May 9th, 2017

.NET Framework May 2017 Security and Quality Rollup

Rich Lander [MSFT]
Program Manager

Last Updated (2015/05/31)

Today, we are releasing a new Security and Quality Rollup and Security Only Update for the .NET Framework.

Please see .NET Core May 2017 Updates for the .NET Core updates being released today.

Security

Microsoft Common Vulnerabilities and Exposures CVE-2017-0248

A security feature bypass vulnerability exists when Microsoft .NET Framework (and .NET Core) components do not completely validate certificates.

An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage extensions.

The security update addresses the vulnerability by helping to ensure that .NET Framework (and .NET Core) components completely validate certificates.

To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0248.

This update also contains security-enhancing fixes to the Windows Presentation Framework PackageDigitalSignatureManager component’s ability to sign packages with the SHA256 hash algorithm.

Quality and Reliability

There are no quality and reliability changes this month.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services and Microsoft Update Catalog. The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog. The Windows 10 updates are integrated with the Windows 10 Monthly Update.

Docker Images

The Windows ServerCore and .NET Framework Docker images have also been updated. Pulling the latest image will update your local Docker image cache.

Downloading KBs from Microsoft Update Catalog

You can learn more about the releases from the table below. See .NET Framework Monthly Rollups Explained for an explanation on how to use this table to download patches from Microsoft Update Catalog.

Product Version Security and Quality Rollup KB Security Rollup KB
Windows 10 Creators Update Catalog 4016871 N/A
.NET Framework 4.7 4016871
.NET Framework 3.5 4016871
Windows 10 Anniversary Update Windows Server 2016 Catalog 4019472 N/A
.NET Framework 4.6.2 4019472
.NET Framework 3.5 4019472
Windows 10 1511 Catalog 4019473 N/A
.NET Framework 4.6.1 4019473
.NET Framework 3.5 4019473
Windows 10 1507 Catalog 4019474 N/A
.NET Framework 4.6 4019474
.NET Framework 3.5 4019474
Windows 8.1 Windows Server 2012 R2 Catalog 4019114 Catalog 4019111
.NET Framework 4.6.2 4014507 4014587
.NET Framework 4.6, 4.6.1 4014510 4014590
.NET Framework 4.5.2 4014512 4014595
.NET Framework 3.5 4014505 4014581
Windows Server 2012 Catalog 4019113 Catalog 4019110
.NET Framework 4.6.2 4014506 4014586
.NET Framework 4.6, 4.6.1 4014509 4014589
.NET Framework 4.5.2 4014513 4014597
.NET Framework 3.5 4014503 4014577
Windows 7 Windows Server 2008 R2 Catalog 4019112 Catalog 4019108
.NET Framework 4.6.2 4014508 4014588
.NET Framework 4.6, 4.6.1 4014511 4014591
.NET Framework 4.5.2 4014514 4014599
.NET Framework 3.5.1 4014504 4014579
Windows Server 2008 Catalog 4019115 Catalog 4019109
.NET Framework 4.6 4014511 4014591
.NET Framework 4.5.2 4014514 4014599
.NET Framework 2.0 4014502 4014575

Known Issue with the May 2017 Update

The May 2017 Update includes incorrect patch metadata that can cause the Microsoft Baseline Security Analyzer (MBSA) or Windows Update to report that the May 2017 Update (or parts of it) is missing.

This issue will be fixed automatically with an update to Windows Update patch metadata. No action will be required on your part. This post will be updated when that happens.

This issue has now been fixed. If the Security and Quality Rollup is installed and you re-run the MBSA tool, you should see that all updates are installed — none are reported missing.

In the case that you have installed the Security-only Update and not the Security and Quality Rollup, the MBSA tool will report that updates are missing. This is by design. For an explanation, see More on Windows 7 and Windows 8.1 servicing changes and in particular the section titled “What’s expected if you deploy both updates?”.

Known Issue with the April 2017 Update

The April 2017 Monthly Update contained a bug that caused the PowerShell Stop-Computer command to stop correctly functioning. This bug has since been fixed. You can get the fix in the following ways:

Using Windows 10

  • Install the May 2017 Update for Windows 10 (see link in the table above).

Using an earlier version of Windows

  • Wait for the next .NET Framework monthly update, which will include this fix. This approach is recommended if you are not experiencing this problem.
  • Install the specific fix for this issue, which you can find in the April 2017 Monthly Update post.

Note that the .NET Framework 4.7 contains the fix. If you are using Windows 10 Creators Update, you will still need to install the May 2017 Update (see link in the table above) to get this fix.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Note: Previously released security and quality updates are included in today’s release.

More Information

You can read the .NET Framework Monthly Rollups Explained to learn more about how the .NET Framework is updated.

Updated (2015/05/31): Reported that known issue with patch metadata is fixed.

Updated (2015/05/25): Added known issue with patch metadata.

Updated (2015/05/16): Added Windows 10 entries to KB table.

Category
.NET

Author

Rich Lander [MSFT]
Program Manager

Richard Lander is a Principal Program Manager on the .NET Core team. He works on making .NET Core work great in memory-limited Docker containers, on ARM hardware like the Raspberry Pi, and enabling GPIO programming and IoT scenarios. He is part of the design team that defines new .NET runtime capabilities and features. He enjoys British rock and Doctor Who. He grew up in Canada and New Zealand.

0 comments

Discussion are closed.