Export (0) Print
Expand All

Microsoft Security Advisory 2905247

Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege

Published: December 10, 2013 | Updated: September 9, 2014

Version: 2.0

General Information

Executive Summary

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1.

Any ASP.NET site for which view state MAC has become disabled through configuration settings is vulnerable to attack. An attacker who successfully exploited the vulnerability could use specially crafted HTTP content to inject code to be run in the context of the service account on the ASP.NET server. Microsoft is aware of general information available publicly that could be used to exploit this vulnerability, but is not aware of any active attacks.

Mitigating Factors:

  • View state MAC is enabled by default for ASP.NET sites.

Recommendation. Microsoft recommends that customers apply the suggested action to ensure that ASP.NET view state MAC remains enabled on ASP.NET sites. Please see the Suggested Actions section of this advisory for more information.

Vulnerability References

For more information about this issue, see the following references:

References

Identification

Microsoft Knowledge Base Article

2905247 

File information

Yes

SHA1/SHA2 hashes

Yes

Known issues

None

This advisory discusses the following software.

Affected Software

Operating System

Component

Bulletins Replaced

Windows Server 2003

Windows Server 2003 Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
(2894845)

None

Windows Server 2003 Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894843)

2656352 in MS11-100 and 2418241 in MS10-070

Windows Server 2003 Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Server 2003 x64 Edition Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894843)

2656352 in MS11-100 and 2418241 in MS10-070

Windows Server 2003 x64 Edition Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Server 2003 with SP2 for Itanium-based Systems

Microsoft .NET Framework 2.0 Service Pack 2
(2894843)

2656352 in MS11-100 and 2418241 in MS10-070

Windows Server 2003 with SP2 for Itanium-based Systems

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Vista

Windows Vista Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894847)

2656362 in MS11-100 and 2416470 in MS10-070

Windows Vista Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Vista Service Pack 2

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Vista x64 Edition Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894847)

2656362 in MS11-100 and 2416470 in MS10-070

Windows Vista x64 Edition Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Vista x64 Edition Service Pack 2

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894847)

2656362 in MS11-100 and 2416470 in MS10-070

Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894847)

2656362 in MS11-100 and 2416470 in MS10-070

Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Server 2008 for Itanium-based Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
(2894847)

2656362 in MS11-100 and 2416470 in MS10-070

Windows Server 2008 for Itanium-based Systems Service Pack 2

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows 7

Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 3.5.1
(2894844)

None

Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1
(2894844)

None

Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1
(2894844)

None

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1
(2894844)

None

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows 8 and Windows 8.1

Windows 8 for 32-bit Systems

Microsoft .NET Framework 3.5
(2894851)

None

Windows 8 for 32-bit Systems

Microsoft .NET Framework 4.5/4.5.1
(2894855)

2901127 in MS14-009

Windows 8 for 64-bit Systems

Microsoft .NET Framework 3.5
(2894851)

None

Windows 8 for 64-bit Systems

Microsoft .NET Framework 4.5/4.5.1
(2894855)

2901127 in MS14-009

Windows 8.1 for 32-bit Systems

Microsoft .NET Framework 3.5
(2894852)

2901125 in MS14-009

Windows 8.1 for 32-bit Systems

Microsoft .NET Framework 4.5.1
(2894856)

2901128 in MS14-009

Windows 8.1 for 64-bit Systems

Microsoft .NET Framework 3.5
(2894852)

2901125 in MS14-009

Windows 8.1 for 64-bit Systems

Microsoft .NET Framework 4.5.1
(2894856)

2901128 in MS14-009

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012

Microsoft .NET Framework 3.5
(2894851)

None

Windows Server 2012

Microsoft .NET Framework 4.5/4.5.1
(2894855)

2901127 in MS14-009

Windows Server 2012 R2

Microsoft .NET Framework 3.5
(2894852)

2901125 in MS14-009

Windows Server 2012 R2

Microsoft .NET Framework 4.5.1
(2894856)

2901128 in MS14-009

Windows RT and Windows RT 8.1

Windows RT

Microsoft .NET Framework 4.5/4.5.1
(2894855)

2901127 in MS14-009

Windows RT 8.1

Microsoft .NET Framework 4.5.1
(2894856)

2901128 in MS14-009

Server Core installation option

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 3.5.1
(2894844)

None

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 4 [1]
(2894842)

2901110 in MS14-009 and 2656351 in MS11-100

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 4.5/4.5.1
(2894854)

2901126 in MS14-009

Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 3.5
(2894851)

None

Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 4.5/4.5.1
(2894855)

2901127 in MS14-009

Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 3.5
(2894852)

2901125 in MS14-009

Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 4.5.1
(2894856)

2901128 in MS14-009

 

Non-Affected Software

Microsoft .NET Framework 1.0 Service Pack 3

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 Service Pack 1

Microsoft .NET Framework 4.5.2

 

Non-Applicable Software

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Why was this advisory rereleased on September 9, 2014? 
This advisory was rereleased to offer the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released.

Furthermore, the updates for the following affected software were rereleased to address an issue that occasionally caused Page.IsPostBack to return an incorrect value:

.NET Framework Version

Operating Systems

Update Number

Microsoft .NET Framework 3.5

Windows 8.1 and Windows Server 2012 only

2894852

Microsoft .NET Framework 4

Windows Server 2003 Service Pack 2, Windows Vista Service Pack 2, Windows 2008 Service pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1

2894842

Microsoft .NET Framework 4.5

Windows Vista, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2 Service Pack 1

2894854

Microsoft .NET Framework 4.5.1

Windows Vista, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2 Service Pack 1

2894854

Microsoft .NET Framework 4.5.1

Windows 8, Windows Server 2012, and Windows RT

2894855

Microsoft .NET Framework 4.5.1

Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1

2894856

Customers who have already installed any of the above updates should reapply the updates to be protected from the vulnerability addressed in this advisory. For the remainder of the affected software not included in this list, customers who have already successfully updated their systems do not need to take any action.

What is the scope of the advisory? 
The purpose of this advisory is to notify customers that Microsoft is publishing an update to enable administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

What is view state? 
View state is an ASP.NET feature that enables web developers to maintain page state and persist data in a web form across POST requests, or page updates and changes. View state is used prevalently by ASP.NET developers and, as such, is ubiquitous throughout ASP.NET sites. View state is always parsed, even if the EnableViewState property is set to False. For more information, see Understanding ASP.NET View State.

Will disabling view state mitigate the vulnerability? 
No. View state is always parsed by the ASP.NET server, even when EnableViewState is set to False, regardless of whether or not the property is set in web.config, the @Page directive, or an ASP.NET tag. It is possible for an attacker to inject a view state property into a client post, bypassing the EnableViewState setting.

What is view state MAC Validation? 
View state MAC (Machine Authentication Code) validation is a feature that causes ASP.NET to generate a hash of the view state data at page generation time. The hash is later used for comparison to the view state on a later postback, allowing the server to verify whether or not view state has been tampered with. This technology ensures that postback data has not been modified improperly and mitigates the vulnerability described in this advisory.

What might an attacker use the vulnerability to do? 
In most scenarios, an attacker who successfully exploited this vulnerability could elevate privileges to the level of the service account running on the vulnerable ASP.NET site (one with an improperly configured view state MAC).

How could an attacker exploit the vulnerability? 
An unauthenticated attacker could send specially crafted HTTP content to the targeted server, potentially allowing the attacker to run code on the server in the context of the service account running on the ASP.NET site.

What does the update do? 
The update addresses the vulnerability by causing view state MAC to be enabled at all times, removing the ability to disable it on the server.

What additional actions must customers take following the installation of the update? 
The nature of the fix requires that some customers, particularly those using ASP.NET in a web farm, take additional actions to ensure consistent availability of their ASP.NET sites. See the Suggested Actions section below for additional configuration steps.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, see Microsoft Knowledge Base Article 318785.

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile.

I have .NET Framework 3.0 Service Pack 2 installed; this version is not listed among the affected software in this bulletin. Do I need to install an update? 
This bulletin describes a vulnerability that affects the .NET Framework 2.0 feature layer. The .NET Framework 3.0 Service Pack 2 installer chains in the .NET Framework 2.0 Service Pack 2 setup, so installing the former also installs the latter. Therefore, customers who have.NET Framework 3.0 Service Pack 2 installed need to install security updates for .NET Framework 2.0 Service Pack 2.

I have .NET Framework 3.5 Service Pack 1 installed. Do I need to install any updates? 
This bulletin describes a vulnerability that affects the .NET Framework 2.0 feature layer. The .NET Framework 3.5 Service Pack 1 installer chains in both the .NET Framework 2.0 Service Pack 2 setup and the .NET Framework 3.0 Service Pack 2 setup. Therefore, customers who have .NET Framework 3.5 Service Pack 1 installed need to install security updates for.NET Framework 2.0 Service Pack 2.

 

  • Apply the update for affected releases of Microsoft .NET Framework 

    Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating.

    For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. The updates are also accessible via the Microsoft Download center hyperlinks in the Affected Software table of this advisory. For information on how to manually apply the updates, see Microsoft Knowledge Base Article 2905247.

  • For administrators and enterprise installations with web-farm scenarios 
    Microsoft recommends following the guidance available in Microsoft Knowledge Base Article 2915218.

Additional Suggested Actions

  • Protect your PC 
    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
  • Keep Microsoft Software Updated 
    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Windows Server 2003 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup.

Security update file names

For Microsoft .NET Framework 1.1 Service Pack 1 when installed on all supported 32-bit editions of Windows Server 2003 SP2:
WindowsServer2003-KB2894845-x86-ENU.exe


For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2003:
NDP20SP2-KB2894843-x86.exe


For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:
NDP40-KB2894842-V2-x86.exe


For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2003:
NDP20SP2-KB2894843-x64.exe


For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2003:
NDP40-KB2894842-V2-x64.exe


For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported Itanium-based editions of Windows Server 2003:
NDP20SP2-KB2894843-IA64.exe


For Microsoft .NET Framework 4 when installed on all supported Itanium-based editions of Windows Server 2003:
NDP40-KB2894842-V2-IA64.exe

Installation switches

See Microsoft Knowledge Base Article 2844699

Update log file

For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2:
KB2894845.log


For Microsoft .NET Framework 2.0 Service Pack 2:
Microsoft .NET Framework 2.0-KB2894843_*-msi0.txt
Microsoft .NET Framework 2.0-KB2894843_*.html


For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html

Restart requirement

In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.

Removal information

Use the Add or Remove Programs item in Control Panel.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

For Microsoft .NET Framework 1.1 Service Pack 1 on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2894845\


For Microsoft .NET Framework 2.0 Service Pack 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2894843
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4 when installed on all supported x64-based editions and Itanium-based editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

 

Windows Vista (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup.

Security update file names

For Microsoft .NET Framework 2.0 Service Pack 2 on all supported 32-bit editions of Windows Vista:
Windows6.0-KB2894847-x86.msu


For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:
NDP40-KB2894842-V2-x86.exe


For Microsoft .NET Framework 4.5/4.5.1 when installed on all supported 32-bit editions of Windows Vista:
NDP45-KB2894854-V2-x86.exe


For Microsoft .NET Framework 2.0 Service Pack 2 on all supported x64-based editions of Windows Vista:
Windows6.0-KB2894847-x64.msu


For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Vista:
NDP40-KB2894842-V2-x64.exe


For Microsoft .NET Framework 4.5/4.5.1 when installed on all supported x64-based editions of Windows Vista:
NDP45-KB2894854-V2-x64.exe

Installation switches

See Microsoft Knowledge Base Article 2844699

Update log file

For Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable


For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html


For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]_*_*.html

Restart requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal information

Click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

For Microsoft .NET Framework 2.0 Service Pack 2:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.


For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4 when installed on all supported x64-based and Itanium-based editions of Windows Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2
"ThisVersionInstalled" = "Y"

 

Windows Server 2008 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup

Security update file names

For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2:
Windows6.0-KB2894847-x86.msu


For Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP40-KB2894842-V2-x86.exe


For Microsoft .NET Framework 4.5/4.5.1 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP45-KB2894854-V2-x86.exe


For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2:
Windows6.0-KB2894847-x64.msu


For Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP40-KB2894842-V2-x64.exe


For Microsoft .NET Framework 4.5/4.5.1 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP45-KB2894854-V2-x64.exe


For Microsoft .NET Framework 2.0 Service Pack 2 on all supported Itanium-based editions of Windows Server 2008:
Windows6.0-KB2894847-ia64.msu


For Microsoft .NET Framework 4 when installed on Windows Server 2008 for Itanium-based Systems Service Pack 2:
NDP40-KB2894842-V2-IA64.exe

Installation switches

See Microsoft Knowledge Base Article 2844699

Update log file

For Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable


For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html


For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]_*_*.html

Restart requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal information

Click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

For Microsoft .NET Framework 2.0 Service Pack 2:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.


For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4 when installed on all supported x64-based and Itanium-based editions of Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2
"ThisVersionInstalled" = "Y"

 

Windows 7 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup

Security update file name

For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1:
Windows6.1-KB2894844-x86.msu


For Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP40-KB2894842-V2-x86.exe


For Microsoft .NET Framework 4.5/4.5.1 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP45-KB2894854-V2-x86.exe


For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1:
Windows6.1-KB2894844-x64.msu


For Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP40-KB2894842-V2-x64.exe


For Microsoft .NET Framework 4.5.1 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP45-KB2894854-V2-x64.exe

Installation switches

See Microsoft Knowledge Base Article 2844699

Update log file

For Microsoft .NET Framework 3.5.1:
Not applicable


For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html


For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]_*_*.html

Restart requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal information

Click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

For Microsoft .NET Framework 3.5.1:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.


For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows 7:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows 7:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2
"ThisVersionInstalled" = "Y"

 

Windows Server 2008 R2 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup

Security update file name

For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1:
Windows6.1-KB2894844-x64.msu


For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1:
NDP40-KB2894842-V2-x64.exe


For Microsoft .NET Framework 4.5.1 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1:
NDP45-KB2894854-V2-x64.exe


For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
Windows6.1-KB2894844-ia64.msu


For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
NDP40-KB2894842-V2-IA64.exe

Installation switches

See Microsoft Knowledge Base Article 2844699

Update log file

For Microsoft .NET Framework 3.5.1:
Not applicable


For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html


For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]_*_*.html

Restart requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal information

Click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

For Microsoft .NET Framework 3.5.1:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.


For Microsoft .NET Framework 4:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"


For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2 "ThisVersionInstalled" = "Y"

 

Windows 8 (all editions) and Windows 8.1 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup

Security update file name

For Microsoft .NET Framework 3.5 on Windows 8 for 32-bit Systems:
Windows8-RT-KB2894851-x86.msu


For Microsoft .NET Framework 4.5/4.5.1 on Windows 8 for 32-bit Systems:
Windows8-RT-KB2894855-V2-x86.msu


For Microsoft .NET Framework 3.5 on Windows 8 for 64-bit Systems:
Windows8-RT-KB2894851-x64.msu


For Microsoft .NET Framework 4.5/4.5.1 on Windows 8 for 64-bit Systems:
Windows8-RT-KB2894855-V2-x64.msu


For Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB2894852-V2-x86.msu


For Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB2894856-V2-x86.msu


For Microsoft .NET Framework 3.5 on Windows 8.1 for 64-bit Systems:
Windows8.1-KB2894852-V2-x64.msu


For Microsoft .NET Framework 4.5.1 on Windows 8.1 for 64-bit Systems:
Windows8.1-KB2894856-V2-x64.msu

Installation switches

See Microsoft Knowledge Base Article 2844699

Restart requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal information

Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

For Microsoft .NET Framework 3.5:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.


For Microsoft .NET Framework 4.5/4.5.1:

Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

 

Windows Server 2012 (all editions) and Windows Server 2012 R2 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs

The update for this issue will be included in a future service pack or update rollup

Security update file name

For Microsoft .NET Framework 3.5 on Windows Server 2012:
Windows8-RT-KB2894851-x64.msu


For Microsoft .NET Framework 4.5/4.5.1 on Windows Server 2012:
Windows8-RT-KB2894855-V2-x64.msu


For Microsoft .NET Framework 3.5 on Windows Server 2012 R2:
Windows8.1-KB2894852-V2-x64.msu


For Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2:
Windows8.1-KB2894856-V2-x64.msu

Installation switches

See Microsoft Knowledge Base Article 2844699

Restart requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal information

Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

File information

See Microsoft Knowledge Base Article 2905247

Registry key verification

Note A registry key does not exist to validate the presence of this update.

 

Windows RT (all editions) and Windows RT 8.1 (all editions)

Reference Table

The following table contains the security update information for this software.

Deployment

For Microsoft .NET Framework 4.5 and 4.5.1 on Windows RT:
The 2894855 update is available via Windows Update


For Microsoft .NET Framework 4.5.1 on Windows RT 8.1:
The 2894856 update is available via Windows Update

Restart Requirement

Yes, you must restart your system after you apply this security update.

Removal Information

Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

File Information

See Microsoft Knowledge Base Article 2905247

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (December 10, 2013): Advisory published.

V2.0 (September 9, 2013): Advisory rereleased to announce the offering of the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released. Additionally, some of the updates were reissued to improve their quality. See the Update FAQ for details.

Page generated 2014-09-04 11:06Z-07:00.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft