Today, we are releasing the .NET for UWP January 2018 Update.
This post describes the fix included in the update and explains how to update your applications.
CVE-2018-0786 – Security Feature Bypass in X509 Certificate Validation
Microsoft is aware of a security vulnerability in the public versions of .NET Core in which an attacker could present a certificate that is marked invalid for a specific use, and a component would nonetheless use it for that purpose. In doing so, the component disregards the certificate's Enhanced Key Usage (EKU) tagging.
The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.
Getting the Update
.NET for UWP fixes are released differently than .NET Framework. While .NET Framework fixes are released via Windows Update, .NET for UWP requires that applications be re-processed by the .NET native compiler to incorporate the fixes and the re-processed version needs to be distributed via the Windows Store.
We recommend that you update your .NET UWP apps to use the latest minor version of the Microsoft.NETCore.UniversalWindowsPlatform NuGet package so that you can build and verify that your app works as expected when updated. If you are using version 6.0.x, you should update to 6.0.6 and if you’re using 5.2.x, you can update to 5.2.4. Of course, you can update to a higher major version too, but we are distributing security updates for all impacted major versions (currently 5.2.x, 5.3.x, 5.4.x and 6.0.x). Additionally, whether or not you update your NuGet packages, all applications submitted to the store after today will be automatically fixed during submission processing.
If you do not update your app in the Store, it will automatically be reprocessed and distributed via an application update in the next few weeks. Users who have automatic app updates enabled will get the fix with no intervention from you or from them. Because updated apps are distributed through the Windows Store, sideloaded apps will not be automatically updated. We recommend that developers who distribute sideloaded apps update the affected NuGet packages, rebuild their applications and distribute them to their users.
Microsoft is committed to keeping UWP applications secure and to supporting developers. If you have feedback on the fix distribution process, please let us know at firstname.lastname@example.org.
Updated NuGet packages
| NuGet packages impacted | NuGet packages to update to |
|---|---|
| Microsoft.NETCore.UniversalWindowsPlatform 5.2.* (contains .NET native 1.4.*) | Microsoft.NETCore.UniversalWindowsPlatform 5.2.4 |
| Microsoft.NETCore.UniversalWindowsPlatform 5.3.* (contains .NET native 1.6.*) | Microsoft.NETCore.UniversalWindowsPlatform 5.3.5 |
| Microsoft.NETCore.UniversalWindowsPlatform 5.4.* (contains .NET native 1.7.*) | Microsoft.NETCore.UniversalWindowsPlatform 5.4.2 |
| Microsoft.NETCore.UniversalWindowsPlatform 6.0.* (contains .NET native 2.0.*) | Microsoft.NETCore.UniversalWindowsPlatform 6.0.6 |
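
For teams that must rebuild by hand (sideloaded apps in particular), the following added example, which is not Microsoft's code, checks a project file's Microsoft.NETCore.UniversalWindowsPlatform reference against the table above. The function names, status strings and sample project contents are constructed for illustration; it assumes the package is referenced either in `project.json` or as a `PackageReference` in the `.csproj`.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.NETCore.UniversalWindowsPlatform"
# Fixed version per impacted release line, copied from the table in this post.
FIXED = {(5, 2): (5, 2, 4), (5, 3): (5, 3, 5), (5, 4): (5, 4, 2), (6, 0): (6, 0, 6)}
# Constructed sample inputs, not taken from a real project.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><PackageReference Include="Microsoft.NETCore.UniversalWindowsPlatform">
    <Version>6.0.5</Version></PackageReference></ItemGroup>
</Project>"""
SAMPLE_JSON = '{"dependencies": {"Microsoft.NETCore.UniversalWindowsPlatform": "5.2.4"}}'

def local(tag):  # strip the MSBuild XML namespace from an element tag
    return tag.rsplit("}", 1)[-1]

def referenced_version(name, content):
    """Return the package version string a .csproj or project.json references."""
    if name.endswith(".json"):
        value = json.loads(content).get("dependencies", {}).get(PACKAGE)
        return value.get("version") if isinstance(value, dict) else value
    for elem in ET.fromstring(content).iter():
        if local(elem.tag) == "PackageReference" and elem.get("Include") == PACKAGE:
            if elem.get("Version"):  # attribute form
                return elem.get("Version")
            for child in elem:  # child-element form
                if local(child.tag) == "Version":
                    return child.text
    return None

def audit(name, content):
    """Classify one project file as (status, referenced version, fixed version)."""
    raw = referenced_version(name, content)
    if raw is None:
        return ("not-referenced", None, None)
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", raw.strip())
    if m is None:
        return ("review-manually", raw, None)  # floating or range version
    version = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return ("not-listed", raw, None)  # release line absent from the table
    status = "needs-update" if version < fixed else "fixed"
    return (status, raw, ".".join(map(str, fixed)))

if __name__ == "__main__":
    for name, content in (("App.csproj", SAMPLE_CSPROJ), ("project.json", SAMPLE_JSON)):
        print(name, audit(name, content))
```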