back to article Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

Oops! Microsoft has published an advisory on a bug in its Internet Information Services (IIS) product that allows a malicious HTTP/2 request to send CPU usage to 100 per cent. An anonymous Reg reader tipped us off to the advisory, ADV190005, which warns that the condition can leave the system CPU usage pinned to the ceiling …

  1. alain williams Silver badge

    It's a bug ...

    as long as it is fixed in a shortish time, don't make too much of a fuss.

    1. bombastic bob Silver badge

      Re: It's a bug ...

      I was looking to snark all over it, but after reading the article, it's like "meh".

      Glad it's fixed, anyway.

      It's not like that 'Code Red' thing was, from (nearly) a couple o' decades ago, at any rate. That thing went unpatched for YEARS by end-users and created a LOT of intarweb traffic...

  2. Vince

    "and reboot"

    Actually no - a reboot OR just restart IIS - let's not make it out that it needs a reboot when it does not.

  3. This post has been deleted by its author

    1. Trixr

      Re: Not putting in default values is fine, ...

      Exactly. That min/max is pretty damn broad. They should have a reasonable default setting to kick off with. I can run a basic IIS server, but I'm afraid the fine detail of protocol implementations is beyond me. (And no, I'm not that interested in getting to that level of detail either - I'm a mechanic, not an engineer.)

      Also, I'm surprised it's not a security update, considering the flaw can DDOS your system. I get it's a "bug", but surely security flaws are also "bugs". I say this from a general philosophy of being cautious when applying feature updates to servers, while always applying security updates in a timely fashion - I know I'm not the only one.

      1. Tomato Krill

        Re: Not putting in default values is fine, ...

        Can DOS but not compromise, important distinction in terms of how quickly one might rush to patch on a Friday afternoon ..

    2. Anonymous Coward
      Anonymous Coward

      Re: Not putting in default values is fine, ...

      For Http2MaxSettingsPerFrame, given the minimum value is 7 and maximum settings options are 6, I guess that means set it at the minimum or just above in case of future enhancements? Sounds dangerous if thats the case - surely IIS should set based on supported SETTINGS options and allow sites to overide if required

      There's also Http2MaxSettingsPerMinute which seems friendlier - 7 x number of expected clients per minute and I assume bump up or down if you see issue. I would have thought MS could calculate a value based on CPU speed which could then be overridden by sites that needed to adjust it rather than leaving it as an exercise for the reader...

  4. Christian Berger


    HTTP/2 is a highly complex protocol so it's very unlikely we'll see a fully correct implementation within the next few decades. On the other hand, laboratory tests only show about 30% performance improvement compared to unoptimized normal HTTP.

    If I was a secret service I'd do my best to promote HTTP/2 as it'll mean lots of bugs and therefore many exploitable security issues. Any kind of complexity increase helps those who want to exploit it.

  5. Ross 12

    Ever get the feeling that HTTP/2 tries to kill too many birds with one stone?

  6. Smartypantz

    Easy fix ....

    Run IIS on Windows (This comment "might" contain sarcasm) and your CPU will already be at 100% for most of the time, handling "Windows Update"/"Feature change-fad of the month" "in the background", (you can continue "working") ;-)

    "Aarrgghh" ...... "!"

  7. bradmca

    Now I cannot remotely connect

    FFS.... I put this on and now RDP disconnects after "configuring remote session" fux sake thanks alot.

    1. PestXs

      Re: Now I cannot remotely connect

      What settings did you use?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like