[ FEB 22, 2019 ]
The Microsoft Security Response Center yesterday published a security advisory about a denial-of-service (DoS) issue affecting IIS (Internet Information Services), Microsoft’s web server technology.
According to Microsoft, IIS servers shipped with Windows 10 and Windows Server 2016 are impacted by a vulnerability when processing HTTP/2 requests.
HTTP/2 is the latest version of the HTTP protocol that underpins what’s known as the World Wide Web (www), the part of the internet that regular users can access in their browsers.
Microsoft says that under certain circumstances, IIS servers processing HTTP/2 requests can see CPU usage spike to 100 percent, effectively blocking or slowing down the entire system.
Cyber Security Tips:
- Cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029 were released two days ago to address the IIS DoS bug.
- After applying the updates, IIS administrators will be able to customize the HTTP/2 SETTINGS threshold and prevent the bug from freezing IIS web services.
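
What a SETTINGS threshold means at the protocol level, as an added example that is not from the original article and is not Microsoft's implementation: it walks HTTP/2 frames (RFC 7540 layout) and flags a connection that sends too many SETTINGS parameters in one frame or in one observation window. The limit values, function names and sample frames are assumptions constructed for illustration.

```python
import struct

SETTINGS = 0x4   # HTTP/2 frame type for SETTINGS (RFC 7540, section 6.5)
ACK = 0x1        # SETTINGS flag: acknowledgement, carries no parameters

# Hypothetical limits chosen for this example; these are not IIS defaults.
MAX_PER_FRAME = 32
MAX_PER_WINDOW = 64


def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def settings_frame(n_params):
    """Constructed SETTINGS frame holding n_params 6-byte (id, value) pairs."""
    return frame(SETTINGS, 0, 0, struct.pack(">HI", 0x3, 100) * n_params)


def check_settings(data, per_frame=MAX_PER_FRAME, per_window=MAX_PER_WINDOW):
    """Apply both limits to the frames seen in one window (after the preface).

    Returns (verdict, settings_parameters_counted).
    """
    total, pos = 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            return "truncated", total
        pos += 9 + length
        if ftype != SETTINGS or flags & ACK:
            continue                      # only non-ACK SETTINGS frames count
        if length % 6:
            return "malformed", total     # FRAME_SIZE_ERROR in RFC 7540
        count = length // 6
        total += count
        if count > per_frame:
            return "per-frame limit exceeded", total
        if total > per_window:
            return "per-window limit exceeded", total
    return "ok", total


if __name__ == "__main__":
    print(check_settings(settings_frame(3) + frame(SETTINGS, ACK, 0)))
    print(check_settings(settings_frame(10) * 7))
```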