Microsoft publishes security alert on IIS bug that causes 100% CPU usage spikes

[ FEB 22, 2019 ]

The Microsoft Security Response Center yesterday published a security advisory about a denial-of-service (DoS) issue impacting IIS (Internet Information Services), Microsoft’s web server technology.

According to Microsoft, IIS servers shipped with Windows 10 and Windows Server 2016 are impacted by a vulnerability when processing HTTP/2 requests.

HTTP/2 is the latest version of the HTTP protocol that underpins what’s known as the World Wide Web (www), the part of the internet that regular users can access in their browsers.

Microsoft says that there are circumstances in which IIS servers processing HTTP/2 requests can cause CPU usage to spike to 100 percent, effectively blocking or slowing down the entire system.

Cyber Security Tips:

  • Cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029 were released two days ago to address the IIS DoS bug.
  • After applying the updates, IIS administrators will be able to customize the HTTP/2 SETTINGS threshold and prevent the bug from freezing IIS web services.


