IIS kills the connection.

In other words, a denial of service (DoS).

HTTP/2 is a major update to the venerable HTTP protocol used by the World Wide Web and is geared toward improving performance, among other changes. Windows Server 2016 was the first Microsoft server product to support it, and Windows 10 (versions 1607 – 1803) is affected by the issue.

The problem, according to Microsoft, is that the HTTP/2 spec allows a client to specify any number of SETTINGS frames with any number of SETTINGS parameters. Those parameters usually include helpful stuff like the characteristics of the sending peer, and different values for the same parameter can be advertised by each peer.

Excessive settings can make things go a bit wobbly as IIS works on the request and sends the CPU usage sky high until a connection timeout is reached and the connection is closed.

The good news is that this week's "non-security update" deals with the problem. Microsoft flung out patches on 19 February in the form of KB4487006, KB4487011, KB4487021 and KB4487029 to deal with it.

The company has added the ability to set thresholds on the number of HTTP/2 SETTINGS in a request but has declined to set any defaults, leaving it to the IIS Admin to configure.
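As an added example (not Microsoft's or IIS's own code) of the kind of threshold the patch lets admins set on the SETTINGS frames described above, the Python below parses raw HTTP/2 frames, counts parameters per SETTINGS frame and SETTINGS frames per connection, and rejects the connection as soon as either assumed limit is exceeded rather than grinding through every parameter. The limit values, helper names and constructed test frames are all assumptions, since Microsoft publishes no defaults.

```python
import struct

# HTTP/2 frame layout (RFC 7540): a 9-byte header carries a 24-bit length,
# 8-bit type, 8-bit flags and a 31-bit stream id. A SETTINGS frame (type 0x4)
# payload is a list of 6-byte entries: 16-bit identifier + 32-bit value.
FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
SETTINGS_ENTRY_LEN = 6
ACK_FLAG = 0x1


def settings_frame(params, ack=False):
    """Encode (identifier, value) pairs as one SETTINGS frame on stream 0 (constructed input)."""
    payload = b"" if ack else b"".join(struct.pack("!HI", i, v) for i, v in params)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, ACK_FLAG if ack else 0]) + bytes(4)
    return header + payload


def settings_param_count(frame):
    """Return the parameter count of a raw frame, or 0 if it is not a non-ACK SETTINGS frame."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    if ftype != SETTINGS_TYPE or flags & ACK_FLAG:
        return 0
    if len(frame) - FRAME_HEADER_LEN != length or length % SETTINGS_ENTRY_LEN:
        raise ValueError("malformed SETTINGS payload")
    return length // SETTINGS_ENTRY_LEN


def check_connection(frames, max_params_per_frame=32, max_frames=16):
    """Apply per-connection thresholds (assumed values; IIS ships no defaults).

    Stops at the first frame that breaks a limit, the way a server would drop
    the connection instead of processing every parameter it was sent.
    Returns (verdict, SETTINGS frames counted, parameters counted).
    """
    frames_seen = params_seen = 0
    for frame in frames:
        count = settings_param_count(frame)
        if count == 0:
            continue
        frames_seen += 1
        params_seen += count
        if count > max_params_per_frame or frames_seen > max_frames:
            return ("reject", frames_seen, params_seen)
    return ("accept", frames_seen, params_seen)
```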

This is assuming that administrators can actually find the setting. The link for the Knowledge Base article (KB4491420) that Microsoft suggested users review went nowhere at the time of writing, and the current documentation for IIS cheerfully tells admins that there are no new configuration settings specific to HTTP/2.

We've contacted Microsoft to learn more and will update with any response.

The issue itself was discovered by Gal Goldshtein of F5 Networks. ®

Updated to add at 15:13 UTC

After we brought the broken link to its attention, Microsoft posted the support article detailing how to define those pesky thresholds.

Alas, there is no cosy GUI for admins. You'll need to edit a couple of registry entries and reboot to see the thresholds applied. As promised, Microsoft is not about to define any presets for the values. It's up to the admin to decide.
