Microsoft flags IIS flaw that could lead to 100% CPU usage spikes when exploited

The DoS vulnerability involves sending malicious HTTP/2 connections that can slow down or freeze users' systems

Photo of a Microsoft building with clouds in view

Microsoft has released a security alert outlining a vulnerability with its web server technology that, if exploited, could block or slow down the entire system.

The denial of service (DoS) issue, first detected by F5 Networks' Gal Goldshtein, affects HTTP/2 connections to the Microsoft's Internet Information Services (IIS) platform, built for use with the Windows NT operating system.

Malicious HTTP/2 requests can be sent to a Windows Server running IIS, which would lead to the systems CPU usage to spike to 100% until the malicious connections are killed by IIS, the firm outlined in its advisory published yesterday.

"The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters," the security alert said.

"In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed."

Microsoft has not identified any mitigations or workaround as of yet, but are advising users to install a February 'non-security update', and review a 'knowledge base article', which at the time of writing links to a 404 page-not-found error message.

The firm has also attempted to mitigate the vulnerability by giving users the functionality to define thresholds on settings parameters included in an HTTP/2 request.

After patching their systems with recently-released cumulative updates, Microsoft added, system administrators can customise the HTTP/2 settings threshold and prevent the bug from slowing down or blocking their IIS web services.

Microsoft has had to contend with a number of high profile vulnerabilities recently, especially during the rollout of major upgrades to its Windows 10 operating system. This has led to the firm already commencing early beta testing for a major update due in 2020, much earlier than the process would normally begin.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Cisco to acquire threat intelligence provider Kenna Security
Acquisition

Cisco to acquire threat intelligence provider Kenna Security

14 May 2021
What is Microsoft Edge? Everything you need to know
web browser

What is Microsoft Edge? Everything you need to know

14 May 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

14 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell XPS 17 (2021) review: A big laptop for big jobs
Laptops

Dell XPS 17 (2021) review: A big laptop for big jobs

10 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021