According to the tech giant, sending specially crafted HTTP/2 requests can drive the machine's CPU usage to 100% until IIS terminates the malicious connections.
“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause the services to become unstable and cause a temporary burst of CPU utilization until the connection timeout expires and the connection is closed,” Microsoft said in a statement.
The vulnerability affects Windows 10, Windows Server, and Windows Server 2016. The February non-security updates released by Microsoft this week should resolve the issue by allowing IIS administrators to define thresholds for the number of HTTP/2 settings included in a request.
However, Microsoft noted that the released updates do not define any default values, so IIS administrators must set the thresholds themselves. The knowledge base article that should explain how to do this was not available at the time of writing.
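To show what such thresholds measure, the following Python example (added here, not taken from Microsoft or from the original article) parses the decrypted client-to-server bytes of one HTTP/2 connection and counts SETTINGS frames and parameters against limits. The limit values, function names and sample byte strings are assumptions constructed for this example.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface (RFC 7540)
FRAME_SETTINGS, FLAG_ACK = 0x4, 0x1
# Hypothetical limits for this example; choose values that fit your own clients.
MAX_PARAMS_PER_FRAME, MAX_PARAMS_PER_CONNECTION = 32, 128

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete HTTP/2 frame."""
    pos = len(PREFACE) if data.startswith(PREFACE) else 0
    while pos + 9 <= len(data):
        hi, lo, ftype, flags, stream = struct.unpack_from(">BHBBI", data, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(data):
            break  # truncated capture: stop rather than misparse
        yield ftype, flags, stream & 0x7FFFFFFF, data[pos + 9:end]
        pos = end

def audit_settings(data, per_frame=MAX_PARAMS_PER_FRAME, per_conn=MAX_PARAMS_PER_CONNECTION):
    """Count non-ACK SETTINGS frames and parameters; report limit violations."""
    frames = params = 0
    findings = []
    for ftype, flags, stream, payload in iter_frames(data):
        if ftype != FRAME_SETTINGS or flags & FLAG_ACK:
            continue
        if stream != 0 or len(payload) % 6:
            findings.append("malformed SETTINGS frame")
            continue
        count = len(payload) // 6  # each parameter is a 16-bit id + 32-bit value
        frames += 1
        params += count
        if count > per_frame:
            findings.append(f"frame {frames}: {count} parameters > {per_frame}")
    if params > per_conn:
        findings.append(f"connection: {params} parameters > {per_conn}")
    return {"settings_frames": frames, "parameters": params, "findings": findings}

def sample_settings_frame(count):
    """Constructed test input: one SETTINGS frame carrying `count` parameters."""
    payload = struct.pack(">HI", 0x3, 100) * count  # SETTINGS_MAX_CONCURRENT_STREAMS
    header = struct.pack(">BHBBI", len(payload) >> 16, len(payload) & 0xFFFF,
                         FRAME_SETTINGS, 0, 0)
    return header + payload

SAMPLE_TYPICAL = PREFACE + sample_settings_frame(3)     # constructed, typical client
SAMPLE_EXCESSIVE = PREFACE + sample_settings_frame(40) * 5  # constructed, over limits

if __name__ == "__main__":
    for name, blob in (("typical", SAMPLE_TYPICAL), ("excessive", SAMPLE_EXCESSIVE)):
        print(name, audit_settings(blob))
```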
Microsoft credited Gal Goldstein of F5 Networks with reporting the vulnerability. It is worth noting that a similar flaw, tracked as CVE-2018-16844, was recently discovered by Goldstein in the nginx open-source web server software.
“The lack of Microsoft IIS can cause serious problems for organizations using IIS for their corporate website or applications. Although Microsoft has developed a fix to fix this problem, the IT department still needs to configure IIS correctly so that the problem cannot be created. Microsoft, in particular, stated that they did not provide presets, and therefore solving the problem is more than just applying a fix,” said Justin Jett, Audit and Compliance Director at Plixer.
“IT should use network analytics to view connections to their IIS servers to determine if they have connections to web servers that can cause these problems. Often these connections are long-lived, or the original connection is constantly repeated to cause a problem on the server. By looking at these metrics, IT teams can determine the source of DDoS. These types of problems can be resolved with the correct configuration. Network traffic analytics can help you understand where there might be configuration problems, so the system can be updated before serious problems such as DDoS attacks occur,” Jett added.