IIS Vulnerability Can Make CPU Usage Spike: Microsoft Scrambles For A Fix

Microsoft has released a security alert describing a vulnerability in its IIS (Internet Information Services) web server that, if exploited, could slow down or block the entire system.

The Microsoft Security Response Center published a security advisory describing a denial-of-service (DoS) condition affecting the company's web server software.

According to Microsoft, there are circumstances in which IIS servers processing HTTP/2 requests can see CPU usage spike to 100 percent, and it stays there until the malicious connections are closed by IIS.

Microsoft said the issue affects the IIS versions shipped with Windows 10 and Windows Server 2016, describing it as follows:

"The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed."

Microsoft has not yet identified any mitigations or workarounds, but is advising users to install a February 'non-security update'.

This adds the ability to define thresholds on the number of SETTINGS parameters included in an HTTP/2 request.

With the update, IIS server administrators can customize the HTTP/2 SETTINGS threshold to prevent the bug from freezing IIS web services.

"Thresholds must be defined by the IIS administrator," the company said, "they are not preset by Microsoft."
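To make the threshold idea concrete, here is a small added example (not Microsoft's or IIS's code) that parses raw HTTP/2 frames and applies an administrator-defined limit on SETTINGS parameters. The frame layout follows RFC 7540 (a 9-byte frame header and 6-byte SETTINGS entries); the two counters (parameters per frame and per connection), the limit values and the sample byte streams are all assumptions constructed for illustration, since the article does not say which counters the IIS update actually exposes.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# HTTP/2 framing constants (RFC 7540 sections 4.1 and 6.5)
FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ENTRY_LEN = 6        # 16-bit identifier followed by a 32-bit value


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> list[Frame]:
    """Split a raw HTTP/2 byte stream (after the connection preface) into frames."""
    frames: list[Frame] = []
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        hdr = data[offset:offset + FRAME_HEADER_LEN]
        length = int.from_bytes(hdr[0:3], "big")
        ftype, flags = hdr[3], hdr[4]
        stream_id = struct.unpack(">I", hdr[5:9])[0] & 0x7FFFFFFF  # high bit is reserved
        start = offset + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        frames.append(Frame(length, ftype, flags, stream_id, payload))
        offset = start + length
    return frames


def settings_entries(frame: Frame) -> list[tuple[int, int]]:
    """Decode the (identifier, value) pairs carried by a SETTINGS frame."""
    if frame.ftype != SETTINGS_FRAME_TYPE:
        raise ValueError("not a SETTINGS frame")
    if frame.length % SETTINGS_ENTRY_LEN:
        # RFC 7540 section 6.5: a payload that is not a multiple of 6 is a FRAME_SIZE_ERROR
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
    return [struct.unpack(">HI", frame.payload[i:i + SETTINGS_ENTRY_LEN])
            for i in range(0, frame.length, SETTINGS_ENTRY_LEN)]


def check_settings_threshold(data: bytes, max_per_frame: int,
                             max_per_connection: int) -> tuple[bool, str]:
    """Apply an administrator-defined threshold to SETTINGS parameters.

    Two illustrative counters (both assumptions for this example): parameters in
    any single frame, and the running total across the connection. Returns
    (accepted, reason); a rejected connection would be closed immediately
    instead of being processed until the connection timeout is reached.
    """
    total = 0
    for frame in parse_frames(data):
        if frame.ftype != SETTINGS_FRAME_TYPE:
            continue
        count = len(settings_entries(frame))
        if count > max_per_frame:
            return False, f"{count} SETTINGS parameters in one frame exceeds {max_per_frame}"
        total += count
        if total > max_per_connection:
            return False, f"{total} SETTINGS parameters on the connection exceeds {max_per_connection}"
    return True, "ok"


def build_settings_frame(entries: list[tuple[int, int]]) -> bytes:
    """Encode a SETTINGS frame on stream 0 (used here only to build sample input)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, 0x0])   # type, flags
              + (0).to_bytes(4, "big"))             # stream id 0
    return header + payload


# Constructed sample traffic, not captured from any real server.
# A typical client handshake: two parameters in a single SETTINGS frame.
BENIGN_STREAM = build_settings_frame([(0x3, 100), (0x4, 65535)])
# An excessive stream: many SETTINGS frames, each repeating the same parameter.
EXCESSIVE_STREAM = b"".join(build_settings_frame([(0x4, 65535)] * 8) for _ in range(40))


if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("excessive", EXCESSIVE_STREAM)):
        accepted, reason = check_settings_threshold(stream, max_per_frame=10,
                                                    max_per_connection=100)
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The point of the per-connection counter is the one the article makes: without a limit, the server keeps processing every parameter the client sends until the idle timeout closes the connection, so the threshold has to be set by whoever knows what legitimate clients on that server actually send.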

(Image: Microsoft IIS updates.) Microsoft recommends that all users install the February non-security updates.

HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web, introduced in 2015.

It was derived from the earlier experimental SPDY protocol, originally developed by Google, and was developed further by the Hypertext Transfer Protocol working group (httpbis) of the Internet Engineering Task Force.

HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in 1997.

Now the standard for the modern web, the protocol is supported by the Chrome, Opera, Firefox, Internet Explorer 11, Safari, Amazon Silk, and Edge browsers.

Almost all major browsers had added HTTP/2 support by the end of 2015.

This bug adds to a long list of high-profile vulnerabilities discovered after the rollout of major upgrades to Microsoft's Windows 10 operating system.

The bug was found by Gal Goldshtein, a software engineer with F5 Networks. According to Microsoft's security advisory, there are no other public details available about this vulnerability.