.NET Framework February 2019 Security and Quality Rollup

Tara Overfield

February 13th, 20192 0

Updated: February 15, 2019

A new Advisory on February 2019 Security update for Windows 10 update 1809 has been released today for issues customers have reported with .NET 4.8 Preview and this security update for Windows 10 update 1809 installed.

Updated: February 14, 2019

Added the previously released previous release update information in quality and reliability for easier reference.

Yesterday, we released the February 2019 Security and Quality Rollup.

Security

CVE-2019-0613 – Remote Code Execution Vulnerability

This security update resolves a vulnerability in .NET Framework software if the software does not check the source markup of a file. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on by using administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who have administrative user rights.

CVE-2019-0657 – Domain Spoofing Vulnerability

This security update resolves a vulnerability in certain .NET Framework APIs that parse URLs. An attacker who successfully exploits this vulnerability could use it to bypass security logic that’s intended to make sure that a user-provided URL belonged to a specific host name or a subdomain of that host name. This could be used to cause privileged communication to be made to an untrusted service as if it were a trusted service.

CVE-2019-0657

Quality and Reliability

This release contains the following previously released quality and reliability improvements, January 2019 Preview of Quality Rollup.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

The following table is for Windows 10 and Windows Server 2016+ versions.

Product Version	Security and Quality Rollup KB
Windows 10 1809 (October 2018 Update)	Catalog
Windows Server 2019	4483452
.NET Framework 3.5, 4.7.2	4483452
Windows 10 1803 (April 2018 Update)	Catalog 4487017
.NET Framework 3.5, 4.7.2	4487017
Windows 10 1709 (Fall Creators Update)	Catalog 4486996
.NET Framework 3.5, 4.7.1, 4.7.2	4486996
Windows 10 1703 (Creators Update)	Catalog 4487020
.NET Framework 3.5, 4.7, 4.7.1, 4.7.2	4487020
Windows 10 1607 (Anniversary Update)	Catalog
Windows Server 2016	4487026
.NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2	4487026
Windows 10 1507	Catalog 4487018
.NET Framework 3.5, 4.6, 4.6.1, 4.6.2	4487018

The following table is for earlier Windows and Windows Server versions.

Product Version	Security and Quality Rollup KB	Security Only Update KB
Windows 8.1 Windows RT 8.1 Windows Server 2012 R2	Catalog 4487080	Catalog 4487124
.NET Framework 3.5	Catalog 4483459	Catalog 4483484
.NET Framework 4.5.2	Catalog 4483453	Catalog 4483472
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2	Catalog 4483450	Catalog 4483469
Windows Server 2012	Catalog 4487079	Catalog 4487122
.NET Framework 3.5	Catalog 4483456	Catalog 4483481
.NET Framework 4.5.2	Catalog 4483454	Catalog 4483473
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2	Catalog 4483449	Catalog 4483468
Windows 7 SP1	Catalog	Catalog
Windows Server 2008 R2 SP1	4487078	4487121
.NET Framework 3.5.1	Catalog 4483458	Catalog 4483483
.NET Framework 4.5.2	Catalog 4483455	Catalog 4483474
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2	Catalog 4483451	Catalog 4483470
Windows Server 2008	Catalog 4487081	Catalog 4487124
.NET Framework 2.0, 3.0	Catalog 4483457	Catalog 4483482
.NET Framework 4.5.2	Catalog 4483455	Catalog 4483474
.NET Framework 4.6	Catalog 4483451	Catalog 4483470

Docker Images

We are updating the following .NET Framework Docker images for today’s release:

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: Significant changes have been made with Docker images recently. Please look at .NET Docker Announcements for more information.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Tara Overfield Senior Software Engineer, .NET Framework Servicing

2 comments

dean kenley March 7, 2019 10:43 am 0

We are having an issue that this update for Windows 10 1607 LTSB is not updating the system.dll file. Here is a clip for our Tenable.io scan for systems showing this error
Microsoft .NET Framework 3.5
The remote host is missing one of the following rollup KBs :

Cumulative
– 4487026

C:\windows\Microsoft.NET\Framework\v2.0.50727\system.dll has not been patched.
Remote version : 2.0.50727.8784
Should be : 2.0.50727.8803I have checked the csv file showing the files for KB4487026. It shows system.dll should be 2.0.50727.8803 but only for x86 platform and all of our 1607 LTSB systems are 64bit systems. I have checked the systems and they are showing KB4487026 is installed but the system.dll file is not updating. Any guidance would be appreciated.

Hach Technologies October 7, 2019 6:48 am 0

I need to unit test the class below.

What steps would I need to take to get the class into a test harness? and

what would be a few tests I could write ?

public class MyDatabase

{

  private System.Data.SqlClient.SqlConnection myConn;

  static string connString = "a valid connection string";



  public MyDatabase()

  {

    myConn = new System.Data.SqlClient.SqlConnection(connString);

  }



  public bool Connected

  {

        get { return (myConn.State == ConnectionState.Open); }

  }



  public void Connect()

  {

        myConn.Open();

  }



  public void Disconnect()

  {

chnologies
myConn.Close();

}

Thanks

Hach Technologies

http://hachtechnologies

Discussion is closed. Login to edit/delete existing comments.

dean kenley March 7, 2019 10:43 am 0

We are having an issue that this update for Windows 10 1607 LTSB is not updating the system.dll file. Here is a clip for our Tenable.io scan for systems showing this error
Microsoft .NET Framework 3.5
The remote host is missing one of the following rollup KBs :

Cumulative
– 4487026

C:\windows\Microsoft.NET\Framework\v2.0.50727\system.dll has not been patched.
Remote version : 2.0.50727.8784
Should be : 2.0.50727.8803I have checked the csv file showing the files for KB4487026. It shows system.dll should be 2.0.50727.8803 but only for x86 platform and all of our 1607 LTSB systems are 64bit systems. I have checked the systems and they are showing KB4487026 is installed but the system.dll file is not updating. Any guidance would be appreciated.
- Hach Technologies October 7, 2019 6:48 am 0
  I need to unit test the class below.
  
  What steps would I need to take to get the class into a test harness? and
  
  what would be a few tests I could write ?
  
  public class MyDatabase
  
  {
```
  private System.Data.SqlClient.SqlConnection myConn;

  static string connString = "a valid connection string";



  public MyDatabase()

  {

    myConn = new System.Data.SqlClient.SqlConnection(connString);

  }



  public bool Connected

  {

        get { return (myConn.State == ConnectionState.Open); }

  }



  public void Connect()

  {

        myConn.Open();

  }



  public void Disconnect()

  {
```
  chnologies
  myConn.Close();
```
  }
```
  }
  
  Thanks
  
  Hach Technologies
  
  http://hachtechnologies

.NET Framework February 2019 Security and Quality Rollup

Security

CVE-2019-0613 – Remote Code Execution Vulnerability

CVE-2019-0657 – Domain Spoofing Vulnerability

Quality and Reliability