.NET Framework May 2018 Security and Quality Rollup

Richard

Today, we are releasing the May 2018 Security and Quality Rollup.

Security

CVE-2018-1039 – Windows Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program. The update addresses the vulnerability by correcting how Windows validates User Mode Code Integrity policies.

CVE-2018-1039

CVE-2018-0765 – .NET and .NET Core Denial Of Service Vulnerability

A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET (or .NET Core) application.

The update addresses the vulnerability by correcting how .NET and .NET Core applications handle XML document processing.

CVE-2018-0765

Quality and Reliability

This release contains the following quality and reliability improvements.

CLR

  • Floating-point overflow in the thread pool’s hill climbing algorithm. [569602]
  • High CPU usage in a kernel lock (ntoskrnl!ExpWaitForSpinLockExclusiveAndAcquire, called by ntoskrnl!KiPageFault) is resolved by using a CLR-implemented write watch instead. [568318]

Note: Additional information on these improvements is not available. The VSTS bug number provided with each improvement is a unique ID that you can give Microsoft Customer Support, include in StackOverflow comments or use in web searches.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

The following table is for Windows 10 and Windows Server 2016+.

| Product Version | Security and Quality Rollup KB |
|---|---|
| Windows 10 1803 (April 2018 Update) | Catalog 4103721 |
| .NET Framework 3.5 | 4103721 |
| .NET Framework 4.7.2 | 4103721 |
| Windows 10 1709 (Fall Creators Update) | Catalog 4103727 |
| .NET Framework 3.5 | 4103727 |
| .NET Framework 4.7.1 | 4103727 |
| Windows 10 1703 (Creators Update) | Catalog 4103731 |
| .NET Framework 3.5 | 4103731 |
| .NET Framework 4.7, 4.7.1 | 4103731 |
| Windows 10 1607 (Anniversary Update), Windows Server 2016 | Catalog 4103723 |
| .NET Framework 3.5 | 4103723 |
| .NET Framework 4.6.2, 4.7, 4.7.1 | 4103723 |
| Windows 10 1507 | Catalog 4103716 |
| .NET Framework 3.5 | 4103716 |
| .NET Framework 4.6, 4.6.1, 4.6.2 | 4103716 |

The following table is for earlier Windows and Windows Server versions.

| Product Version | Security and Quality Rollup KB | Security Rollup KB |
|---|---|---|
| Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 | Catalog 4099635 | Catalog 4099639 |
| .NET Framework 3.5 | 4095875 | 4095515 |
| .NET Framework 4.5.2 | 4095876 | 4095517 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4096417 | 4096236 |
| Windows Server 2012 | Catalog 4099634 | Catalog 4099638 |
| .NET Framework 3.5 | 4095872 | 4095512 |
| .NET Framework 4.5.2 | 4096494 | 4095518 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4096416 | 4096235 |
| Windows 7, Windows Server 2008 R2 | Catalog 4099633 | Catalog 4099637 |
| .NET Framework 3.5.1 | 4095874 | 4095514 |
| .NET Framework 4.5.2 | 4096495 | 4095519 |
| .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 | 4096418 | 4096237 |
| Windows Server 2008 | Catalog 4099636 | Catalog 4099640 |
| .NET Framework 2.0, 3.0 | 4095873 | 4095513 |
| .NET Framework 4.5.2 | 4096495 | 4095519 |
| .NET Framework 4.6 | 4096418 | 4096237 |

Docker Images

We are updating the following .NET Framework Docker images for today’s release:

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Richard Lander

Program Manager, .NET Team
