May 8th, 2018

.NET Framework May 2018 Security and Quality Rollup

Rich Lander [MSFT]
Program Manager

Today, we are releasing the May 2018 Security and Quality Rollup.

Security

CVE-2018-1039 – Windows Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program. The update addresses the vulnerability by correcting how Windows validates User Mode Code Integrity policies

CVE-2018-1039

CVE-2018-0765 – .NET and .NET Core Denial Of Service Vulnerability

A Denial of Service vulnerability exists when .NET, and .NET core, improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET(or .NET core) application.

The update addresses the vulnerability by correcting how a .NET, and .NET core, applications handles XML document processing.

CVE-2018-0765

Quality and Reliability

This release contains the following quality and reliability improvements.

CLR

  • Floating-point overflow in the thread pool’s hill climbing algorithm. [569602]
  • High CPU usage in a kernel lock ntoskrnl!ExpWaitForSpinLockExclusiveAndAcquire called by ntoskrnl!KiPageFault is resolved by CLR implemented write watch instead [568318]

Note: Additional information on these improvements is not available. The VSTS bug number provided with each improvement is a unique ID that you can give Microsoft Customer Support, include in StackOverflow comments or use in web searches.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

The following table is for Windows 10 and Windows Server 2016+.

Product Version Security and Quality Rollup KB
Windows 10 1803 (April 2018 Update) Catalog 4103721
.NET Framework 3.5 4103721
.NET Framework 4.7.2 4103721
Windows 10 1709 (Fall Creators Update) Catalog 4103727
.NET Framework 3.5 4103727
.NET Framework 4.7.1 4103727
Windows 10 1703 (Creators Update) Catalog 4103731
.NET Framework 3.5 4103731
.NET Framework 4.7, 4.7.1 4103731
Windows 10 1607 (Anniversary Update) Windows Server 2016 Catalog 4103723
.NET Framework 3.5 4103723
.NET Framework 4.6.2, 4.7, 4.7.1 4103723
Windows 10 1507 Catalog 4103716
.NET Framework 3.5 4103716
.NET Framework 4.6, 4.6.1, 4.6.2 4103716

The following table is for earlier Windows and Windows versions.

Product Version Security and Quality Rollup KB Security Rollup KB
Windows 8.1 Windows RT 8.1 Windows Server 2012 R2 Catalog 4099635 Catalog 4099639
.NET Framework 3.5 4095875 4095515
.NET Framework 4.5.2 4095876 4095517
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4096417 4096236
Windows Server 2012 Catalog 4099634 Catalog 4099638
.NET Framework 3.5 4095872 4095512
.NET Framework 4.5.2 4096494 4095518
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4096416 4096235
Windows 7 Windows Server 2008 R2 Catalog 4099633 Catalog 4099637
.NET Framework 3.5.1 4095874 4095514
.NET Framework 4.5.2 4096495 4095519
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4096418 4096237
Windows Server 2008 Catalog 4099636 Catalog 4099640
.NET Framework 2.0, 3.0 4095873 4095513
.NET Framework 4.5.2 4096495 4095519
.NET Framework 4.6 4096418 4096237

Docker Images

We are updating the following .NET Framework Docker images for today’s release:

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Category
.NET

Author

Rich Lander [MSFT]
Program Manager

Richard Lander is a Principal Program Manager on the .NET Core team. He works on making .NET Core work great in memory-limited Docker containers, on ARM hardware like the Raspberry Pi, and enabling GPIO programming and IoT scenarios. He is part of the design team that defines new .NET runtime capabilities and features. He enjoys British rock and Doctor Who. He grew up in Canada and New Zealand.

0 comments

Discussion are closed.