Security Bulletin

Microsoft Security Bulletin MS10-070 - Important

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Published: September 28, 2010 | Updated: October 26, 2011

Version: 4.2

General Information

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
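The fix described above, signing everything that is encrypted, can be illustrated with a small encrypt-then-MAC routine. This is an added C# example, not ASP.NET's internal code and not part of the original bulletin; the blob layout and the names `SignedEncryption`, `Protect` and `TryUnprotect` are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: AES-CBC encryption followed by an HMAC over IV || ciphertext.
// Blob layout (an assumption of this example): IV (16) || ciphertext || HMAC-SHA256 tag (32).
static class SignedEncryption
{
    const int BlockLen = 16, TagLen = 32;

    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] iv = aes.IV;
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var blob = new byte[iv.Length + ct.Length + TagLen];
            Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
            Buffer.BlockCopy(ct, 0, blob, iv.Length, ct.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                // The signature covers the IV and the ciphertext, not the plaintext.
                byte[] tag = hmac.ComputeHash(blob, 0, iv.Length + ct.Length);
                Buffer.BlockCopy(tag, 0, blob, iv.Length + ct.Length, TagLen);
            }
            return blob;
        }
    }

    // Returns false for every rejected blob; the caller cannot tell why it was rejected.
    public static bool TryUnprotect(byte[] blob, byte[] encKey, byte[] macKey, out byte[] plaintext)
    {
        plaintext = new byte[0];
        if (blob == null || blob.Length < BlockLen + BlockLen + TagLen) return false;
        int bodyLen = blob.Length - TagLen;              // IV || ciphertext
        if ((bodyLen - BlockLen) % BlockLen != 0) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, bodyLen);

        // Compare the tags without an early exit, so timing does not depend on
        // how many leading bytes match.
        int diff = 0;
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) return false;                     // modified data never reaches the decryptor

        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            var iv = new byte[BlockLen];
            Buffer.BlockCopy(blob, 0, iv, 0, BlockLen);
            aes.IV = iv;
            try
            {
                using (var dec = aes.CreateDecryptor())
                    plaintext = dec.TransformFinalBlock(blob, BlockLen, bodyLen - BlockLen);
                return true;
            }
            catch (CryptographicException)
            {
                // Only reachable for data that carried a valid signature; reported
                // exactly like a signature failure.
                return false;
            }
        }
    }
}

static class Program
{
    static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
        }

        byte[] state = Encoding.UTF8.GetBytes("user=alice;role=reader"); // constructed sample data
        byte[] blob = SignedEncryption.Protect(state, encKey, macKey);

        byte[] recovered;
        bool ok = SignedEncryption.TryUnprotect(blob, encKey, macKey, out recovered);
        Console.WriteLine("untouched blob accepted: " + ok);

        byte[] modified = (byte[])blob.Clone();
        modified[20] ^= 0x01;                            // change one ciphertext byte
        bool accepted = SignedEncryption.TryUnprotect(modified, encKey, macKey, out recovered);
        Console.WriteLine("modified blob accepted: " + accepted);
    }
}
```

Because the signature is checked before any decryption takes place, a blob that was changed in transit is rejected with the same result regardless of what its padding would have looked like after decryption.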

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
Windows XP
Windows XP Service Pack 3 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447) | Information Disclosure | Important | MS10-041
Windows XP Service Pack 3 | Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2418241); Microsoft .NET Framework 3.5 (KB2416468); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows XP Professional x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447) | Information Disclosure | Important | MS10-041
Windows XP Professional x64 Edition Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2418241); Microsoft .NET Framework 3.5 (KB2416468); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2003
Windows Server 2003 Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416451); Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2418241); Microsoft .NET Framework 3.5 (KB2416468); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2003 x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447) | Information Disclosure | Important | MS10-041
Windows Server 2003 x64 Edition Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2418241); Microsoft .NET Framework 3.5 (KB2416468); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447) | Information Disclosure | Important | MS10-041
Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2418241); Microsoft .NET Framework 3.5 (KB2416468); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Vista
Windows Vista Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Vista Service Pack 1 | Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469); Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2416474) | Information Disclosure | Important | MS09-036
Windows Vista Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447); Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 (KB2416470); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Vista x64 Edition Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Vista x64 Edition Service Pack 1 | Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469); Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2416474) | Information Disclosure | Important | MS09-036
Windows Vista x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447); Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 (KB2416470); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008
Windows Server 2008 for 32-bit Systems | Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447); Microsoft .NET Framework 3.5** (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473); Microsoft .NET Framework 4.0**[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 for 32-bit Systems | Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5** (KB2416469); Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1** (KB2416474) | Information Disclosure | Important | MS09-036
Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447); Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1** (KB2416470); Microsoft .NET Framework 3.5** (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473); Microsoft .NET Framework 4.0**[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 for x64-based Systems | Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447); Microsoft .NET Framework 3.5** (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473); Microsoft .NET Framework 4.0**[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 for x64-based Systems | Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5** (KB2416469); Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1** (KB2416474) | Information Disclosure | Important | MS09-036
Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447); Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1** (KB2416470); Microsoft .NET Framework 3.5** (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473); Microsoft .NET Framework 4.0**[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 for Itanium-based Systems | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 for Itanium-based Systems | Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469); Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 (KB2416474) | Information Disclosure | Important | MS09-036
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447); Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 (KB2416470); Microsoft .NET Framework 3.5 (KB2418240); Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows 7
Windows 7 for 32-bit Systems | Microsoft .NET Framework 3.5.1 (KB2416471); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows 7 for x64-based Systems | Microsoft .NET Framework 3.5.1 (KB2416471); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems | Microsoft .NET Framework 3.5.1* (KB2416471); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.0*[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 R2 for Itanium-based Systems | Microsoft .NET Framework 3.5.1 (KB2416471); Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 4.0[1] (KB2416472) | Information Disclosure | Important | None

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

[1] .NET Framework 4.0 Client Profile not affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4.0 and .NET Framework 4.0 Client Profile. The .NET Framework 4.0 Client Profile is a subset of the .NET Framework 4.0. The vulnerability addressed in this update affects only the .NET Framework 4.0 and not the .NET Framework 4.0 Client Profile. For more information, see: Installing the .NET Framework.

Non-Affected Software

Operating System | Component
Microsoft .NET Framework 1.0 Service Pack 3
Windows XP Service Pack 3 | Microsoft .NET Framework 1.0 Service Pack 3 (Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 only)
Microsoft .NET Framework 3.5.1
Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 3.5.1
Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1

Why was this bulletin revised on February 22, 2011?
Microsoft revised this security bulletin to announce a detection change to offer the Microsoft .NET Framework 4.0 (KB2416472) update packages to systems running Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1. This detection change only applies to customers who install Microsoft .NET Framework 4.0 after installing Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, or Windows Server 2008 R2 for Itanium-based Systems Service Pack 1. Customers who have already successfully updated their systems do not need to take any action.

Why was this bulletin revised on December 14, 2010?
Microsoft revised this security bulletin to announce that new update packages are available for Microsoft .NET Framework 4.0 (KB2416472). These new packages correct an issue in the setup that could interfere with the successful installation of other updates. For customers who may have an installation of another product or update that may have been affected by this issue, please see Microsoft Knowledge Base Article 2473228 for additional information. Customers who have already successfully updated their systems do not need to take any action.

I have .NET Framework 3.0 Service Pack 2 installed; this version is not listed among the affected software in this bulletin. Do I need to install an update?
This bulletin describes a vulnerability in the .NET Framework 2.0 and the .NET Framework 3.5 feature layers. The .NET Framework 3.0 Service Pack 2 installer chains in the .NET Framework 2.0 Service Pack 2 setup, so installing the former also installs the latter. Therefore, customers who have .NET Framework 3.0 Service Pack 2 installed need to install security updates for .NET Framework 2.0 Service Pack 2.

I have .NET Framework 3.5 installed. Do I need to install any additional updates?
This bulletin describes a vulnerability in the .NET Framework 2.0 and the .NET Framework 3.5 feature layers. The .NET Framework 3.5 installer chains in both the .NET Framework 2.0 Service Pack 1 setup and the .NET Framework 3.0 Service Pack 1 setup. Therefore, customers who have .NET Framework 3.5 installed also need to install security updates for .NET Framework 2.0 Service Pack 1 in addition to the updates for .NET Framework 3.5.

To help determine if there are any additional versions of the .NET Framework installed on your system, see the FAQ entry, "How do I determine which version of the Microsoft .NET Framework is installed," later in this section.

I have .NET Framework 3.5 Service Pack 1 installed. Do I need to install any additional updates?
This bulletin describes a vulnerability in the .NET Framework 2.0 and the .NET Framework 3.5 feature layers. The .NET Framework 3.5 Service Pack 1 installer chains in both the .NET Framework 2.0 Service Pack 2 setup and the .NET Framework 3.0 Service Pack 2 setup. Therefore, customers who have .NET Framework 3.5 Service Pack 1 installed also need to install security updates for .NET Framework 2.0 Service Pack 2.

To help determine if there are any additional versions of the .NET Framework installed on your system, see the FAQ entry, "How do I determine which version of the Microsoft .NET Framework is installed," later in this section.

Why was this bulletin revised on September 30, 2010?
Microsoft revised this bulletin to announce that the updates are now available through all distribution channels, including Microsoft Update and Windows Update. Additionally, the following clarifications and corrections were also included in this revision:

  • Made the following corrections to the Affected Software table:
    • The bulletin description for update KB2418241 was corrected to include .NET Framework 3.5 Service Pack 1 on Windows XP and Windows Server 2003 systems. This was a bulletin change only. Customers who have successfully installed update KB2418241 do not need to reinstall. Customers running .NET Framework 3.5 Service Pack 1 on Windows XP or Windows Server 2003 systems who have not installed update KB2418241 should apply the update at the earliest opportunity, even if they have already applied update KB2416473 for .NET Framework 3.5 Service Pack 1. Customers should apply all updates offered for the software installed on their systems.
    • The bulletin description for update KB2416474 was corrected to include .NET Framework 3.5 Service Pack 1 on Windows Vista and Windows Server 2008 systems. This was a bulletin change only. Customers who have successfully installed update KB2416474 do not need to reinstall. Customers running .NET Framework 3.5 Service Pack 1 on Windows Vista or Windows Server 2008 systems who have not installed update KB2416474 should apply the update at the earliest opportunity, even if they have already applied update KB2416473 for .NET Framework 3.5 Service Pack 1. Customers should apply all updates offered for the software installed on their systems.
    • The bulletin description for update KB2416470 was corrected to include Microsoft .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista and Windows Server 2008 systems. This was a bulletin change only. Customers who have successfully installed update KB2416470 do not need to reinstall. Customers running .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista or Windows Server 2008 systems who have not installed update KB2416470 should apply the update at the earliest opportunity, even if they have already applied update KB2418240 for .NET Framework 3.5 and update KB2416473 for .NET Framework 3.5 Service Pack 1. Customers should apply all updates offered for the software installed on their systems.
    • Update KB2418240 was listed as an additional update for .NET Framework 3.5 for Windows XP, Windows Server 2003, Windows Vista Service Pack 1, and Windows Server 2008 systems. This was a bulletin change only. Customers who have successfully installed update KB2418240 do not need to reinstall. Customers running .NET Framework 3.5 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 systems who have not installed update KB2418240 should apply the update at the earliest opportunity, even if they have already applied a different update for .NET Framework 3.5. Customers should apply all updates offered for the software installed on their systems.
  • Added the FAQ, "How do I determine which version of the Microsoft .NET Framework is installed?" in this section.
  • Added the FAQ, "There are two updates listed for the version of the Microsoft .NET Framework installed on my system. Do I need to install both updates?" in this section.
  • Added the FAQ, "Do I need to install these security updates in a particular sequence?" in this section.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, please see Microsoft Knowledge Base Article 318785.

There are two updates listed for the version of the Microsoft .NET Framework installed on my system. Do I need to install both updates?
Yes. Customers should apply all updates offered for the software installed on their systems.

Do I need to install these security updates in a particular sequence?
No. Multiple updates for one version of the .NET Framework can be applied in any sequence. We recommend that multiple updates for different versions of the .NET Framework be applied in sequence from lowest version number to highest; however, that sequence isn't required.

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the September bulletin summary. For more information, see Microsoft Exploitability Index.

Affected Software | ASP.NET Padding Oracle Vulnerability - CVE-2010-3332 | Aggregate Severity Rating
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows XP Service Pack 3 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2003 Itanium-based Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Vista Service Pack 1 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Vista x64 Edition Service Pack 1 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for 32-bit Systems** | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for x64-based Systems** | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Service Pack 3 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 with SP2 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 when installed on Windows XP Service Pack 3 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Server 2003 Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Server 2003 with SP2 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for 32-bit Systems** | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for x64-based Systems** | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP Service Pack 3 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 with SP2 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems* | Important (Information Disclosure) | Important
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.0 on Windows XP Service Pack 3 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows XP Professional x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2003 Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2003 x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2003 with SP2 for Itanium-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Vista Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Vista x64 Edition Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2008 for 32-bit Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2008 for x64-based Systems Service Pack 2** | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2008 R2 for x64-based Systems | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2008 R2 for x64-based Systems Service Pack 1* | Important (Information Disclosure) | Important
Microsoft .NET Framework 4.0 on Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Important (Information Disclosure) | Important

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

ASP.NET Padding Oracle Vulnerability - CVE-2010-3332

An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3332.

Mitigating Factors for ASP.NET Padding Oracle Vulnerability - CVE-2010-3332

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

Workarounds for ASP.NET Padding Oracle Vulnerability - CVE-2010-3332

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Enable a UrlScan or Request Filtering rule, enable ASP.NET custom errors, and map all error codes to the same error page

    Enabling the customErrors feature of ASP.NET and explicitly configuring applications to always return the same error page, regardless of the error encountered on the server, can make it more difficult for an attacker using the current exploit to distinguish between the different types of errors that occur on a server.

    On systems using the .NET Framework version 3.5 Service Pack 1 and above, the workaround provides further protection by also helping to protect against the timing attack portion of the current exploit. The workaround uses the redirectMode="ResponseRewrite" option in the customErrors feature, and introduces a random delay in the error page. These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error.

    Additionally, this workaround requires blocking requests that specify the application error path on the querystring. This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator. If your system is running Internet Information Services (IIS) on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2, you can alternatively use the Request Filtering feature.

    Block requests that modify the ASP.NET application error path on the request querystring

    Using UrlScan:

    1. Download and install UrlScan 3.1. For further instructions on configuring and using UrlScan, see UrlScan 3 Reference.

    2. Modify UrlScan.ini (found in %windir%\system32\inetsrv\urlscan). Insert the following line under the [DenyQueryStringSequences] section of the Urlscan.ini file:

    aspxerrorpath=

    After you do so, the [DenyQueryStringSequences] section should look similar to this (additional lines in the section are okay and do not affect the workaround):

    [DenyQueryStringSequences]
    aspxerrorpath=
    
    3. Run iisreset from a command prompt while logged in as an administrator.

    Using IIS request filtering:

    These instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.

    1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manager by selecting the feature under Internet Information Services, World Wide Web Services, Security.

    2. Launch Internet Information Services (IIS) Manager.

    3. Select the server node in the left pane.

    4. Double-click Request Filtering.

    5. Select the Query Strings tab and click Deny Query String … in the Actions pane.

    6. Enter aspxerrorpath= in the dialog box and select OK.

    Alternatively, you can also use the following appcmd command to set this request querystring:

    appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence='aspxerrorpath=']

    For more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.

    Configure ASP.NET applications to use uniform custom errors

    In the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.

    If the ASP.NET application does not have a web.config file:

    On .NET Framework 3.5 and earlier

    1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

```
<configuration>
```
2. Create a text file named **error.html** containing a generic error message and save it in the root folder of the ASP.NET application.

3. Alternatively, you can rename error.html in the **web.config** file to point to an existing error page, but that page must display generic content, not context-specific content.

**On .NET Framework 3.5 Service Pack 1 and later**

1. Create a text file named **web.config** in the root folder of the ASP.NET application, and insert the following contents:

```
<configuration>
```
2. If you are comfortable using C#, we recommend using the following **ErrorPage.aspx** file:

```
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Sleep for a random 0-255 ms so response time does not reveal the error type.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // Dispose the generator on framework versions where it implements IDisposable.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
```

3. If you are comfortable using Visual Basic .NET, we recommend using the following **ErrorPage.aspx** file:

```
<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' Sleep for a random 0-255 ms so response time does not reveal the error type.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))

        ' Dispose the generator on framework versions where it implements IDisposable.
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
```

If the ASP.NET application already has a **web.config** file:

**On .NET Framework 3.5 RTM and earlier**

1. Insert the bracketed text in the sample below into your existing **web.config** file:

```
<?xml version='1.0' encoding='utf-8'?>
<configuration>
[<location allowOverride="false">
<system.web> </system.web>
</location>]

<system.web>
...
</system.web>

<system.codedom> ... </system.codedom>
</configuration>
```

2. Create a text file named **error.html** containing a generic error message and save it in the root folder of the ASP.NET application.

3. Alternatively, you can rename error.html in the **web.config** file to point to an existing error page, but that page must display generic content, not context-specific content.

**On .NET Framework 3.5 Service Pack 1 and later**

1. Insert the bracketed text in the sample below into your existing **web.config** file:

```
<?xml version='1.0' encoding='utf-8'?>
<configuration>
[<location allowOverride="false">
<system.web> </system.web>
</location>]

<system.web> ... </system.web>

<system.codedom> ... </system.codedom>
</configuration>
```

2. If you are comfortable using C#, we recommend using the following **ErrorPage.aspx** file:

```
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Sleep for a random 0-255 ms so response time does not reveal the error type.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // Dispose the generator on framework versions where it implements IDisposable.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
```
3. If you are comfortable using Visual Basic .NET, we recommend using the following **ErrorPage.aspx** file:

```
<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' Sleep for a random 0-255 ms so response time does not reveal the error type.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))

        ' Dispose the generator on framework versions where it implements IDisposable.
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
```

**Impact of Workaround:** If an error occurs during a Web transaction, the Web clients will see the same generic error message on the server, regardless of what error actually occurs. Additionally, any requests for Web pages which contain the string **aspxerrorpath=** in the querystring portion of the URL will be blocked, and an HTTP error message returned to the client.
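
The two halves of this workaround (uniform custom errors and the aspxerrorpath= block) can be checked mechanically across many applications. The following Python audit is an added example, not part of the bulletin or of any Microsoft tool. The function names, the finding codes, and the sample web.config and UrlScan.ini contents are constructed for illustration, including the attribute values shown in the samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a custom 404 page plus a default redirect. The FAQ in this
# bulletin says this is not enough, because a 404 stays distinguishable.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample in the shape the workaround describes for 3.5 SP1 and later.
UNIFORM_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>"""

# Constructed UrlScan.ini fragment.
URLSCAN_INI = """; rule added for the workaround
[DenyQueryStringSequences]
aspxerrorpath=
"""


def _children(parent, tag):
    return [child for child in parent if child.tag == tag]


def find_custom_errors(root):
    """Return (element, locked) pairs; locked means the element sits inside
    <location allowOverride="false"> and child web.config files cannot change it."""
    found = []
    for sw in _children(root, "system.web"):
        found += [(ce, False) for ce in _children(sw, "customErrors")]
    for loc in _children(root, "location"):
        locked = loc.get("allowOverride", "true").lower() == "false"
        for sw in _children(loc, "system.web"):
            found += [(ce, locked) for ce in _children(sw, "customErrors")]
    return found


def audit_custom_errors(config_xml, need_response_rewrite=True):
    """Return finding codes; an empty list means every check passed.

    need_response_rewrite: True for .NET Framework 3.5 SP1 and later.
    """
    nodes = find_custom_errors(ET.fromstring(config_xml))
    if not nodes:
        return ["no-customErrors"]
    findings = []
    for ce, locked in nodes:
        # RemoteOnly is the ASP.NET default when the attribute is absent.
        if ce.get("mode", "RemoteOnly").lower() == "off":
            findings.append("customErrors-off")
        default = (ce.get("defaultRedirect") or "").lower()
        if not default:
            findings.append("no-defaultRedirect")
        for err in _children(ce, "error"):
            # Any status code mapped to its own page breaks error homogenization.
            if (err.get("redirect") or "").lower() != default:
                findings.append("distinct-page-for-" + err.get("statusCode", "?"))
        if need_response_rewrite and ce.get("redirectMode") != "ResponseRewrite":
            findings.append("no-ResponseRewrite")
        if not locked:
            findings.append("overridable")
    return findings


def urlscan_blocks_errorpath(ini_text):
    """True if [DenyQueryStringSequences] lists aspxerrorpath=."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "denyquerystringsequences" and line.lower() == "aspxerrorpath=":
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("uniform", UNIFORM_CONFIG)):
        print(name, audit_custom_errors(cfg) or "ok")
    print("urlscan rule present:", urlscan_blocks_errorpath(URLSCAN_INI))
```

The random delay in the error page cannot be verified from configuration alone, so the error page itself still needs a manual review.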

FAQ for ASP.NET Padding Oracle Vulnerability - CVE-2010-3332

What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability would be able to read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

What causes the vulnerability?
The ASP.NET use of encryption padding provides information in error responses that can be used by an attacker to read and tamper with the encrypted data.

What is ASP.NET?
ASP.NET is a collection of technologies within the Microsoft .NET Framework that enable developers to build Web applications and XML Web Services.

Unlike traditional Web pages, which use a combination of static HTML and scripting, ASP.NET uses compiled, event-driven pages. Because ASP.NET is a Web-based application environment, requiring an underlying Web server to provide basic HTTP functionality, ASP.NET runs on top of Internet Information Services (IIS). For more information, see The Official Microsoft ASP.NET Site.

What is ASP.NET View State?
Microsoft ASP.NET View State is the technique used by an ASP.NET Web page to persist changes to the state of a Web Form across postbacks. The View State of a page is, by default, placed in a hidden form field named __VIEWSTATE. For more information on ASP.NET View State, see MSDN article, Understanding ASP.NET View State.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability would be able to read data, such as the view state, which was encrypted by the server. The attacker may then be able to read the contents of any file within the web site directory or subdirectories, such as web.config. The web.config file often stores sensitive information. The consequences of the disclosure of that information depend on the nature of the information itself.

An attacker who successfully exploited this vulnerability could also read data from files on the target server which exist in the website directory or subdirectories.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would send cipher text via a Web request to an affected server to determine whether the text was decrypted properly by examining the error code returned by the website. An attacker who made enough of these requests could learn enough information to read or tamper with the encrypted data.

What systems are primarily at risk from the vulnerability?
Web servers with ASP.NET installed are at risk from this vulnerability.

Am I vulnerable if I have a custom logging module that redirects to an error page instead of using the workaround listed below?
If the responses that are sent out from your custom logging module do not let the client distinguish between error responses, either through their content or through the time they take to be served, then such a module is an adequate replacement for the customErrors workaround. These responses include both the entire HTTP response and the HTTP error code. If any of the above is not true at all times, then this is not sufficient.

Can I create a custom 404 page and a default redirect for all other errors to help protect against this issue?
No. An attacker could still draw a distinction between a 404 error and other errors. Homogenizing errors is a crucial component to help protect against this attack.

Should I be concerned about this vulnerability if I don't store any sensitive information in my View State?
Yes. If you are storing sensitive information in any file in the web application, this vulnerability could be used to disclose the contents of that file to an attacker.

What are best practices to secure my data within the web.config file?
It is best practice to encrypt sensitive configuration data within web.config files. For detailed information on encrypting configuration sections, see MSDN article, Encrypting and Decrypting Configuration Sections.

Does this issue affect both ASP.NET Web Form and ASP.NET MVC Web applications?
Yes. The publicly disclosed exploit can be used against all types of ASP.NET applications, including both Web Forms and MVC. For additional information on ASP.NET MVC, see MSDN article, ASP.NET MVC Overview.

Are other applications built on the ASP.NET platform, such as SharePoint and Exchange, affected by this issue?
All applications that rely on the ASP.NET platform are affected by this issue. Administrators of these applications should follow the recommendations outlined in this advisory.

Will switching to Triple DES encryption instead of AES encryption help protect my ASP.NET application?
No. The cryptographic vulnerability being presented involves revealing cryptographic padding errors to a client for algorithms that use PKCS #7 padding. Since Triple DES shares this padding mode with AES, switching to Triple DES will not protect against this vulnerability.

What is Triple DES (3DES)?
Triple DES (3DES) is an implementation of Data Encryption Standard (DES) encryption that employs three iterations of cryptographic operations on each segment of data. Each iteration uses a 56-bit key for encryption, which yields 168-bit encryption for the data. Although 3DES is slower than DES because of the additional cryptographic calculations, its protection is far stronger than DES.

What is Advanced Encryption Standard (AES)?
Advanced Encryption Standard (AES) is a form of encryption that was adopted by the United States government in 2001. AES provides more secure encryption than its predecessor, Data Encryption Standard (DES).

What is PKCS #7 padding?
The Public Key Cryptography Standard (PKCS) #7 is a general syntax for data to which cryptography may be applied, such as digital signatures and encryption. It also provides a syntax for disseminating certificates or certificate revocation lists and other message attributes, such as time stamps, to the message. The PKCS #7 padding string consists of a sequence of bytes, each of which is equal to the total number of padding bytes added.

Does this issue affect Oracle database products?
No. The issue is not related to any database products. The word "oracle" in this case refers to a cryptographic term.

What does the update do?
The update addressed the vulnerability by signing all data that is encrypted by ASP.NET.
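
The PKCS #7 rule and the "sign everything that is encrypted" fix described in the answers above can be seen together in a small sketch. This is an added example, not ASP.NET's implementation: HMAC-SHA256, the function names and the keys are assumptions, and toy_cipher is a non-secure stand-in for AES or Triple DES so that the block runs with the Python standard library only. The point it shows is ordering: a modified ciphertext is rejected at the signature check, so the padding validator never runs on attacker-chosen input and every failure looks the same to the caller.

```python
import hashlib
import hmac

BLOCK = 16    # block size in bytes
TAG_LEN = 32  # HMAC-SHA256 output size


class InvalidToken(Exception):
    """Single error type for every failure, so callers cannot tell causes apart."""


def pkcs7_pad(data, block=BLOCK):
    n = block - len(data) % block  # always 1..block bytes, even on exact multiples
    return data + bytes([n]) * n


def pkcs7_unpad(padded, block=BLOCK):
    if not padded or len(padded) % block:
        raise ValueError("length")
    n = padded[-1]
    # Every padding byte must equal the number of padding bytes.
    if n < 1 or n > block or padded[-n:] != bytes([n]) * n:
        raise ValueError("padding")
    return padded[:-n]


def toy_cipher(data, key):
    # Stand-in for the real block cipher (assumption). XOR is NOT encryption.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def protect(plaintext, enc_key, mac_key):
    ciphertext = toy_cipher(pkcs7_pad(plaintext), enc_key)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unprotect(blob, enc_key, mac_key, trace=None):
    if len(blob) <= TAG_LEN:
        raise InvalidToken()
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise InvalidToken()  # rejected before any decryption or padding check
    if trace is not None:
        trace.append("padding-check")  # records that the padding validator ran
    try:
        return pkcs7_unpad(toy_cipher(ciphertext, enc_key))
    except ValueError:
        raise InvalidToken() from None


def flip_last_ciphertext_byte(blob):
    i = len(blob) - TAG_LEN - 1
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


if __name__ == "__main__":
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    blob = protect(b"viewstate=example", enc_key, mac_key)
    for name, candidate in (("intact", blob),
                            ("modified", flip_last_ciphertext_byte(blob))):
        trace = []
        try:
            unprotect(candidate, enc_key, mac_key, trace)
            outcome = "accepted"
        except InvalidToken:
            outcome = "rejected"
        print(name, outcome, "padding validator ran:", bool(trace))
```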

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2010-3332.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.

Update Information

Detection and Deployment Tools and Guidance

Manage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update and Windows Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, "MS07-036"), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft provides detection and deployment guidance for security updates. This guidance contains recommendations and information that can help IT professionals understand how to use various tools for detection and deployment of security updates. For more information, see Microsoft Knowledge Base Article 961747.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary for this security update.

Software MBSA
Windows XP Service Pack 3 Yes
Windows XP Professional x64 Edition Service Pack 2 Yes
Windows Server 2003 Service Pack 2 Yes
Windows Server 2003 x64 Edition Service Pack 2 Yes
Windows Server 2003 with SP2 for Itanium-based Systems Yes
Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Yes
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Yes
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Yes
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Yes
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Yes
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 Yes
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 Yes
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 Yes
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Yes

Note For customers using legacy software not supported by the latest release of MBSA, Microsoft Update, and Windows Server Update Services, please visit Microsoft Baseline Security Analyzer and reference the Legacy Product Support section on how to create comprehensive security update detection with legacy tools.

Windows Server Update Services

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. For more information about how to deploy security updates using Windows Server Update Services, see the TechNet article, Windows Server Update Services.

Systems Management Server

The following table provides the SMS detection and deployment summary for this security update.

Software SMS 2.0 SMS 2003 with SUIT SMS 2003 with ITMU Configuration Manager 2007
Windows XP Service Pack 3 No No Yes Yes
Windows XP Professional x64 Edition Service Pack 2 No No Yes Yes
Windows Server 2003 Service Pack 2 No No Yes Yes
Windows Server 2003 x64 Edition Service Pack 2 No No Yes Yes
Windows Server 2003 with SP2 for Itanium-based Systems No No Yes Yes
Windows Vista Service Pack 1 and Windows Vista Service Pack 2 No No Yes Yes
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 No No Yes Yes
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 No No Yes Yes
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 No No Yes Yes
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 No No Yes Yes
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 No No Yes Yes
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 No No Yes Yes
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 No No Yes Yes
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 No No Yes Yes

For SMS 2.0 and SMS 2003, the Security Update Inventory Tool (SUIT) can be used by SMS to detect security updates. See also Downloads for Systems Management Server 2.0.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. For more information about SMS scanning tools, see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Windows XP (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs: The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention:
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows XP 32-bit systems: NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP 32-bit systems: NDP20SP2-KB2418241-x86.exe /q
For Microsoft .NET Framework 3.5 on Windows XP 32-bit systems: NDP20SP1-KB2416468-x86.exe /q
For Microsoft .NET Framework 3.5 on Windows XP 32-bit systems: NDP35-KB2418240-x86.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP 32-bit systems: NDP35SP1-KB2416473-x86.exe /q
For Microsoft .NET Framework 4.0 on Windows XP 32-bit systems: NDP40-KB2416472-x86.exe /q
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP20SP2-KB2418241-x64.exe /q
For Microsoft .NET Framework 3.5 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP20SP1-KB2416468-x64.exe /q
For Microsoft .NET Framework 3.5 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP35-KB2418240-x64.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP35SP1-KB2416473-x64.exe /q
For Microsoft .NET Framework 4.0 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP40-KB2416472-x64.exe /q
Installing without restarting:
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows XP 32-bit systems: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP 32-bit systems: NDP20SP2-KB2418241-x86.exe /q /norestart
For Microsoft .NET Framework 3.5 on Windows XP 32-bit systems: NDP20SP1-KB2416468-x86.exe /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows XP 32-bit systems: NDP35-KB2418240-x86.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP 32-bit systems: NDP35SP1-KB2416473-x86.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows XP 32-bit systems: NDP40-KB2416472-x86.exe /q /norestart
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP20SP2-KB2418241-x64.exe /q /norestart
For Microsoft .NET Framework 3.5 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP20SP1-KB2416468-x64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP35-KB2418240-x64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP35SP1-KB2416473-x64.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows XP Professional Edition x64 Edition Service Pack 2: NDP40-KB2416472-x64.exe /q /norestart
Update log file:
For Microsoft .NET Framework 1.1 Service Pack 1:
NDP1.1SP1-KB2416447-x86-msi.0.log
NDP1.1SP1-KB2416447-x86-wrapper.log
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1:
Microsoft .NET Framework 2.0-KB2418241_-msi0.txt
Microsoft .NET Framework 2.0-KB2418241_.html
For Microsoft .NET Framework 3.5:
Microsoft .NET Framework 2.0-KB2416468_-msi0.txt
Microsoft .NET Framework 2.0-KB2416468_.html
Microsoft .NET Framework 2.0-KB 2418240 _-msi0.txt
Microsoft .NET Framework 2.0-KB 2418240 _.html
For Microsoft .NET Framework 3.5 Service Pack 1:
Microsoft .NET Framework 2.0-KB2416473_-msi0.txt
Microsoft .NET Framework 2.0-KB2416473_.html
For Microsoft .NET Framework 4.0:
Microsoft .NET Framework 2.0-KB2416472_-msi0.txt
Microsoft .NET Framework 2.0-KB2416472_.html
Further information: See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement
Restart required? In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable
Removal Information For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs tool in Control Panel.
File Information See Microsoft Knowledge Base Article 2418042
Registry Key Verification For Microsoft .NET Framework 1.1 Service Pack 1:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\M2416447\ "Installed" = dword:1
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2418241\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 3.5:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 1\SP1\KB2416468\ "ThisVersionInstalled" = "Y"\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.5\KB2418240\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 3.5 Service Pack 1:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.5 SP1\SP1\KB2416473\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4.0:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2416472\ "ThisVersionInstalled" = "Y"

Note For supported versions of Windows XP Professional x64 Edition, this security update is the same as the security update for supported versions of Windows Server 2003 x64 Edition.

Deployment Information

Installing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q[n|b|r|f] Sets user interface level
n - no UI
b - basic UI
r - reduced UI
f - full UI (default)
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

For more information about the installer, visit the MSDN Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Installing the Update for Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241), Microsoft .NET Framework 3.5 (KB2416468), Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473), and Microsoft .NET Framework 4.0 (KB2416472)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q Sets user interface level
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Note for Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241): When you install this security update, the installer checks whether the product or component being updated has previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the LDR (or QFE) version of the files to your system. Otherwise, the installer copies the GDR version of the files to your system. For more information about this behavior, see Microsoft Knowledge Base Article 960043.

Removing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q[n|b|r|f] Sets user interface level
n - no UI
b - basic UI
r - reduced UI
f - full UI (default)
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Removing the Update for Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241), Microsoft .NET Framework 3.5 (KB2416468), Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473), and Microsoft .NET Framework 4.0 (KB2416472)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q No user interface
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start, and then click Search.
    2. In the Search Results pane, click All files and folders under Search Companion.
    3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
    4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.

    These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.

Windows Server 2003 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 32-bit systems:\ WindowsServer2003-KB2416451-x86-ENU.exe /quiet
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 32-bit systems:\ NDP20SP2-KB2418241-x86.exe /q
For Microsoft .NET Framework 3.5 on Windows Server 2003 32-bit systems:\ NDP20SP1-KB2416468-x86.exe /q
For Microsoft .NET Framework 3.5 on Windows Server 2003 32-bit systems:\ NDP35-KB2418240-x86.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 32-bit systems:\ NDP35SP1-KB2416473-x86.exe /q
For Microsoft .NET Framework 4.0 on Windows Server 2003 32-bit systems:\ NDP40-KB2416472-x86.exe /q
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 x64-based systems:\ NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 x64-based systems:\ NDP20SP2-KB2418241-x64.exe /q
For Microsoft .NET Framework 3.5 on Windows Server 2003 x64-based systems:\ NDP20SP1-KB2416468-x64.exe /q
For Microsoft .NET Framework 3.5 on Windows Server 2003 x64-based systems:\ NDP35-KB2418240-x64.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 x64-based systems:\ NDP35SP1-KB2416473-x64.exe /q
For Microsoft .NET Framework 4.0 on Windows Server 2003 x64-based systems:\ NDP40-KB2416472-x64.exe /q
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Itanium-based systems:\ NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 Itanium-based systems:\ NDP20SP2-KB2418241-ia64 /q
For Microsoft .NET Framework 3.5 on Itanium-based systems:\ NDP20SP1-KB2416468-ia64 /q
For Microsoft .NET Framework 3.5 on Itanium-based systems:\ NDP35-KB2418240-ia64.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 Itanium-based systems:\ NDP35SP1-KB2416473-ia64 /q
For Microsoft .NET Framework 4.0 on Windows Server 2003 Itanium-based systems:\ NDP40-KB2416472-ia64 /q
Installing without restarting For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 32-bit systems:\ WindowsServer2003-KB2416451-x86-ENU.exe /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 32-bit systems:\ NDP20SP2-KB2418241-x86.exe /q /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2003 32-bit systems:\ NDP20SP1-KB2416468-x86.exe /q /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2003 32-bit systems:\ NDP35-KB2418240-x86.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 32-bit systems:\ NDP35SP1-KB2416473-x86.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Server 2003 32-bit systems:\ NDP40-KB2416472-x86.exe /q /norestart
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 x64-based systems:\ NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 x64-based systems:\ NDP20SP2-KB2418241-x64.exe /q /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2003 x64-based systems:\ NDP20SP1-KB2416468-x64.exe /q /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2003 x64-based systems:\ NDP35-KB2418240-x64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 x64-based systems:\ NDP35SP1-KB2416473-x64.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Server 2003 x64-based systems:\ NDP40-KB2416472-x64.exe /q /norestart
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Itanium-based systems:\ NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 Itanium-based systems:\ NDP20SP2-KB2418241-ia64 /q /norestart
For Microsoft .NET Framework 3.5 on Itanium-based systems:\ NDP20SP1-KB2416468-ia64 /q /norestart
For Microsoft .NET Framework 3.5 on Itanium-based systems:\ NDP35-KB2418240-ia64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2003 Itanium-based systems:\ NDP35SP1-KB2416473-ia64 /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Server 2003 Itanium-based systems:\ NDP40-KB2416472-ia64 /q /norestart
Update log file For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 32-bit systems:\ KB2416451.log
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 x64 and Itanium-based systems:\ NDP1.1SP1-KB2416447-x86-msi.0.log\ NDP1.1SP1-KB2416447-x86-wrapper.log
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1:\ Microsoft .NET Framework 2.0-KB2418241_-msi0.txt\ Microsoft .NET Framework 2.0-KB2418241_.html
For Microsoft .NET Framework 3.5:\ Microsoft .NET Framework 2.0-KB2416468_-msi0.txt\ Microsoft .NET Framework 2.0-KB2416468_.html Microsoft .NET Framework 2.0-KB 2418240 _-msi0.txt\ Microsoft .NET Framework 2.0-KB 2418240 _.html
For Microsoft .NET Framework 3.5 Service Pack 1:\ Microsoft .NET Framework 2.0-KB2416473_-msi0.txt\ Microsoft .NET Framework 2.0-KB2416473_.html
For Microsoft .NET Framework 4.0:\ Microsoft .NET Framework 2.0-KB2416472_-msi0.txt\ Microsoft .NET Framework 2.0-KB2416472_.html
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement
Restart required? In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching This security update does not support HotPatching. For more information about HotPatching, see Microsoft Knowledge Base Article 897341.
Removal Information For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 32-bit systems, use the Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the %Windir%\$NTUninstallKB2416451$\Spuninst folder.
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 x64-based systems and Windows Server 2003 Itanium-based systems, use the Add or Remove Programs tool in Control Panel.
For Microsoft .NET Framework 3.5 and Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1, use the Add or Remove Programs tool in Control Panel.
File Information See Microsoft Knowledge Base Article 2418042
Registry Key Verification For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 32-bit systems:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2416451\Filelist
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 x64 and Itanium-based systems:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\M2416447\ "Installed" = dword:1
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2418241\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 3.5:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 1\SP1\KB2416468\ "ThisVersionInstalled" = "Y"\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.5\KB2418240\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 3.5 Service Pack 1:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.5 SP1\SP1\KB2416473\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4.0:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2416472\ "ThisVersionInstalled" = "Y"

Deployment Information

Installing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416451)

This security update supports the following setup switches.

Switch Description
/help Displays the command-line options.
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart.
Special Options
/overwriteoem Overwrites OEM files without prompting.
/nobackup Does not back up files needed for uninstall.
/forceappsclose Forces other programs to close when the computer shuts down.
/log:path Allows the redirection of installation log files.
/integrate:path Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path] Extracts files without starting the Setup program.
/ER Enables extended error reporting.
/verbose Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Installing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q[n|b|r|f] Sets user interface level
n - no UI
b - basic UI
r - reduced UI
f - full UI (default)
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

For more information about the installer, visit the MSDN Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Installing the Update for Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241), Microsoft .NET Framework 3.5 (KB2416468), Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473), and Microsoft .NET Framework 4.0 (KB2416472)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q No user interface
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Note for Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241): When you install this security update, the installer checks whether the product or component being updated has previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the LDR (or QFE) version of the files to your system. Otherwise, the installer copies the GDR version of the files to your system. For more information about this behavior, see Microsoft Knowledge Base Article 960043.

For more information about the installer, visit the MSDN Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Removing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416451)

This security update supports the following setup switches.

Switch Description
/help Displays the command-line options.
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart.
Special Options
/forceappsclose Forces other programs to close when the computer shuts down.
/log:path Allows the redirection of installation log files.

Removing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q[n|b|r|f] Sets user interface level
n - no UI
b - basic UI
r - reduced UI
f - full UI (default)
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Removing the Update for Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241), Microsoft .NET Framework 3.5 (KB2416468), Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473), and Microsoft .NET Framework 4.0 (KB2416472)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
/q No user interface
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start, and then click Search.
    2. In the Search Results pane, click All files and folders under Search Companion.
    3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
    4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.

    These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.
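The registry check described above can be scripted across servers. The following PowerShell is an added example, not part of the bulletin: the key paths and expected values are taken from the Windows Server 2003 Reference Table in this section, while the function name, variable names and state labels are illustrative.

```powershell
# Added example (not from the bulletin): reports which of the registry markers
# listed in the Windows Server 2003 Reference Table are present on this machine.
# Run from a PowerShell host that matches the OS bitness, so that registry
# redirection does not remap HKLM:\SOFTWARE. Written to work on PowerShell 2.0.

# Key paths and expected values as listed in the Reference Table.
# An entry without Name/Expected is a key the table lists with no value.
$Ms10070Markers = @(
    @{ Product = '.NET Framework 1.1 SP1 (32-bit systems)'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2416451\Filelist' },
    @{ Product = '.NET Framework 1.1 SP1 (x64 and Itanium-based systems)'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\M2416447'
       Name    = 'Installed'; Expected = 1 },
    @{ Product = '.NET Framework 2.0 SP2 and 3.5 SP1'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2418241'
       Name    = 'ThisVersionInstalled'; Expected = 'Y' },
    @{ Product = '.NET Framework 3.5'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 1\SP1\KB2416468'
       Name    = 'ThisVersionInstalled'; Expected = 'Y' },
    @{ Product = '.NET Framework 3.5'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.5\KB2418240'
       Name    = 'ThisVersionInstalled'; Expected = 'Y' },
    @{ Product = '.NET Framework 3.5 SP1'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.5 SP1\SP1\KB2416473'
       Name    = 'ThisVersionInstalled'; Expected = 'Y' },
    # The table lists the 4.0 marker only under Wow6432Node.
    @{ Product = '.NET Framework 4.0'
       Path    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2416472'
       Name    = 'ThisVersionInstalled'; Expected = 'Y' }
)

function Test-UpdateMarker {
    param([hashtable]$Check)

    $state = 'KeyMissing'
    if (Test-Path -LiteralPath $Check.Path) {
        if ($null -eq $Check.Name) {
            # Only the key itself is documented, so its existence is the marker.
            $state = 'Present'
        } else {
            $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name `
                                     -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } elseif ($item.($Check.Name) -eq $Check.Expected) {
                $state = 'Present'
            } else {
                $state = 'ValueMismatch'
            }
        }
    }

    New-Object PSObject -Property @{
        Product = $Check.Product
        State   = $state
        Path    = $Check.Path
    }
}

$results = $Ms10070Markers | ForEach-Object { Test-UpdateMarker -Check $_ }

# .NET Framework 3.5 has two markers; a product counts as complete only when
# every marker listed for it is present.
$results | Group-Object Product | ForEach-Object {
    $notPresent = @($_.Group | Where-Object { $_.State -ne 'Present' })
    New-Object PSObject -Property @{
        Product     = $_.Name
        AllMarkers  = ($notPresent.Count -eq 0)
        Outstanding = (($notPresent | ForEach-Object { $_.State }) -join ', ')
    }
} | Format-Table Product, AllMarkers, Outstanding -AutoSize
```

A `KeyMissing` result is expected for any .NET Framework version that is not installed on the server. Because these keys may not be created when the update is integrated or slipstreamed into the installation source, confirm a missing marker against the file versions in Microsoft Knowledge Base Article 2418042 before treating the system as unpatched.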

Windows Vista (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2:\ NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Vista Service Pack 1:\ Windows6.0-KB2416469-x86.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1:\ Windows6.0-KB2416474-x86.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2: Windows6.0-KB2416470-x86.msu /quiet
For Microsoft .NET Framework 3.5 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP35-KB2418240-x86.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP35SP1-KB2416473-x86.exe /quiet
For Microsoft .NET Framework 4.0 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP40-KB2416472-x86.exe /quiet
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Vista x64 Edition Service Pack 1: Windows6.0-KB2416469-x64.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista x64 Edition Service Pack 1: Windows6.0-KB2416474-x64.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista x64 Edition Service Pack 2: Windows6.0-KB2416470-x64.msu /quiet
For Microsoft .NET Framework 3.5 on Windows Vista Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP35-KB2418240-x64.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP35SP1-KB2416473-x64.exe /quiet
For Microsoft .NET Framework 4.0 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP40-KB2416472-x64.exe /quiet
Installing without restarting
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Vista Service Pack 1: Windows6.0-KB2416469-x86.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1: Windows6.0-KB2416474-x86.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2: Windows6.0-KB2416470-x86.msu /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP35-KB2418240-x86.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP35SP1-KB2416473-x86.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2: NDP40-KB2416472-x86.exe /q /norestart
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Vista x64 Edition Service Pack 1: Windows6.0-KB2416469-x64.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista x64 Edition Service Pack 1: Windows6.0-KB2416474-x64.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista x64 Edition Service Pack 2: Windows6.0-KB2416470-x64.msu /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows Vista Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP35-KB2418240-x64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP35SP1-KB2416473-x64.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2: NDP40-KB2416472-x64.exe /q /norestart
Further information: See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement
Restart required? In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
HotPatching: Not applicable
Removal Information: For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Vista (KB2416447), use the Add or Remove Programs tool in Control Panel.
For all other supported versions of Microsoft .NET Framework on Windows Vista, WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
File Information: See Microsoft Knowledge Base Article 2418042
Registry Key Verification: Note: Registry keys do not exist to validate the presence of these updates.

Deployment Information

Installing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
**/q[n b r f]** Sets user interface level
n - no UI
b - basic UI
r - reduced UI
f - full UI (default)
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
**/l[i w e a r u c m o p v x + ! *] <LogFile>** Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Installing the Update for Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469), Microsoft .NET Framework 2.0 Service Pack 2 (KB2416474), Microsoft .NET Framework 3.5 (KB2418240), Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473), and Microsoft .NET Framework 4.0 (KB2416472)

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Note For more information about the wusa.exe installer, see Microsoft Knowledge Base Article 934307.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in Start Search.
    2. When the file appears under Programs, right-click on the file name and click Properties.
    3. Under the General tab, compare the file size with the file information tables provided in the bulletin KB article.
    4. You may also click on the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
    5. Finally, you may also click on the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Windows Server 2008 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs: The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Server 2008: Windows6.0-KB2416469-x86.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008: Windows6.0-KB2416474-x86.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 Service Pack 2: Windows6.0-KB2416470-x86.msu /quiet
For Microsoft .NET Framework 3.5 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP35-KB2418240-x86.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP35SP1-KB2416473-x86.exe /quiet
For Microsoft .NET Framework 4.0 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP40-KB2416472-x86.exe /quiet
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Server 2008 for x64-based Systems: Windows6.0-KB2416469-x64.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for x64-based Systems: Windows6.0-KB2416474-x64.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for x64-based Systems Service Pack 2: Windows6.0-KB2416470-x64.msu /quiet
For Microsoft .NET Framework 3.5 on Windows Server 2008 and Windows Server 2008 for x64-based Systems Service Pack 2: NDP35-KB2418240-x64.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: NDP35SP1-KB2416473-x64.exe /quiet
For Microsoft .NET Framework 4.0 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: NDP40-KB2416472-x64.exe /quiet
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /qn
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Server 2008 for Itanium-based Systems: Windows6.0-KB2416469-ia64.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for Itanium-based Systems: Windows6.0-KB2416474-ia64.msu /quiet
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for Itanium-based Systems Service Pack 2: Windows6.0-KB2416470-ia64.msu /quiet
For Microsoft .NET Framework 3.5 on Windows Server 2008 and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP35-KB2418240-ia64.exe /quiet
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP35SP1-KB2416473-ia64.exe /quiet
For Microsoft .NET Framework 4.0 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP40-KB2416472-ia64.exe /quiet
Installing without restarting
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Server 2008: Windows6.0-KB2416469-x86.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008: Windows6.0-KB2416474-x86.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 Service Pack 2: Windows6.0-KB2416470-x86.msu /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP35-KB2418240-x86.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP35SP1-KB2416473-x86.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Server 2008 and Windows Server 2008 Service Pack 2: NDP40-KB2416472-x86.exe /q /norestart
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Server 2008 for x64-based Systems: Windows6.0-KB2416469-x64.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for x64-based Systems: Windows6.0-KB2416474-x64.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for x64-based Systems Service Pack 2: Windows6.0-KB2416470-x64.msu /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2008 and Windows Server 2008 for x64-based Systems Service Pack 2: NDP35-KB2418240-x64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: NDP35SP1-KB2416473-x64.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: NDP40-KB2416472-x64.exe /q /norestart
For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP1.1SP1-KB2416447-x86.exe /quiet /norestart /er
For Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 on Windows Server 2008 for Itanium-based Systems: Windows6.0-KB2416469-ia64.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for Itanium-based Systems: Windows6.0-KB2416474-ia64.msu /quiet /norestart
For Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for Itanium-based Systems Service Pack 2: Windows6.0-KB2416470-ia64.msu /quiet /norestart
For Microsoft .NET Framework 3.5 on Windows Server 2008 and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP35-KB2418240-ia64.exe /quiet /norestart
For Microsoft .NET Framework 3.5 Service Pack 1 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP35SP1-KB2416473-ia64.exe /quiet /norestart
For Microsoft .NET Framework 4.0 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: NDP40-KB2416472-ia64.exe /q /norestart
Further information: See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement
Restart required? This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
HotPatching: Not applicable.
Removal Information: WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
File Information: See Microsoft Knowledge Base Article 2418042
Registry Key Verification: Note: A registry key does not exist to validate the presence of this update.

Deployment Information

Installing the Update for Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)

This security update supports the following setup switches.

Switch Description
/help Displays usage dialog box.
Setup Modes
**/q[n b r f]** Sets user interface level
n - no UI
b - basic UI
r - reduced UI
f - full UI (default)
Install Options
/extract [directory] Extract the package to the specified directory.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Always restarts the computer after installation.
/promptrestart Prompts the user to restart if necessary.
Logging Options
**/l[i w e a r u c m o p v x + ! *] <LogFile>** Sets logging options
i - status messages
w - non-fatal warnings
e - all error messages
a - start up of actions
r - action-specific records
u - user request
c - initial UI parameters
m - out-of-memory or fatal exit information
o - out-of-disk-space messages
p - terminal properties
v - verbose output
x - extra debugging information
+ - append to existing log file
! - flush each line to the log
* - log all information, except for v and x options
/log <LogFile> Equivalent of /l* <LogFile>

Installing the Update for Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469), Microsoft .NET Framework 2.0 Service Pack 2 (KB2416474), Microsoft .NET Framework 3.5 (KB2418240), Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473), and Microsoft .NET Framework 4.0 (KB2416472)

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Note For more information about the wusa.exe installer, see Microsoft Knowledge Base Article 934307.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in Start Search.
    2. When the file appears under Programs, right-click on the file name and click Properties.
    3. Under the General tab, compare the file size with the file information tables provided in the bulletin KB article.
    4. You may also click on the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
    5. Finally, you may also click on the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Windows 7 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs: The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention
For Microsoft .NET Framework 3.5.1 on all supported 32-bit editions of Windows 7: Windows6.1-KB2416471-x86.msu /quiet
For Microsoft .NET Framework 4.0 on all supported 32-bit editions of Windows 7: NDP40-KB2416472-x86.exe /quiet
For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows 7: Windows6.1-KB2416471-x64.msu /quiet
For Microsoft .NET Framework 4.0 on all supported x64-based editions of Windows 7: NDP40-KB2416472-x64.exe /quiet
Installing without restarting
For Microsoft .NET Framework 3.5.1 on all supported 32-bit editions of Windows 7: Windows6.1-KB2416471-x86.msu /q /norestart
For Microsoft .NET Framework 4.0 on all supported 32-bit editions of Windows 7: NDP40-KB2416472-x86.exe /q /norestart
For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows 7: Windows6.1-KB2416471-x64.msu /q /norestart
For Microsoft .NET Framework 4.0 on all supported x64-based editions of Windows 7: NDP40-KB2416472-x64.exe /q /norestart
Further information: See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement
Restart required? This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
HotPatching: Not applicable.
Removal Information: To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.
File Information: See Microsoft Knowledge Base Article 2418042
Registry Key Verification: Note: A registry key does not exist to validate the presence of this update.

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Note For more information about the wusa.exe installer, see Microsoft Knowledge Base Article 934307.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in Start Search.
    2. When the file appears under Programs, right-click on the file name and click Properties.
    3. Under the General tab, compare the file size with the file information tables provided in the bulletin KB article.
    4. You may also click on the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
    5. Finally, you may also click on the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Windows Server 2008 R2 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs: The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention
For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB2416471-x64.msu /quiet
For Microsoft .NET Framework 4.0 on all supported x64-based editions of Windows Server 2008 R2: NDP40-KB2416472-x64.exe /quiet
For Microsoft .NET Framework 3.5.1 on all supported Itanium-based editions of Windows Server 2008 R2: Windows6.1-KB2416471-ia64.msu /quiet
For Microsoft .NET Framework 4.0 on all supported Itanium-based editions of Windows Server 2008 R2: NDP40-KB2416472-ia64.exe /quiet
Installing without restarting
For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB2416471-x64.msu /q /norestart
For Microsoft .NET Framework 4.0 on all supported x64-based editions of Windows Server 2008 R2: NDP40-KB2416472-x64.exe /q /norestart
For Microsoft .NET Framework 3.5.1 on all supported Itanium-based editions of Windows Server 2008 R2: Windows6.1-KB2416471-ia64.msu /q /norestart
For Microsoft .NET Framework 4.0 on all supported Itanium-based editions of Windows Server 2008 R2: NDP40-KB2416472-ia64.exe /q /norestart
Further information: See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement
Restart required? This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
HotPatching: Not applicable.
Removal Information: To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.
File Information: See Microsoft Knowledge Base Article 2418042
Registry Key Verification: Note: A registry key does not exist to validate the presence of this update.

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Note For more information about the wusa.exe installer, see Microsoft Knowledge Base Article 934307.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in Start Search.
    2. When the file appears under Programs, right-click on the file name and click Properties.
    3. Under the General tab, compare the file size with the file information tables provided in the bulletin KB article.
    4. You may also click on the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
    5. Finally, you may also click on the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.
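
The following PowerShell is an added example, not part of the bulletin. It runs one of the .msu packages listed in the reference tables through wusa.exe with the /quiet and /norestart switches, classifies the installer exit code so that a suppressed restart is not missed, and then checks whether the KB appears in the installed-update list. The function names, the package path and the exit-code table are assumptions of this example; the codes are standard Windows Installer and Windows Update Agent result values, and the NDP*.exe packages are not handled here.

```powershell
# Added example, not the bulletin's own code. Function names and the package
# path are hypothetical; /quiet, /norestart and the KB number come from the
# tables above.

# Exit codes as Int32 values (assumed mapping, standard result constants):
$UpdateExitCodes = @{
    0           = 'Installed'                  # ERROR_SUCCESS
    3010        = 'InstalledRestartRequired'   # ERROR_SUCCESS_REBOOT_REQUIRED
    1641        = 'InstalledRestartInitiated'  # ERROR_SUCCESS_REBOOT_INITIATED
    2359302     = 'AlreadyInstalled'           # 0x00240006 WU_S_ALREADY_INSTALLED
    -2145124329 = 'NotApplicable'              # 0x80240017 WU_E_NOT_APPLICABLE
}

function Resolve-UpdateExitCode {
    param([Parameter(Mandatory = $true)][int]$ExitCode)
    if ($UpdateExitCodes.ContainsKey($ExitCode)) {
        return $UpdateExitCodes[$ExitCode]
    }
    return 'Failed'
}

function Test-UpdateListed {
    # The bulletin states that no registry key exists to validate these
    # updates, so query the installed-update list instead.
    param([Parameter(Mandatory = $true)][string]$KbId)
    $match = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId }
    return [bool]$match
}

function Install-MsuUpdate {
    param(
        [Parameter(Mandatory = $true)][string]$PackagePath,
        [Parameter(Mandatory = $true)][string]$KbId
    )

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found: $PackagePath"
    }

    # Skip the install when the update is already listed.
    if (Test-UpdateListed -KbId $KbId) {
        return New-Object PSObject -Property @{
            KbId = $KbId; ExitCode = $null; Outcome = 'AlreadyInstalled'
            Listed = $true; RestartPending = $false
        }
    }

    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $arguments = "`"$PackagePath`" /quiet /norestart"
    $process = Start-Process -FilePath $wusa -ArgumentList $arguments -Wait -PassThru
    $outcome = Resolve-UpdateExitCode -ExitCode $process.ExitCode

    # With /norestart the system is not restarted even if a restart is
    # required, so surface that state explicitly for the operator.
    $restartPending = ($outcome -eq 'InstalledRestartRequired')

    New-Object PSObject -Property @{
        KbId           = $KbId
        ExitCode       = $process.ExitCode
        Outcome        = $outcome
        Listed         = (Test-UpdateListed -KbId $KbId)
        RestartPending = $restartPending
    }
}

# Usage (run from an elevated prompt; the path is a placeholder):
# Install-MsuUpdate -PackagePath 'C:\Updates\Windows6.1-KB2416471-x64.msu' -KbId 'KB2416471'
```

When RestartPending is true, schedule the restart and run Test-UpdateListed again afterwards before recording the system as patched.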

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (September 28, 2010): Bulletin published.
  • V2.0 (September 30, 2010): Revised this bulletin to announce that the updates are now available through all distribution channels, including Windows Update and Microsoft Update. Also added an update FAQ to describe additional clarifications and corrections to the bulletin.
  • V2.1 (October 13, 2010): Added three update FAQs to clarify affected software.
  • V2.2 (November 3, 2010): Added a note to the Affected Software table to clarify that the .NET Framework 4.0 Client Profile is not affected.
  • V3.0 (December 14, 2010): Added an update FAQ to announce that new update packages are available for .NET Framework 4.0 (KB2416472) to correct an issue in the setup that could interfere with the successful installation of other updates and/or products. Customers who have already successfully updated their systems do not need to take any action.
  • V4.0 (February 22, 2011): Announced a detection change to offer the Microsoft .NET Framework 4.0 (KB2416472) update packages to customers who install Microsoft .NET Framework 4.0 after installing Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, or Windows Server 2008 R2 for Itanium-based Systems Service Pack 1. Customers who have already successfully updated their systems do not need to take any action.
  • V4.1 (April 20, 2011): Corrected registry key verification for Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP and Windows Server 2003.
  • V4.2 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
