January fix holes in the .NET Framework and Core

    Right at the end of the New Year holidays in Russia, on January 9th, Microsoft released updates that fix CVE-2018-0786 and CVE-2018-0764 . They repaired it so that in some places they broke it. In this short post we will once again recall what it is and what we should do now.


    To illustrate this hubrapost, I tried to portray a sieve. As you can see, I didn’t succeed. Unfortunately, making a sieve in the code is much easier than portraying it by picking up a graphics tablet for the first time.



    Am I at stake too?


    If you use the .NET Framework, you need to make sure that you have version 4.7.1 installed and Windows has installed the .NET Framework update January 2018 Security and Quality Rollup ( KB4055002 ). Or at least Security-Only Update ( KB4054183 ).
    If this is not the case, you have a problem.


    You can check the version of the .NET Framework itself using the instructions at the link . In order not to check each time with my hands, there is a script for Power Shell .


    If you use .NET Core, then you need to go to the file system and see which version of the runtime is installed. If there is no directory 1.0.9, 1.1.6or 2.0.5, then you have a problem!


    Where to see:


    WindowsC: \ Program Files \ dotnet \ shared \ Microsoft.NETCore.App \
    macOS/usr/local/share/dotnet/shared/Microsoft.NETCore.App/
    GNU / Linux/usr/share/dotnet/shared/Microsoft.NETCore.App/

    The exact list of vulnerable versions of .NET Core:


    Runtime versionFixed in version
    1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.7, 1.0.81.0.9
    1.1.0, 1.1.1, 1.1.2, 1.1.4, 1.1.51.1.6
    2.0.0, 2.0.3, 2.0.42.0.5

    What to do?


    Developers will have to upgrade the .NET Framework to 4.7.1 and update Windows with the latest updates . Not on all versions of Windows, this update works well (read the article to the end).


    The .NET Core SDK needs to be updated to 2.1.4or 1.1.7. System administrators need to upgrade .NET Core to 1.0.9, 1.1.6or 2.0.5.


    Self-contained applications will have to be rebuilt, in other cases, updating the runtime and SDK is enough.


    CVE-2018-0764: Denial of Service when parsing XML documents


    Official links



    What happened?


    The .NET Framework and Core are bad at parsing XML, taking advantage of which, a hacker can launch a DDOS attack on your application.


    In the update, they fixed it. Exploits were not publicly distributed.




    CVE-2018-0786: Security Feature Bypass in X509 Certificate Validation


    Official links



    What happened?


    In the public versions of the .NET Framework and Core, there is a vulnerability that allows a hacker to slip a certificate that is marked invalid for a specific method of use, and nevertheless use it for this purpose. This allows you to ignore Enhanced Key Usage.


    In the update, they fixed it. Exploits were not publicly distributed.


    Do I need to update packages?


    Vulnerability is affected by the package Microsoft.NETCore.UniversalWindowsPlatform.
    The package version is listed along with its corresponding version of .NET Native.


    NuGet / .NET NativeFixed in version
    5.2. * / 1.4. *5.2.4
    5.3. * / 1.6. *5.3.5
    5.4. * / 1.7. *5.4.2
    6.0. * / 2.0. *6.0.6

    How to fix my application if I use .NET Core?


    The application type is important for this bug:



    Regular applications can be repaired by simply installing the desired version of the SDK or runtime on which you are running. You can download it here .


    Self-contained applications will have to be rebuilt with the freshly updated SDK and redeployed.


    Next, let's talk about native applications. You need to process it again with the native compiler of the updated SDK and transfer the result to the Windows Store.


    MS recommends updating the UWP application to the latest minor version of the NuGet package Microsoft.NETCore.UniversalWindowsPlatformso that you can rebuild the application and understand that it has not collapsed. You can, of course, upgrade immediately to a more recent major version, but this is not necessary - an update is issued for all major versions that have suffered from a bug.


    Regardless of whether you have updated your NuGet packages, all applications uploaded after January 9 will be automatically repaired directly during uploading.


    If you do not update your application in the store, it will still be automatically processed and sent via Windows Update in the coming weeks. Anyone who doesn’t have auto-updates turned off will receive an updated version without the need for manual intervention by anyone. But for sideloaded applications, you will have to update NuGet packages yourself, rebuild them and deliver them to users.


    Updates will break Windows 7 and Windows Server when using the .NET Framework


    According to this still open bug , the patch not only heals, but also cripples. The problem only occurs when using Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1.


    It is enough to install updates or the .NET Framework 4.7.1, as WPF applications requesting a fallback font (or a character not included in the current font) will fall off with the following error:


    System.TypeInitializationException
    “FileFormatException: No FontFamily element foundin FontFamilyCollection 
    that matches current OS or greater: Win7SP1”.
    Innerexception originates from: CompositeFontParser

    The problem is that the installer does not properly handle the interaction between the update installer (.NET Framework January 2018 Rollup - KB4055002) and the already installed .NET Framework 4.7.1. The Rollup installer accidentally overwrites the GlobalUserInterface.CompositeFont file, which came with version 4.7.1, which is why WPF applications are starting to crash.


    There are three solutions.


    Method One: Uninstall January Updates


    You must remove: "January .NET Framework Security and Quality Rollup ( KB4055002 )."


    And instead install: "January .NET Framework Security-Only Update ( KB4054183 )."


    To do this, follow these steps:


    1. Control Panel → Windows Update → View update history
    2. In the list "Review your update history" find and select "Security Update for Microsoft .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 (KB4055002)". Click Uninstall.
    3. When asked whether to really delete - agree.
    4. Be sure to restart your computer if asked to.
    5. Download and install the security patch of the version you need:
    6. Do everything that you are asked, and in the end - be sure to restart the computer.

    Method two: remove the .NET Framework 4.7.1, install the .NET Framework 4.7


    1. Control Panel → Programs and Features
    2. In the "Uninstall or change a program" list, highlight "Microsoft .NET Framework 4.7.1" and click Uninstall / Change.
    3. Select "Remove .NET Framework 4.7.1 from this computer", and click Next.
    4. Click continue and wait for deletion.
    5. Click Finish when the uninstall completes.
    6. Be sure to restart your computer if asked to.
    7. Install the .NET Framework 4.7 .

    Method three: replace GlobalUserInterface.CompositeFontwith the correct file


    1. Download GlobalUserInterface.CompositeFont (for Windows 7, standard installation path - %USERPROFILE%\Downloads)
    2. Open cmd, navigate to %windir%\Microsoft.NET\Framework\v4.0.30319\WPF\Fontsand run:
      xcopy /y %USERPROFILE%\Downloads\GlobalUserInterface.CompositeFont.
      (or just paste the GlobalUserInterface.Composite file to this place)
    3. Open cmd, navigate to %windir%\Microsoft.NET\Framework64\v4.0.30319\WPF\Fontsand run:
      xcopy /y %USERPROFILE%\Downloads\GlobalUserInterface.CompositeFont.
      (or use the copy-paste file in the Explorer again).
    4. Restart the WPF application.
    5. If all else fails, restart your computer and restart the WPF application again.

    Summary


    Even very good and high-quality projects contain errors. In order not to get into trouble, you need to update on time, read official news and study current trends at conferences like DotNext , of course. Saving the drowning is the work of the drowning!


    Also popular now: