• Microsoft: New non-security updates prevent attack on Win10 Servers running IIS — but there are no instructions

    Now you know why I’m skeptical of the “optional non-security” description about the second monthly Win10 cumulative updates.

    Ends up that the patches are not “optional” (click Check for updates and see what happens) and, at least this month, for Servers running IIS, they’re not “non-security.”

    Case in point: Microsoft Security Advisory ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames, released yesterday. From the Advisory:

    Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.

    The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.

    To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator; they are not preset by Microsoft.

    The solution? Install this month’s second set of cumulative updates — the ones released earlier this week, KB 4487006, KB 4487011, KB 4487021, KB 4487029 — and then follow these instructions:

    Customers should review Knowledge Base Article 4491420 and take appropriate action.

    Except, well, golly, there is no KB 4491420.

    UPDATE: Microsoft published the instructions, Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection.
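    As an added illustration (not code from this post, from the advisory, or from IIS), here is a constructed Python model of what ADV190005 describes: a client that can put as many SETTINGS parameters as it likes into as many SETTINGS frames as it likes, and a per-connection throttle of the kind the advisory says an administrator can now define, with one cap on parameters per frame and one on parameters per sliding minute. The cap values, the window length, the class and function names and the "accept"/"reject" decisions are all assumptions made for this example; the frame layout follows RFC 7540 (9-byte frame header, 6 bytes per SETTINGS parameter).

```python
"""Constructed model of the HTTP/2 SETTINGS abuse described in ADV190005 and of
an admin-defined threshold on SETTINGS parameters. This is example code, not
IIS or Microsoft code; all limits and names are assumptions.
Frame layout follows RFC 7540 section 4.1 (frame header) and 6.5.1 (SETTINGS)."""
import struct
from collections import deque

SETTINGS_FRAME_TYPE = 0x4
FRAME_HEADER_LEN = 9
SETTING_LEN = 6                     # 16-bit identifier + 32-bit value
DEFAULT_MAX_FRAME_SIZE = 2 ** 14    # initial SETTINGS_MAX_FRAME_SIZE (16384 octets)


def encode_settings_frame(params):
    """Build one SETTINGS frame (stream 0, no flags) from (identifier, value) pairs.
    Nothing in the frame format bounds len(params); only SETTINGS_MAX_FRAME_SIZE does."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in params)
    length = len(payload).to_bytes(3, "big")
    header = length + struct.pack(">BBI", SETTINGS_FRAME_TYPE, 0, 0)
    return header + payload


def parse_frame(data):
    """Split a frame into (frame_type, flags, stream_id, payload)."""
    if len(data) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(data[:3], "big")
    frame_type, flags, stream_id = struct.unpack(">BBI", data[3:FRAME_HEADER_LEN])
    payload = data[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return frame_type, flags, stream_id & 0x7FFFFFFF, payload


def decode_settings(payload):
    """Unpack every (identifier, value) pair. This per-parameter loop is the work an
    unthrottled server performs for every parameter the client chooses to send."""
    if len(payload) % SETTING_LEN:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS payload not a multiple of 6")
    return [struct.unpack(">HI", payload[i:i + SETTING_LEN])
            for i in range(0, len(payload), SETTING_LEN)]


class SettingsThrottle:
    """Per-connection limiter (assumed design): a cap on parameters per SETTINGS frame
    and a cap on parameters accepted per sliding window. The cap values passed in are
    example choices, not IIS defaults."""

    def __init__(self, max_per_frame, max_per_minute, window_seconds=60):
        self.max_per_frame = max_per_frame
        self.max_per_minute = max_per_minute
        self.window_seconds = window_seconds
        self._seen = deque()        # (timestamp, parameter_count) of accepted frames

    def accept(self, frame, now):
        """Return (decision, decoded_settings). The count comes from the length field,
        so a rejected frame is refused before any parameter is decoded."""
        frame_type, _flags, stream_id, payload = parse_frame(frame)
        if frame_type != SETTINGS_FRAME_TYPE or stream_id != 0:
            raise ValueError("PROTOCOL_ERROR: not a connection-level SETTINGS frame")
        count = len(payload) // SETTING_LEN
        if count > self.max_per_frame:
            return "reject:per-frame", []
        while self._seen and now - self._seen[0][0] >= self.window_seconds:
            self._seen.popleft()
        if sum(n for _, n in self._seen) + count > self.max_per_minute:
            return "reject:per-minute", []
        self._seen.append((now, count))
        return "accept", decode_settings(payload)


def max_settings_per_default_frame():
    """Parameters that fit in one frame before the peer raises SETTINGS_MAX_FRAME_SIZE."""
    return DEFAULT_MAX_FRAME_SIZE // SETTING_LEN


if __name__ == "__main__":
    throttle = SettingsThrottle(max_per_frame=100, max_per_minute=1000)
    benign = encode_settings_frame([(0x1, 4096), (0x3, 100)])   # constructed sample frame
    flood = encode_settings_frame([(0x1, 4096)] * 2730)         # one full default-size frame
    print(throttle.accept(benign, now=0)[0])    # accept
    print(throttle.accept(flood, now=1)[0])     # reject:per-frame
```

    Two things the model makes concrete. First, with the default SETTINGS_MAX_FRAME_SIZE of 16384 octets a single frame carries at most 2730 parameters, so a client that wants more simply sends more frames; that is why the advisory talks about "any number of SETTINGS frames with any number of SETTINGS parameters", and why a per-frame cap alone does not close the hole and the throttle also keeps a time-windowed count. Second, the check is done on the frame's length field before the parameters are decoded, so the cost of refusing a flood stays constant rather than scaling with what the client sent.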