Microsoft has released a security alert outlining a vulnerability with its web server technology that, if exploited, could block or slow down the entire system.
The denial of service (DoS) issue, first detected by F5 Networks' Gal Goldshtein, affects HTTP/2 connections to the Microsoft's Internet Information Services (IIS) platform, built for use with the Windows NT operating system.
17 common Windows 10 problems and how to fix them What to do if you're still running Windows 7 How to switch from Windows 10 to Linux
Malicious HTTP/2 requests can be sent to a Windows Server running IIS, which would lead to the systems CPU usage to spike to 100% until the malicious connections are killed by IIS, the firm outlined in its advisory published yesterday.
"The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters," the security alert said.
"In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed."
Microsoft has not identified any mitigations or workaround as of yet, but are advising users to install a February 'non-security update', and review a 'knowledge base article', which at the time of writing links to a 404 page-not-found error message.
The firm has also attempted to mitigate the vulnerability by giving users the functionality to define thresholds on settings parameters included in an HTTP/2 request.
After patching their systems with recently-released cumulative updates, Microsoft added, system administrators can customise the HTTP/2 settings threshold and prevent the bug from slowing down or blocking their IIS web services.
Microsoft has had to contend with a number of high profile vulnerabilities recently, especially during the rollout of major upgrades to its Windows 10 operating system. This has led to the firm already commencing early beta testing for a major update due in 2020, much earlier than the process would normally begin.
-
Asus ZenScreen Fold OLED MQ17QH reviewReviews A stunning foldable 17.3in OLED display – but it's too expensive to be anything more than a thrilling tech demo
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto NetworksCase study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Billions of IoT devices will need to be secured in the next four years – zero trust could be the key to successNews Researchers have warned more than 28 billion IoT devices will need to be secured by 2028 as attacks on connected devices surge.
-
Cisco claims new smart switches provide next-level perimeter defenseNews Cisco’s ‘security everywhere’ mantra has just taken on new meaning with the launch of a series of smart network switches.
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilitiesNews Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
