{"id":10365,"date":"2017-05-09T15:51:24","date_gmt":"2017-05-09T22:51:24","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/dotnet\/?p=10365"},"modified":"2021-09-30T10:10:55","modified_gmt":"2021-09-30T17:10:55","slug":"net-framework-may-2017-monthly-rollup","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/net-framework-may-2017-monthly-rollup\/","title":{"rendered":".NET Framework May 2017 Security and Quality Rollup"},"content":{"rendered":"

Last Updated (2015\/05\/31)<\/strong><\/p>\n

<\/strong><\/p>\n

Today, we are releasing a new Security and Quality Rollup and Security Only Update for the .NET Framework.<\/p>\n

Please see .NET Core May 2017 Updates<\/a> for the .NET Core updates being released today.<\/p>\n

<\/a>Security<\/h2>\n

Microsoft Common Vulnerabilities and Exposures CVE-2017-0248<\/strong><\/p>\n

A security feature bypass vulnerability exists when Microsoft .NET Framework (and .NET Core) components do not completely validate certificates.<\/p>\n

An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage extensions.<\/p>\n

The security update addresses the vulnerability by helping to ensure that .NET Framework (and .NET Core) components completely validate certificates.<\/p>\n

To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0248<\/a>.<\/p>\n

This update also contains security-enhancing fixes to the Windows Presentation Framework PackageDigitalSignatureManager component’s ability to sign packages with the SHA256 hash algorithm.<\/p>\n

<\/a>Quality and Reliability<\/h2>\n

There are no quality and reliability changes this month.<\/p>\n

<\/a>Getting the Update<\/h2>\n

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services and Microsoft Update Catalog. The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog. The Windows 10 updates<\/a> are integrated with the Windows 10 Monthly Update.<\/p>\n

Docker Images<\/h3>\n

The Windows ServerCore<\/a> and .NET Framework<\/a> Docker images have also been updated. Pulling the latest image will update your local Docker image cache.<\/p>\n

Downloading KBs from Microsoft Update Catalog<\/h3>\n

You can learn more about the releases from the table below.\u00a0See\u00a0<\/span>.NET Framework Monthly Rollups Explained<\/a>\u00a0for an explanation on how to use this table to download patches from Microsoft Update Catalog.<\/span><\/p>\n\n\n\n\n\n<\/tr>\n\n\n\n<\/tr>\n\n\n\n<\/tr>\n\n\n\n<\/tr>\n\n\n\n<\/tr>\n\n\n\n\n\n<\/tr>\n\n\n\n\n\n<\/tr>\n\n\n\n\n\n<\/tr>\n\n\n\n
Product Version<\/th>\nSecurity and Quality Rollup KB<\/th>\nSecurity Rollup KB<\/th>\n<\/tr>\n<\/thead>\n
Windows 10 Creators Update<\/strong><\/td>\nCatalog<\/a>\n4016871<\/a><\/strong><\/td>\nN\/A<\/td>\n<\/tr>\n
.NET Framework 4.7<\/td>\n4016871<\/a><\/td>\n<\/td>\n<\/tr>\n
.NET Framework 3.5<\/td>\n4016871<\/a><\/td>\n<\/td>\n<\/tr>\n
Windows 10 Anniversary Update\nWindows Server 2016<\/strong><\/td>\nCatalog<\/a>\n4019472<\/a><\/strong><\/td>\nN\/A<\/td>\n<\/tr>\n
.NET Framework 4.6.2<\/td>\n4019472<\/a><\/td>\n<\/td>\n<\/tr>\n
.NET Framework 3.5<\/td>\n4019472<\/a><\/td>\n<\/td>\n<\/tr>\n
Windows 10 1511<\/strong><\/td>\nCatalog<\/a>\n4019473<\/a><\/strong><\/td>\nN\/A<\/td>\n<\/tr>\n
.NET Framework 4.6.1<\/td>\n4019473<\/a><\/td>\n<\/td>\n<\/tr>\n
.NET Framework 3.5<\/td>\n4019473<\/a><\/td>\n<\/td>\n<\/tr>\n
Windows 10 1507<\/strong><\/td>\nCatalog<\/a>\n4019474<\/a><\/strong><\/td>\nN\/A<\/td>\n<\/tr>\n
.NET Framework 4.6<\/td>\n4019474<\/a><\/td>\n<\/td>\n<\/tr>\n
.NET Framework 3.5<\/td>\n4019474<\/a><\/td>\n<\/td>\n<\/tr>\n
Windows 8.1\nWindows Server 2012 R2<\/strong><\/td>\nCatalog<\/a>\n4019114<\/a><\/strong><\/td>\nCatalog<\/a>\n4019111<\/a><\/strong><\/td>\n<\/tr>\n
.NET Framework 4.6.2<\/td>\n4014507<\/a><\/td>\n4014587<\/a><\/td>\n<\/tr>\n
.NET Framework 4.6, 4.6.1<\/td>\n4014510<\/a><\/td>\n4014590<\/a><\/td>\n<\/tr>\n
.NET Framework 4.5.2<\/td>\n4014512<\/a><\/td>\n4014595<\/a><\/td>\n<\/tr>\n
.NET Framework 3.5<\/td>\n4014505<\/a><\/td>\n4014581<\/a><\/td>\n<\/tr>\n
Windows Server 2012<\/strong><\/td>\nCatalog<\/a>\n4019113<\/a><\/strong><\/td>\nCatalog<\/a>\n4019110<\/a><\/strong><\/td>\n<\/tr>\n
.NET Framework 4.6.2<\/td>\n4014506<\/a><\/td>\n4014586<\/a><\/td>\n<\/tr>\n
.NET Framework 4.6, 4.6.1<\/td>\n4014509<\/a><\/td>\n4014589<\/a><\/td>\n<\/tr>\n
.NET Framework 4.5.2<\/td>\n4014513<\/a><\/td>\n4014597<\/a><\/td>\n<\/tr>\n
.NET Framework 3.5<\/td>\n4014503<\/a><\/td>\n4014577<\/a><\/td>\n<\/tr>\n
Windows 7\nWindows Server 2008 R2<\/strong><\/td>\nCatalog<\/a>\n4019112<\/a><\/strong><\/td>\nCatalog<\/a>\n4019108<\/a><\/strong><\/td>\n<\/tr>\n
.NET Framework 4.6.2<\/td>\n4014508<\/a><\/td>\n4014588<\/a><\/td>\n<\/tr>\n
.NET Framework 4.6, 4.6.1<\/td>\n4014511<\/a><\/td>\n4014591<\/a><\/td>\n<\/tr>\n
.NET Framework 4.5.2<\/td>\n4014514<\/a><\/td>\n4014599<\/a><\/td>\n<\/tr>\n
.NET Framework 3.5.1<\/td>\n4014504<\/a><\/td>\n4014579<\/a><\/td>\n<\/tr>\n
Windows Server 2008<\/strong><\/td>\nCatalog<\/a>\n4019115<\/a><\/strong><\/td>\nCatalog<\/a>\n4019109<\/a><\/strong><\/td>\n<\/tr>\n
.NET Framework 4.6<\/td>\n4014511<\/a><\/td>\n4014591<\/a><\/td>\n<\/tr>\n
.NET Framework 4.5.2<\/td>\n4014514<\/a><\/td>\n4014599<\/a><\/td>\n<\/tr>\n
.NET Framework 2.0<\/td>\n4014502<\/a><\/td>\n4014575<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/a>Known Issue with the May 2017 Update<\/h3>\n

The May 2017 Update includes incorrect patch metadata that can cause the Microsoft Baseline Security Analyzer (MBSA)<\/a>\u00a0or Windows Update to report that the May 2017 Update (or parts of it) is missing.<\/p>\n

This issue will be fixed automatically with an update to Windows Update patch metadata. No\u00a0action will be required on your part. This post will be updated when that happens.<\/del><\/p>\n

This issue has now been fixed. If the\u00a0Security and Quality Rollup is installed and you re-run the MBSA tool, you should see that all updates are installed — none are reported missing.<\/p>\n

In the case that you have installed the Security-only Update and not the Security and Quality Rollup,\u00a0the MBSA tool will report that updates are missing. This is by design. For an explanation, see\u00a0More on Windows 7 and Windows 8.1 servicing changes<\/a> and in particular the section titled “What\u2019s expected if you deploy both updates?”.<\/p>\n

<\/a>Known Issue with the April 2017 Update<\/h3>\n

The April 2017 Monthly Update<\/a> contained a bug that caused the PowerShell Stop-Computer command to stop correctly functioning<\/a>. This bug has since been fixed. You can get the fix in the following ways:<\/p>\n

Using Windows 10<\/strong><\/p>\n