January 9th, 2018

.NET Framework January 2018 Security and Quality Rollup

Rich Lander [MSFT]
Program Manager

Updated: January 25, 2018

Today, we are releasing the January 2018 Security and Quality Rollup.

An issue with the January 2018 Monthly Rollup was found on Windows 7 and Windows Server 2008 R2 if .NET Framework 4.7.1 was already installed. It has been resolved. The download links for these Windows versions have been updated in the table below. A fixit tool has also been released to fix affected machines. See .NET Framework January 2018 Rollup Known Issue KB4074906 – “TypeInitializationException” or “FileFormatException” error in WPF applications for more information.

See .NET Framework 4.7.1 is available on Windows Update, WSUS and MU Catalog! for separately available reliability updates for the .NET Framework 4.7.1.

Security

CVE-2018-0786 – Security Feature Bypass in X509 Certificate Validation

CVE-2018-0786 – A security feature bypass vulnerability exists when Microsoft .NET Framework (and .NET Core) components do not completely validate certificates.

An attacker could present a certificate that is marked invalid for a specific use, and the component would nonetheless use it for that purpose, disregarding the certificate's Enhanced Key Usage tagging.

The security update addresses the vulnerability by helping to ensure that .NET Framework (and .NET Core) components completely validate certificates.
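As an illustration of the Enhanced Key Usage restriction described above, the following added example (not code from the update or from the .NET team) shows an application-level check that a certificate is tagged for the purpose it is about to be used for. The class name, helper names and test subject name are hypothetical, and the sample certificate is constructed in the example; `CertificateRequest` requires .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class EkuCheck // hypothetical name, for illustration only
{
    // Well-known Enhanced Key Usage OIDs (RFC 5280).
    const string ServerAuth = "1.3.6.1.5.5.7.3.1";
    const string ClientAuth = "1.3.6.1.5.5.7.3.2";

    // True when the certificate may be used for the given purpose.
    // Per RFC 5280, a certificate with no EKU extension is unrestricted.
    static bool IsValidForUsage(X509Certificate2 cert, string requiredOid)
    {
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToList();
        if (ekus.Count == 0) return true;
        return ekus.Any(e => e.EnhancedKeyUsages.Cast<Oid>()
                              .Any(o => o.Value == requiredOid));
    }

    // Constructed sample: a self-signed certificate tagged with one EKU only.
    static X509Certificate2 MakeCert(string ekuOid)
    {
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=eku-demo.example", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid(ekuOid) }, critical: false));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                        DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        // The certificate is tagged for client authentication only, so a
        // caller about to use it for server authentication must reject it.
        using (var cert = MakeCert(ClientAuth))
        {
            Console.WriteLine("usable for client auth: " + IsValidForUsage(cert, ClientAuth));
            Console.WriteLine("usable for server auth: " + IsValidForUsage(cert, ServerAuth));
        }
    }
}
```

When building a chain with `X509Chain`, adding the required OID to `ChainPolicy.ApplicationPolicy` asks the chain builder to enforce the same restriction during validation.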

CVE-2018-0764 – Denial of Service when parsing XML documents

CVE-2018-0764 – A Denial of Service vulnerability exists when .NET Framework and .NET Core improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET (or .NET Core) application.

The update addresses the vulnerability by correcting how .NET Framework and .NET Core applications handle XML document processing.

Quality and Reliability

This release contains no new quality and reliability improvements.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

| Product Version | Security and Quality Rollup KB | Security-only Update KB |
| --- | --- | --- |
| Windows 10 1709 (Fall Creators Update) | Catalog 4056892 | N/A |
| .NET Framework 3.5 | 4056892 | N/A |
| .NET Framework 4.7.1 | 4056892 | N/A |
| Windows 10 1703 (Creators Update) | Catalog 4056891 | N/A |
| .NET Framework 3.5 | 4056891 | N/A |
| .NET Framework 4.7, 4.7.1 | 4056891 | N/A |
| Windows 10 1607 (Anniversary Update) | Catalog 4056890 | N/A |
| .NET Framework 3.5 | 4056890 | N/A |
| .NET Framework 4.6.2, 4.7 | 4056890 | N/A |
| Windows 10 1511 | Catalog 4056888 | N/A |
| .NET Framework 3.5 | 4056888 | N/A |
| .NET Framework 4.6.1, 4.6.2 | 4056888 | N/A |
| Windows 10 1507 | Catalog 4056893 | N/A |
| .NET Framework 3.5 | 4056893 | N/A |
| .NET Framework 4.6, 4.6.1, 4.6.2 | 4056893 | N/A |
| Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 | Catalog 4055266 | Catalog 4055271 |
| .NET Framework 3.5 | 4054999 | 4054177 |
| .NET Framework 4.5.2 | 4054993 | 4054170 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4055001 | 4054182 |
| Windows Server 2012 | Catalog 4055265 | Catalog 4055270 |
| .NET Framework 3.5 | 4054997 | 4054175 |
| .NET Framework 4.5.2 | 4054994 | 4054171 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4055000 | 4054181 |
| Windows 7, Windows Server 2008 R2 | Catalog 4055532 | Catalog 4055269 |
| .NET Framework 3.5.1 | 4054998 | 4054176 |
| .NET Framework 4.5.2 | 4054995 | 4054172 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4074880 | 4054183 |
| Windows Server 2008 | Catalog 4055267 | Catalog 4055272 |
| .NET Framework 2.0, 3.0 | 4054996 | 4054174 |
| .NET Framework 4.5.2 | 4054995 | 4054172 |
| .NET Framework 4.6 | 4055002 | 4054183 |

Known Issue

An issue has been found in the .NET Framework January 2018 Security and Quality Rollup (KB 4055002), applicable to .NET Framework 4.7.1 installed on either Windows 7 or Windows Server 2008 R2. The .NET team has fixed the issue and re-released the January 2018 Monthly Rollup as KB 4074880.

See .NET Framework January 2018 Rollup Known Issue KB4074906 – “TypeInitializationException” or “FileFormatException” error in WPF applications for more information.

Docker Images

Docker images have been updated as part of today’s release (actually, a few days ago).

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: Significant changes have been made with Docker images recently. Please look at .NET Docker Announcements for more information.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Other Updates:
