September 12th, 2017

.NET Framework September 2017 Security and Quality Rollup

Rich Lander [MSFT]
Program Manager

Last Updated: 2017.09.21.

Today, we are releasing the September 2017 Security and Quality Rollup and Security Only Update.

This update applies to Windows 7 and later client versions and Windows Server 2008 and later server versions.

This update has known issues. Please see them at the bottom of the update.

Security

This release contains the following security changes.

CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or application. The security update addresses the vulnerability by correcting how .NET validates untrusted input.

More Information: CVE-2017-8759

Quality and Reliability

This release contains the following quality and reliability improvements.

ASP.NET

  • Values added to System.Web.Cache expire immediately, with .NET Framework 4.7. [452228]
  • ASP.NET site running on Sitefinity broken, with .NET Framework 4.7. [457739]

CLR

  • CRWLock::StaticAcquireWriterLock() never returns if Int32.MaxValue number of ReaderWriterLock objects are created, with .NET Framework 3.5. [242568]
  • Crash in CLR assembly metadata reader. [367294]
  • .NET remoting IPC listener thread exits and leaves an orphaned IPCServerchannel. [454409]
  • Silent bad codegen when optimizing expression. [460765]
  • Crash in Visual Studio due to race in CLR assembly loader. [462762]
  • Runtime underallocates arrays by one element in rare cases when jitting large methods. [463604]
  • AppContext feature opt-in/out not functioning correctly. [469020]

Management

  • Reboot method of Win32_OperatingSystem has Privilege not held exception [441901]

Networking

  • HTTPWebRequest times out when switching to TLS after installing update KB4019112. [465796]

WCF

  • NetTcp with X509Certificates using SslStream uses the default TLS version as the OS, with .NET Framework 4.7. [451528]

Windows Forms

  • Excessive object creation in a performance-critical code-path leading to performance regressions and/or displaying empty UI and/or exhausting GDI+ handles. [452048]
  • Multi-Mon support: Controls with non-default anchoring are moved around the screen when scaling is changed [462872].**

WPF

  • Application crash due to call into DWrite. [453529]*
  • WPF consumes high % of CPU in Visual Studio when console session not active. [391184]*
  • WPF fails to load resources if two versions of the same assembly are loaded. [378607]***
  • Visual Studio fails due to “Unable to load DLL ‘PenIMC.dll’” error. [452476]***
  • TargetFrameworkName is null with mixed mode application. [425074]***
  • Event leak with WPF application on touch screen monitors on Windows 10. [434946]***

 

Note: Some fixes will be available at a later date. See the legend below:

*     This fix will be made available for Windows 10 in October. **   This fix will be made available for Windows 10 1607 (Anniversary Update) in October. *** This fix will be made available for Windows 10 1703 (Creators Update) in October.

Note: Fixes are not always available for all Windows versions at the same time. This situation is noted where appropriate, and where the information is available, a release date is provided.

Note: Additional information on these improvements is not available. The VSTS bug number provided with each improvement is a unique ID that you can give Microsoft Customer Support, include in StackOverflow comments or use in web searches.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

Product Version Security and Quality Rollup KB Security Rollup KB
Windows 10 1703 (Creators Update) Catalog 4038788 N/A
.NET Framework 4.7 4038788 N/A
.NET Framework 3.5 4038788 N/A
Windows 10 1607 (Anniversary Update) Windows Server 2016 Catalog 4038782 N/A
.NET Framework 4.6.2, 4.7 4038782 N/A
.NET Framework 3.5 4038782 N/A
Windows 10 1511 Catalog 4038783 N/A
.NET Framework 4.6.1 4038783 N/A
.NET Framework 3.5 4038783 N/A
Windows 10 1507 Catalog 4038781 N/A
.NET Framework 4.6 4038781 N/A
.NET Framework 3.5 4038781 N/A
Windows 8.1 Windows RT 8.1 Windows Server 2012 R2 Catalog 4041085 Catalog 4041092
.NET Framework 3.5 4040981 4040967
.NET Framework 4.5.2 4040974 4040958
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7 4040972 4040956
Windows Server 2012 Catalog 4041084 Catalog 4041091
.NET Framework 3.5 4040979 4040965
.NET Framework 4.5.2 4040975 4040959
.NET Framework 4.6 4040971 4040955
Windows 7 Windows Server 2008 R2 Catalog 4041083 Catalog 4041090
.NET Framework 3.5.1 4040980 4040966
.NET Framework 4.5.2 4040977 4040960
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7 4040973 4040957
Windows Server 2008 Catalog 4041086 Catalog 4041093
.NET Framework 2.0 4040978 4040964
.NET Framework 4.5.2 4040977 4040960
.NET Framework 4.6 4040973 4040957

Docker Images

The following Docker container images have been updated as part of this release.

Known Issues

This release has the following known issues.

WPF Rendering in a Windows Service

After you install this update on the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7, you may experience rendering issues in Windows Presentation Foundation (WPF) applications that use WPF types in a Windows service. For more information, see KB 4043601.

Incorrect text in .NET Framework Setup

  • .NET Framework versions: 4.5.2
  • Windows versions: Windows 7, Windows Server 2008, Windows Server 2008 R2
  • Affected KBs: KB4040960, KB4040977

When you apply this update on non-English locale systems, you may notice some pseudo localized characters instead of localized content in the interactive setup. This is a non-impacting, UI-only, setup issue that does not affect the deployment result or functionality of the update contents. Please apply this update to help secure your computer against vulnerabilities and the issues that are addressed by this update. For more information, see: KB 4043564.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Category
.NET

Author

Rich Lander [MSFT]
Program Manager

Richard Lander is a Principal Program Manager on the .NET Core team. He works on making .NET Core work great in memory-limited Docker containers, on ARM hardware like the Raspberry Pi, and enabling GPIO programming and IoT scenarios. He is part of the design team that defines new .NET runtime capabilities and features. He enjoys British rock and Doctor Who. He grew up in Canada and New Zealand.

0 comments

Discussion are closed.