April 11th, 2017

.NET Framework April 2017 Security and Quality Rollup

Rich Lander [MSFT]
Program Manager

Update (2017/05/15): Added Windows 10 entries to KB table.

Update (2017/05/09): Known issue information added for the release.

Update (2017/04/20): Known issue information added for the release.

Today, we are releasing a new Security and Quality Rollup and Security Only Update for the .NET Framework. You can read the April 2017 Security Updates Release Notes to learn about all changes being released today.

Known issue with the release: “Privilege not held” error with PowerShell “stop-computer” command: Workaround after April 2017 security updates from CVE-2017-0160.

Security

Microsoft Common Vulnerabilities and Exposures CVE-2017-0160

A remote code execution vulnerability exists when the Microsoft .NET Framework fails to properly validate input before loading libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to access the local system with the ability to execute a malicious application. The security update addresses the vulnerability by correcting how .NET validates input on library load.

Note: You can also search for the security update at Security TechCenter. Search for “CVE-2017-0160”.

Quality and Reliability

There are no quality and reliability changes this month.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services and Microsoft Update Catalog. The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog. The Windows 10 updates are integrated with the Windows 10 Monthly Update, available via Windows Update.

Docker Images

The Windows ServerCore, IIS, .NET Framework, and ASP.NET Docker images have been updated to include the Monthly Rollup. Pulling the latest image will update your local Docker image cache.

Downloading KBs from Microsoft Update Catalog

See the table below to learn about version applicability and more detailed release-specific information. See .NET Framework Monthly Rollups Explained for an explanation on how to use this table to download patches from Microsoft Update Catalog.

| Product Version | Security and Quality Rollup KB | Security Rollup KB |
| --- | --- | --- |
| Windows 10 Creators Update | Catalog 4015583 | N/A |
| .NET Framework 4.7 | 4015583 | |
| .NET Framework 3.5 | 4015583 | |
| Windows 10 Anniversary Update / Windows Server 2016 | Catalog 4015217 | N/A |
| .NET Framework 4.6.2 | 4015217 | |
| .NET Framework 3.5 | 4015217 | |
| Windows 10 1511 | Catalog 4015219 | N/A |
| .NET Framework 4.6.1 | 4015219 | |
| .NET Framework 3.5 | 4015219 | |
| Windows 10 1507 | Catalog 4015221 | N/A |
| .NET Framework 4.6 | 4015221 | |
| .NET Framework 3.5 | 4015221 | |
| Windows 8.1 / Windows Server 2012 R2 | Catalog 4014983 | Catalog 4014987 |
| .NET Framework 4.6.2 | 4014546 | 4014550 |
| .NET Framework 4.6, 4.6.1 | 4014551 | 4014556 |
| .NET Framework 4.5.2 | 4014555 | 4014562 |
| .NET Framework 3.5 | 4014567 | 4014574 |
| Windows Server 2012 | Catalog 4014982 | Catalog 4014986 |
| .NET Framework 4.6.2 | 4014545 | 4014549 |
| .NET Framework 4.6, 4.6.1 | 4014548 | 4014560 |
| .NET Framework 4.5.2 | 4014557 | 4014564 |
| .NET Framework 3.5 | 4014563 | 4014572 |
| Windows 7 / Windows Server 2008 R2 | Catalog 4014981 | Catalog 4014985 |
| .NET Framework 4.6.2 | 4014547 | 4014552 |
| .NET Framework 4.6, 4.6.1 | 4014553 | 4014558 |
| .NET Framework 4.5.2 | 4014559 | 4014566 |
| .NET Framework 3.5.1 | 4014565 | 4014573 |
| Windows Vista / Windows Server 2008 | Catalog 4014984 | Catalog 4014988 |
| .NET Framework 4.6 | 4014553 | 4014558 |
| .NET Framework 4.5.2 | 4014559 | 4014566 |
| .NET Framework 2.0 | 4014561 | 4014571 |

See .NET Framework Deployment tables for detailed deployment information on the release.

Known Issues

The April 2017 Monthly Update contained a bug that caused the PowerShell Stop-Computer command to stop functioning correctly. This bug has since been fixed. You can get the fix in the following ways:

Using Windows 10

Using an earlier version of Windows

  • Wait for the next .NET Framework monthly update, which will include this fix. This approach is recommended if you are not experiencing this problem.
  • Install the specific fix for this issue, listed below.

| Windows Version | .NET Version | KB Number |
| --- | --- | --- |
| Windows 8.1 / Windows Server 2012 R2 | .NET Framework 4.6.2 | 4020499 |
| Windows 8.1 / Windows Server 2012 R2 | .NET Framework 4.6 and 4.6.1 | 4020502 |
| Windows 8.1 / Windows Server 2012 R2 | .NET Framework 4.5.2 | 4020505 |
| Windows 8.1 / Windows Server 2012 R2 | .NET Framework 3.5 | 4020514 |
| Windows Server 2012 | .NET Framework 4.6.2 | 4020498 |
| Windows Server 2012 | .NET Framework 4.6 and 4.6.1 | 4020501 |
| Windows Server 2012 | .NET Framework 4.5.2 | 4020506 |
| Windows Server 2012 | .NET Framework 3.5 | 4020512 |
| Windows 7 / Windows Server 2008 R2 | .NET Framework 4.6.2 | 4020500 |
| Windows 7 / Windows Server 2008 R2 | .NET Framework 4.6 and 4.6.1 | 4020503 |
| Windows 7 / Windows Server 2008 R2 | .NET Framework 4.5.2 | 4020507 |
| Windows 7 / Windows Server 2008 R2 | .NET Framework 3.5.1 | 4020513 |
| Windows Server 2008 | .NET Framework 4.6 | 4020503 |
| Windows Server 2008 | .NET Framework 4.5.2 | 4020507 |
| Windows Server 2008 | .NET Framework 2.0 Service Pack 2 | 4020511 |

Note that the .NET Framework 4.7 contains the fix. If you are using Windows 10 Creators Update, you will still need to install the May 2017 Update to get this fix.

Previous Monthly Rollups

The last couple .NET Framework Rollup updates are listed below for your convenience:

Note: Previously released security and quality updates are included in today’s release.

More Information

You can read the .NET Framework Monthly Rollups Explained to learn more about how the .NET Framework is updated.
