The .NET team released a security bulletin and a security advisory today as part of the monthly “patch Tuesday” cycle.
This update resolves a privately reported vulnerability in the Microsoft .NET Framework that could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that has the .NET Framework Remoting feature enabled.
This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, and Microsoft .NET Framework 4.5.1 on affected editions of Microsoft Windows.
More details about the versions affected by this vulnerability can be found in the security bulletin MS14-026.
Microsoft is announcing the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
Microsoft recommends that customers download and test the updates, then deploy them in their environments as soon as possible. Please see the Suggested Actions section of this advisory for more information.
This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1 and Microsoft .NET Framework 4.5.2 on affected editions of Microsoft Windows.
Due to new behavior that restricts the unsecured RC4 cipher, the updates addressed in this advisory are being provided via the Microsoft Download Center and Microsoft Update Catalog only. The updates are not being provided via Windows Update in order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.
More details about the versions affected by this vulnerability can be found in Microsoft Security Advisory 2960358.
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support