.NET Framework February 2019 Security and Quality Rollup

This post has been republished via RSS; it originally appeared at: MSDN Blogs.

Yesterday, we released the February 2019 Security and Quality Rollup.

Security

CVE-2019-0613 – Remote Code Execution Vulnerability

This security update resolves a vulnerability in .NET Framework software if the software does not check the source markup of a file. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on by using administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who have administrative user rights.

CVE-2019-0657 – Domain Spoofing Vulnerability

This security update resolves a vulnerability in certain .NET Framework APIs that parse URLs. An attacker who successfully exploits this vulnerability could use it to bypass security logic that's intended to make sure that a user-provided URL belonged to a specific host name or a subdomain of that host name. This could be used to cause privileged communication to be made to an untrusted service as if it were a trusted service.

CVE-2019-0657

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

The following table is for Windows 10 and Windows Server 2016+ versions.

Product Version	Security and Quality Rollup KB
Windows 10 1809 (October 2018 Update) Windows Server 2019	Catalog 4483452
.NET Framework 3.5, 4.7.2	4483452
Windows 10 1803 (April 2018 Update)	Catalog 4487017
.NET Framework 3.5, 4.7.2	4487017
Windows 10 1709 (Fall Creators Update)	Catalog 4486996
.NET Framework 3.5, 4.7.1, 4.7.2	4486996
Windows 10 1703 (Creators Update)	Catalog 4487020
.NET Framework 3.5, 4.7, 4.7.1, 4.7.2	4487020
Windows 10 1607 (Anniversary Update) Windows Server 2016	Catalog 4487026
.NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2	4487026
Windows 10 1507	Catalog 4487018
.NET Framework 3.5, 4.6, 4.6.1, 4.6.2	4487018

The following table is for earlier Windows and Windows Server versions.

Product Version	Security and Quality Rollup KB	Security Only Update KB
Windows 8.1 Windows RT 8.1 Windows Server 2012 R2	Catalog 4487080	Catalog 4487124
.NET Framework 3.5	Catalog 4483459	Catalog 4483484
.NET Framework 4.5.2	Catalog 4483453	Catalog 4483472
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2	Catalog 4483450	Catalog 4483469
Windows Server 2012	Catalog 4487079	Catalog 4487122
.NET Framework 3.5	Catalog 4483456	Catalog 4483481
.NET Framework 4.5.2	Catalog 4483454	Catalog 4483473
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2	Catalog 4483449	Catalog 4483468
Windows 7 SP1 Windows Server 2008 R2 SP1	Catalog 4487078	Catalog 4487121
.NET Framework 3.5.1	Catalog 4483458	Catalog 4483483
.NET Framework 4.5.2	Catalog 4483455	Catalog 4483474
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2	Catalog 4483451	Catalog 4483470
Windows Server 2008	Catalog 4487081	Catalog 4487124
.NET Framework 2.0, 3.0	Catalog 4483457	Catalog 4483482
.NET Framework 4.5.2	Catalog 4483455	Catalog 4483474
.NET Framework 4.6	Catalog 4483451	Catalog 4483470

Docker Images

We are updating the following .NET Framework Docker images for today's release:

Note: Look at the "Tags" view in each repository to see the updated Docker image tags.

Note: Significant changes have been made with Docker images recently. Please look at .NET Docker Announcements for more information.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience: