.NET Framework May 2018 Security and Quality Rollup
Today, we are releasing the May 2018 Security and Quality Rollup.
CVE-2018-1039 – Windows Security Feature Bypass Vulnerability
A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program. The update addresses the vulnerability by correcting how Windows validates User Mode Code Integrity policies.
CVE-2018-0765 – .NET and .NET Core Denial Of Service Vulnerability
A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET (or .NET Core) application.
The update addresses the vulnerability by correcting how .NET and .NET Core applications handle XML document processing.
Quality and Reliability
This release contains the following quality and reliability improvements.
- Floating-point overflow in the thread pool’s hill climbing algorithm. 
- High CPU usage in the kernel lock ntoskrnl!ExpWaitForSpinLockExclusiveAndAcquire, called by ntoskrnl!KiPageFault, is resolved by using a CLR-implemented write watch instead.
Note: Additional information on these improvements is not available. The VSTS bug number provided with each improvement is a unique ID that you can give Microsoft Customer Support, include in StackOverflow comments or use in web searches.
Getting the Update
The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.
Microsoft Update Catalog
You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.
The following table is for Windows 10 and Windows Server 2016+.

| Product Version | Security and Quality Rollup KB |
|---|---|
| Windows 10 1803 (April 2018 Update) | Catalog 4103721 |
| .NET Framework 3.5 | 4103721 |
| .NET Framework 4.7.2 | 4103721 |
| Windows 10 1709 (Fall Creators Update) | Catalog 4103727 |
| .NET Framework 3.5 | 4103727 |
| .NET Framework 4.7.1 | 4103727 |
| Windows 10 1703 (Creators Update) | Catalog 4103731 |
| .NET Framework 3.5 | 4103731 |
| .NET Framework 4.7, 4.7.1 | 4103731 |
| Windows 10 1607 (Anniversary Update), Windows Server 2016 | Catalog 4103723 |
| .NET Framework 3.5 | 4103723 |
| .NET Framework 4.6.2, 4.7, 4.7.1 | 4103723 |
| Windows 10 1507 | Catalog 4103716 |
| .NET Framework 3.5 | 4103716 |
| .NET Framework 4.6, 4.6.1, 4.6.2 | 4103716 |

The following table is for earlier Windows and Windows Server versions.

| Product Version | Security and Quality Rollup KB | Security Rollup KB |
|---|---|---|
| Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 | Catalog 4099635 | Catalog 4099639 |
| .NET Framework 3.5 | 4095875 | 4095515 |
| .NET Framework 4.5.2 | 4095876 | 4095517 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4096417 | 4096236 |
| Windows Server 2012 | Catalog 4099634 | Catalog 4099638 |
| .NET Framework 3.5 | 4095872 | 4095512 |
| .NET Framework 4.5.2 | 4096494 | 4095518 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4096416 | 4096235 |
| Windows 7, Windows Server 2008 R2 | Catalog 4099633 | Catalog 4099637 |
| .NET Framework 3.5.1 | 4095874 | 4095514 |
| .NET Framework 4.5.2 | 4096495 | 4095519 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4096418 | 4096237 |
| Windows Server 2008 | Catalog 4099636 | Catalog 4099640 |
| .NET Framework 2.0, 3.0 | 4095873 | 4095513 |
| .NET Framework 4.5.2 | 4096495 | 4095519 |
| .NET Framework 4.6 | 4096418 | 4096237 |

We are updating the following .NET Framework Docker images for today’s release:
Note: Look at the “Tags” view in each repository to see the updated Docker image tags.
Previous Monthly Rollups
The last few .NET Framework Monthly updates are listed below for your convenience:
- February 2018 Security and Quality Rollup
- January 2018 Preview of Quality Rollup
- January 2018 Security and Quality Rollup
- November 2017 Security and Quality Rollup