14 DAY TRIAL // A security bug that Microsoft has recently acknowledged can be resolved by simply installing the latest Windows 10 non-security updates.
If this sounds awkward, it’s because it is, especially because Microsoft more or less confirms that the latest non-security cumulative updates for Windows 10 and Windows Servers also include security-related improvements.
First and foremost, an advisory published by Microsoft earlier this week reveals that a bug in Windows 10 and Windows Server can lead to a spike in CPU usage.
“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS,” the company says.
Windows 10 version 1803 and older and Windows Server 2016 are all affected by the problem.
February 2019 updates
However, Microsoft says that users are recommended install the February non-security update to resolve the bug.
The company published two different sets of cumulative updates this month. The first one went live on February 12 as part of the Patch Tuesday cycle and included security fixes and the second one was released on February 19 for all Windows 10 versions except for 1809 and was specifically focused on non-security improvements.
Surprisingly, Microsoft says this second rollout can help you deal with a potential attack, even though no security fixes were originally believed to be included.
In the guidance published only a few hours ago, Microsoft explains that a manual workaround also exists and it needs to be applied by system administrators.
“To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by system administrator after reviewing the HTTP/2 protocol and their environment requirements,” it says.
Via GHacks