The .NET team released a security bulletin today as part of the monthly “patch Tuesday” cycle.
Microsoft Security Bulletin MS14-057 - Critical, Vulnerabilities in the .NET Framework could allow remote code execution (3000414)
This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request containing international characters to a .NET web application. The security update further resolves an Elevation of Privilege vulnerability in the ClickOnce deployment service. While this patch fixes this service, there is a call for action for developers using Managed Distributed Component Object Model (a .NET wrapped around DCOM) to take immediate action to ensure their applications are secure. Further details on this topic is covered in this security blog. Finally the security update resolves a security bypass issue by helping to ensure that affected versions of Microsoft .NET Framework properly implement the ASLR security feature.
This security update is rated Critical for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows.
More details about the versions affected by this vulnerability can be found in the security bulletin MS14-057.
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support