.NET Framework January 2018 Security and Quality Rollup

Updated: January 22, 2018

Today, we are releasing the January 2018 Security and Quality Rollup.

An issue with the January 2018 Monthly Rollup was found on Windows 7 and Windows Server 2008 R2 if .NET Framework 4.7.1 was already installed. It has been resolved. The download links for these Windows versions have been updated in the table below. See .NET Framework January 2018 Rollup Known Issue KB4074906 – “TypeInitializationException” or “FileFormatException” error in WPF applications for more information for more information.

See .NET Framework 4.7.1 is available on Windows Update, WSUS and MU Catalog! for separately available reliability updates for the .NET Framework 4.7.1.

Security

CVE-2018-0786 – Security Feature Bypass in X509 Certificate Validation

CVE-2018-0786 – A security feature bypass vulnerability exists when Microsoft .NET Framework (and .NET Core) components do not completely validate certificates.

An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage taggings.

The security update addresses the vulnerability by helping to ensure that .NET Framework (and .NET Core) components completely validate certificates.

CVE-2018-0764 – Denial of Service when parsing XML documents

CVE-2018-0764 – A Denial of Service vulnerability exists when .NET Framework, and .NET core, improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET(or .NET core) application.

The update addresses the vulnerability by correcting how a .NET, and .NET core, applications handles XML document processing.

Quality and Reliability

This release contains no new quality and reliability improvements.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

Product Version Security and Quality Rollup KB Security Rollup KB
Windows 10 1709 (Fall Creators Update) Catalog
4056892
N/A
.NET Framework 3.5 4056892 N/A
.NET Framework 4.7.1 4056892 N/A
Windows 10 1703 (Creators Update) Catalog
4056891
N/A
.NET Framework 3.5 4056891 N/A
.NET Framework 4.7, 4.7.1 4056891 N/A
Windows 10 1607 (Anniversary Update) Catalog
4056890
N/A
.NET Framework 3.5 4056890 N/A
.NET Framework 4.6.2, 4.7 4056890 N/A
Windows 10 1511 Catalog
4056888
N/A
.NET Framework 3.5 4056888 N/A
.NET Framework 4.6.1, 4.6.2 4056888 N/A
Windows 10 1507 Catalog
4056893
N/A
.NET Framework 3.5 4056893 N/A
.NET Framework 4.6, 4.6.1, 4.6.2 4056893 N/A
Windows 8.1
Windows RT 8.1
Windows Server 2012 R2
Catalog
4055266
Catalog
4055271
.NET Framework 3.5 4054999 4054177
.NET Framework 4.5.2 4054993 4054170
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4055001 4054182
Windows Server 2012 Catalog
4055265
Catalog
4055270
.NET Framework 3.5 4054997 4054175
.NET Framework 4.5.2 4054994 4054171
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4055000 4054181
Windows 7
Windows Server 2008 R2
Catalog
4055532
Catalog
4055269
.NET Framework 3.5.1 4054998 4054176
.NET Framework 4.5.2 4054995 4054172
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4074880 4054183
Windows Server 2008 Catalog
4055267
Catalog
4055272
.NET Framework 2.0, 3.0 4054996 4054174
.NET Framework 4.5.2 4054995 4054172
.NET Framework 4.6 4055002 4054183

Known Issue

An issue has been found in the .NET Framework January 2018 Security and Quality Rollup (KB 4055002), applicable to .NET Framework 4.7.1 installed on either Windows 7 and Windows Server 2008 R2. The .NET team has fixed the issue and re-released the January 2018 Monthly Rollup as KB 4074880.

Microsoft has released a Fixit tool for KB4074906. It replaces the corrupted font file with the correct version.

  • Close any open running applications, particularly if you know that they use the .NET Framework.
  • Download and execute Fixit tool for KB4074906 from an Administrator command prompt (will prompt for Administrator permissions otherwise).
  • Re-launch your .NET Framework application(s) and note that the issue has been resolved.

Important Notes:

  • The Fixit tool is only meant to be used on affected systems. It will only complete the repair work on systems that match the applicability and symptoms described above.
  • If you are running the tool programmatically and/or want to check for success status via tool return codes, launch the tool as a new process and wait for it to terminate (e.g. “start /wait FixItTool-KB4074906.exe”). Depending on your systems management environment this may happen by default.

You can use the following commands to run the tool and determine the return code.

C:\KB4074906>start /wait FixItTool-KB4074906.exe
C:\KB4074906>echo %errorlevel%

The follow table lists the error codes that the tool outputs:

Case Code
Success 0
Copy Error 2
File in Use 33
Generic Error 1603
NotApplicable 20160

Docker ImagesSee .NET Framework January 2018 Rollup Known Issue KB4074906 – “TypeInitializationException” or “FileFormatException” error in WPF applications for more information.

Docker images have been updated as part of today’s release (actually, a few days ago).

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: Significant changes have been made with Docker images recently. Please look at .NET Docker Announcements for more information.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Other Updates: