New security advisory by Microsoft addresses HTTP/2 vulnerability in IIS web servers

• The vulnerability can cause a CPU usage spike upto 100 percent if abused by malicious HTTP/2 requests sent to a Windows server running IIS.
• To resolve this, Microsoft has recommended installing the updates released this month.

Internet Information Services (IIS), an extensible web server by Microsoft is affected by a bug that allows malicious HTTP/2 requests to severely affect its performance. These server requests could gradually increase the CPU usage to 100 percent for a Windows server running IIS.

In a security advisory released yesterday, Microsoft has addressed this issue in detail. It has mentioned that Windows servers running IIS are vulnerable. The tech giant has addressed this bug through its 14 updates released for Windows OS and Windows servers.

New threshold setting to prevent abuse

Micrsoft explained the issue in the advisory stating, “The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed."

Furthermore, it added that, "To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator, they are not preset by Microsoft.”

HTTP/2, which is a revamped version of the popular HTTP, has a number of advantages over the latter. Its ability to send multiple requests in a TCP connection leads to a faster website response. In addition, it follows the binary protocol instead of text protocol, thus ensuring effective network resource utilization. All these advantages make it attractive for attackers to deploy web-based attacks such as denial-of-service.