Microsoft Security Bulletin MS16-035 - Important

Published: March 8, 2016 | Updated: November 8, 2016

Version: 2.6

This security update resolves a vulnerability in the Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows. For more information, see the Affected Software section.

The update addresses the vulnerability by correcting how the .NET Framework validates XML documents. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3141780.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

^[1]For information about changes in support for .NET Framework 4.x, see Internet Explorer and .NET Framework 4.x Support Announcements.

^[2]Windows RT 8.1 updates are available only via Windows Update.

^[3]Windows 10 updates are cumulative. In addition to containing non-security updates, they also contain all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with the monthly security release. The updates are available via the Microsoft Update Catalog.

Note Windows Server Technical Preview 4 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

Why was this bulletin re-released on May 10, 2016?
To address certain printing issues customers may have experienced after installing the security updates for Microsoft .NET Framework 4.5.2 or Microsoft .NET Framework 4.6/4.6.1, the updates for these versions of Microsoft .NET Framework have been re-released as follows:

• The updates for Microsoft .NET Framework 4.5.2 have been re-released to Limited Distribution Release (LDR) customers only.
• The updates for Microsoft .NET Framework 4.6/4.6.1 have been re-released to all customers.

Please note that these re-releases are available via Windows Update and the Microsoft Update Catalog.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, see Microsoft Knowledge Base Article 318785.

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems.

Do I need to install these security updates in a particular sequence?
No. Multiple updates for a given system can be applied in any sequence.

A security feature bypass vulnerability exists in a .NET Framework component that does not properly validate certain elements of a signed XML document. An attacker who successfully exploited the vulnerability could modify the contents of an XML file without invalidating the signature associated with the file. If a .NET application relies on the signature to be non-malicious, the behavior of the application could become unpredictable. In custom applications, the security impact depends on the specific usage scenario.

In a .NET application attack scenario, an attacker could modify the contents of an XML file without invalidating the signature associated with the file. The update addresses the vulnerability by correcting how the .NET Framework validates XML documents.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Microsoft has not identified any mitigating factors for this vulnerability.

Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

• V1.0 (March 8, 2016): Bulletin published.
• V2.0 (May 10, 2016): Revised bulletin to announce the security updates for Microsoft .NET Framework 4.5.2 and Microsoft .NET Framework 4.6/4.6.1 have been rereleased to address issues with certain printing scenarios. The rereleases are available via Windows Update and the Microsoft Update Catalog. Note that this re-release applies only to LDR (Limited Distribution Release) customers. GDR (General Distribution Release) customers are not affected. For more information about the specific security updates that were re-released, see the Update FAQs section of this bulletin (MS16-035).
• V2.1 (May 18, 2016): Revised bulletin to clarify the distribution audience for the Microsoft .NET Framework 4.5.2 and Microsoft .NET Framework 4.6/4.6.1 security updates that were re-released on May 10, 2016, as follows: The security updates for Microsoft .NET Framework 4.5.2 have been re-released to Limited Distribution Release (LDR) customers only. The security updates for Microsoft .NET Framework 4.6/4.6.1 have been re-released to all customers.
• V2.2 (July 13, 2016): Revised bulletin to inform customers that the 3135996 update has been refreshed. This is an informational notification only. Customers who have already successfully installed the update do not need to take any further action.
• V2.3 (August 11, 2016): Revised bulletin to announce a detection change to correct an offering issue for 3135996. This is a detection change only. There were no changes to the update files. Customers who have already successfully installed the update do not need to take any action.
• V2.4 (August 11, 2016): Clarification to rev note v2.3 - A newer version of update 3135996 was made available to all customers, not only Limited Distribution Release (LDR) customers. Some customers may have not been offered this latest version between 7/13/2016 and 8/11/2016. The last version of update 3135996 released on 8/11/2016 will bring customers to an up to date state.
• V2.5 (October 11, 2016): Revised bulletin to announce the security updates 3135994 and 3135995 for Microsoft .NET Framework 4.5.2 on Windows Server 2012, Windows 8.1 and Windows Server 2012 R2 have been rereleased to the WSUS channel exclusively. This re-release does not apply to Windows Update or Microsoft Update Catalog customers. This re-release addresses an offering issue that prevented certain GDR customers within WSUS environments from receiving these updates if they had enabled the “automatically decline updates when a new revision causes them to expire” feature. There are no changes to the file payload. If customers have already successfully deployed updates 3135994 and 3135995, they do not need to take any action.
• V2.6 (November 8, 2016): Revised bulletin to announce that a detection change was made to account for .NET Framework 4.6.1 hotfix rollup customers who were not being properly offered security updates applicable to .NET Framework 4.6.1.

Page generated 2016-11-28 12:58-08:00.