Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

It's patching time again for Windows Server 2016 and Windows 10

By Richard Speed


Updated Oops! Microsoft has published an advisory on a bug in its Internet Information Services (IIS) product that allows a malicious HTTP/2 request to send CPU usage to 100 per cent.

An anonymous Reg reader tipped us off to the advisory, ADV190005, which warns that the condition can leave the system CPU usage pinned to the ceiling until IIS kills the connection.

In other words, a Denial of Service (DoS).

HTTP/2 is a major update to the venerable HTTP protocol used by the World Wide Web and is geared toward improving performance, among other changes. Windows Server 2016 was the first Microsoft server product to support it, and Windows 10 (versions 1607 – 1803) is affected by the issue.

The problem, according to Microsoft, is that the HTTP/2 spec allows a client to specify any number of SETTINGS frames with any number of SETTINGS parameters. Those parameters usually include helpful stuff like the characteristics of the sending peer, and different values for the same parameter can be advertised by each peer.

Excessive settings can make things go a bit wobbly as IIS works on the request and sends the CPU usage sky high until a connection timeout is reached and the connection closed.

The good news is that this week's "non-security update" deals with the problem. Microsoft flung out patches on 19 February in the form of KB4487006, KB4487011, KB4487021 and KB4487029 to deal with it.

The company has added the ability to set thresholds on the number of HTTP/2 SETTINGS in a request but has declined to set any defaults, leaving it to the IIS Admin to configure.

This is assuming that administrators can actually find the setting. The link for the Knowledge Base article (KB4491420) that Microsoft suggested users review went nowhere at the time of writing, and the current documentation for IIS cheerfully tells admins that there are no new configuration settings specific to HTTP/2.

We've contacted Microsoft to learn more and will update with any response.

The issue itself was discovered by Gal Goldshtein of F5 Networks. ®

Updated to add at 15:13 UTC

After we brought the broken link to its attention, Microsoft posted the support article detailing how to define those pesky thresholds.

Alas, there is no cosy GUI for admins. You'll need to edit a couple of registry entries and reboot to see the thresholds applied. As promised, Microsoft is not about to define any presets for the values. It's up to the admin to decide.
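To make the idea of SETTINGS thresholds concrete, here is an added sketch (not Microsoft's implementation and not part of the original article) of a per-connection limiter that counts SETTINGS parameters from the HTTP/2 frame headers. The two limits, the 60-second window and all names are assumptions of this example; the sample frames are constructed.

```python
import struct

SETTINGS = 0x4            # HTTP/2 frame type for SETTINGS (RFC 7540, section 6.5)
# Hypothetical limits for this example; the article notes no defaults are shipped.
MAX_PER_FRAME = 32        # parameters allowed in a single SETTINGS frame
MAX_PER_WINDOW = 128      # parameters allowed per connection per window
WINDOW_SECONDS = 60.0

def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame (9-byte header + payload) for the constructed samples."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def settings_payload(n):
    """n constructed parameters: identifier 0x3 (MAX_CONCURRENT_STREAMS), value 100."""
    return struct.pack(">HI", 0x3, 100) * n

class SettingsLimiter:
    """Tracks SETTINGS parameters seen on one connection and decides when to close it."""

    def __init__(self):
        self.seen = []    # (timestamp, parameter_count) for each SETTINGS frame

    def check(self, data, now):
        """Walk the complete frames in data; return "ok" or the reason to close."""
        pos = 0
        while pos + 9 <= len(data):
            length = int.from_bytes(data[pos:pos + 3], "big")
            ftype = data[pos + 3]
            pos += 9
            if pos + length > len(data):
                break     # partial frame: a real server would wait for more bytes
            pos += length
            if ftype != SETTINGS:
                continue
            if length % 6:
                return "malformed SETTINGS frame"   # each parameter is 6 bytes
            count = length // 6   # an ACK carries no payload, so it counts as 0
            if count > MAX_PER_FRAME:
                return "too many settings in one frame"
            # Forget frames older than the window, then add this one.
            self.seen = [(t, c) for t, c in self.seen if now - t < WINDOW_SECONDS]
            self.seen.append((now, count))
            if sum(c for _, c in self.seen) > MAX_PER_WINDOW:
                return "too many settings in this window"
        return "ok"
```

Both decisions are made from the 24-bit length in the frame header, so an oversized frame is rejected before any per-parameter processing takes place.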
