back to article Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

Oops! Microsoft has published an advisory on a bug in its Internet Information Services (IIS) product that allows a malicious HTTP/2 request to send CPU usage to 100 per cent. An anonymous Reg reader tipped us off to the advisory, ADV190005, which warns that the condition can leave the system CPU usage pinned to the ceiling …

  1. alain williams Silver badge

    It's a bug ...

    as long as it is fixed in a shortish time, don't make too much of a fuss.

    1. bombastic bob Silver badge

      Re: It's a bug ...

      I was looking to snark all over it, but after reading the article, it's like "meh".

      Glad it's fixed, anyway.

      It's not like that 'Code Red' thing was, from (nearly) a couple o' decades ago, at any rate. That thing went unpatched for YEARS by end-users and created a LOT of intarweb traffic...

  2. Vince

    "and reboot"

    Actually no - a reboot OR just restart IIS - let's not make it out that it needs a reboot when it does not.

  3. Pascal

    Not putting in default values is fine, ...

    But it would be really helpful to have some indication as to what is considered normal and what is considered excessive or for that matter where / how to log the # of settings parameters per frame and/or # of settings frames exchanged with a client.

    We're left with this:

    Name: Http2MaxSettingsPerFrame

    Type: DWORD

    Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.

    And no clue whatsoever on picking a reasonable value.

    As much as I like learning protocols, fixing a potential DoS situation should come with better guidelines than "go learn everything about http/2 and settings/frames" :(

    1. Trixr Bronze badge

      Re: Not putting in default values is fine, ...

      Exactly. That min/max is pretty damn broad. They should have a reasonable default setting to kick off with. I can run a basic IIS server, but I'm afraid the fine detail of protocol implementations is beyond me. (And no, I'm not that interested in getting to that level of detail either - I'm a mechanic, not an engineer.)

      Also, I'm surprised it's not a security update, considering the flaw can DDOS your system. I get it's a "bug", but surely security flaws are also "bugs". I say this from a general philosophy of being cautious when applying feature updates to servers, while always applying security updates in a timely fashion - I know I'm not the only one.

      1. Tomato Krill

        Re: Not putting in default values is fine, ...

        Can DOS but not compromise, important distinction in terms of how quickly one might rush to patch on a Friday afternoon ..

    2. Anonymous Coward
      Anonymous Coward

      Re: Not putting in default values is fine, ...

      For Http2MaxSettingsPerFrame, given the minimum value is 7 and maximum settings options are 6, I guess that means set it at the minimum or just above in case of future enhancements? Sounds dangerous if thats the case - surely IIS should set based on supported SETTINGS options and allow sites to overide if required

      There's also Http2MaxSettingsPerMinute which seems friendlier - 7 x number of expected clients per minute and I assume bump up or down if you see issue. I would have thought MS could calculate a value based on CPU speed which could then be overridden by sites that needed to adjust it rather than leaving it as an exercise for the reader...

  4. Christian Berger Silver badge


    HTTP/2 is a highly complex protocol so it's very unlikely we'll see a fully correct implementation within the next few decades. On the other hand, laboratory tests only show about 30% performance improvement compared to unoptimized normal HTTP.

    If I was a secret service I'd do my best to promote HTTP/2 as it'll mean lots of bugs and therefore many exploitable security issues. Any kind of complexity increase helps those who want to exploit it.

  5. Ross 12

    Ever get the feeling that HTTP/2 tries to kill too many birds with one stone?

  6. Smartypantz

    Easy fix ....

    Run IIS on Windows (This comment "might" contain sarcasm) and your CPU will already be at 100% for most of the time, handling "Windows Update"/"Feature change-fad of the month" "in the background", (you can continue "working") ;-)

    "Aarrgghh" ...... "!"

  7. bradmca

    Now I cannot remotely connect

    FFS.... I put this on and now RDP disconnects after "configuring remote session" fux sake thanks alot.

    1. PestXs

      Re: Now I cannot remotely connect

      What settings did you use?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019