Microsoft Asp.Net MVC Security Update MS14-059 broke my build!

miguel

Microsoft just released a new security update to be automatically applied to machines configured to use Microsoft Update.  The security bulletin is available here: https://technet.microsoft.com/en-us/library/security/ms14-059

Unfortunately, some ASP.NET MVC 3 and 4 VS projects can no longer build after the update is applied. These projects will fail with the following error:

 Could not locate the assembly “System.Web.Mvc,Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35,processorArchitecture=MSIL”.

This happens when your project references assemblies from the GAC or the Reference Assemblies folder. Project references to System.Web.Mvc.dll are no longer resolved because the assembly version of System.Web.Mvc.dll was incremented. 

The problem can be resolved by implemented one of the following solutions:

  1. (Preferred) Install Microsoft.AspNet.Mvc from the NuGet gallery (this will install a binding redirect in your web.config).  You can do this from the NuGet package manager or the NuGet console inside Visual Studio:

    >Install-Package Microsoft.AspNet.Mvc -Version <version> -Project PROJECTNAME

    MVC 4 version: 4.0.40804.0

    MVC 3 version: 3.0.50813.1

  2. Manually update the reference to System.Web.MVC.dll (don’t use the one in the GAC).

    Try the Add Reference -> Assemblies -> Extensions dialog box. 

In either case ensure that the Copy Local project property for the assembly is set to true so it ends up in your bin folder which is needed for deployment. There is a known NuGet bug that resets the Copy Local flag: https://nuget.codeplex.com/workitem/4344

For MVC projects built prior to VS 2012 references to MVC assemblies were added from either the GAC or the Assembly References folder.  Most recent MVC templates add references to assemblies installed via NuGet packages, this is why option No.1 above is preferred.  The NuGet gallery has become very popular.

As a side note, a similar issue may occur when creating a new MVC 3 project in Visual Studio 2010, this is documented in the security bulletin:

MVC 3.0 RTM is installed on my system and after installing the update I can no longer create a new project in Visual Studio 2010, how can I correct this? 
ASP.NET MVC 3.0 templates for Visual Studio 2010 rely on assemblies that are installed in the Reference Assemblies folder. Since the updated version of the assembly for MVC 3.0 is incremented, templates will no longer work. To solve this problem, install the MVC 3.0.1 tooling refresh for Visual Studio 2010. 

Finally, the decision to increment the assembly version was to secure those applications that were deployed on servers owned by third parties, in this case the vulnerable assembly may be in the GAC. In order to ensure the application runs the secure assembly, the assembly version had to be incremented.

Some ASP.NET MVC 5 projects may also be affected by a somewhat related issue.  When you run your application within Visual Studio it might fail with an error that looks like the following:

  Compiler Error Message: CS0234: The type or namespace name ‘Ajax’ does not exist in the namespace ‘System.Web.Mvc’ (are you missing an assembly reference?)

This is because the assembly Copy Local flag has been reset most likely due to the NuGet bug mentioned previously.

A variation of this problem, affecting all versions of MVC, is that your assembly is no longer deployed with your application from within Visual Studio.  Visual Studio sets the Copy Local flag to false by default when the assembly is installed in the GAC, for reference see these MSDN articles:

http://msdn.microsoft.com/en-us/library/vstudio/vslangproj.reference.copylocal.aspx and http://msdn.microsoft.com/en-us/library/ez524kew%28VS.80%29.aspx.

Manually setting the Copy Local flag to true fixes these issues.

Another problem affecting MVC 4 applications can generate an error that looks like the following:

  Could not load file or assembly ‘Newtonsoft.Json, Version=4.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed’ or one of its dependencies.

This is not a build-specific issue and happens because the MVC assemblies are now installed in the GAC, the Newtonsoft.Json.dll assembly can no longer be resolved; copying the assembly to the application’s probing path (bin or equivalent folder) resolves this problem.  You can get Newtonsoft.Json 4.5.6 from the NuGet gallery.

 If your application does not have any custom logic for loading assemblies it is likely it is running a pre-release version of MVC which did not have a dependency on Newtonsoft.Json; in this case you are strongly advised to upgrade your application to a supported release of MVC.

 

0 comments

Discussion is closed.

Feedback usabilla icon