Hi Edward,

I just noticed that we had not yet replied to your message and did want to follow up on your concern.

The researchers did reach out to us here at the Microsoft Security Response Center, and we did investigate. Our analysis showed that this particular issue is not really a vulnerability in our product, but more an overall issue with the HTTP protocol. Addressing it is actually quite difficult.

This is a non-permanent Denial of Service- once the attacker stops, or the source address is blocked for instance on a firewall, the server will become available again. In such way, it's not really all that different from a traffic-based denial of service attack, which is currently a very common and relatively easy way to accomplish the same type of attack.

Due to this, we don't expect this issue to be used in widespread attacks. As another difficulty, this issue cannot be comprehensively defended against in web server software, whether it's Microsoft or another vendor.

We could theoretically change HTTP timer settings which would block this particular exploit, but an attacker could easily change the timing of his attack to render the HTTP server affected again.

As Wong Onn Chee and Tom Brennan mention in their presentation, we did respond to them that we are considering ways of making it easier for an administrator to implement changes to harden their infrastructure against these particular types of attack in the future. However, there is no direct way to make the HTTP protocol fully resistant, so we won't address this in a security update.

Thanks again for bringing this up on the list, and don't hesitate to let me know if you have further questions.

Cheers,

Maarten
Microsoft Security Response Center (MSRC)